Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171



AD ID

0002798

AD STATUS

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171

ORIGINATOR

US National Institute of Standards and Technology

TYPE

International or National Standard

AVAILABILITY

Free

SYNONYMS

NIST SP 800-171

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171

EFFECTIVE

2015-06-01

ADDED

The document as a whole was last reviewed and released on 2016-07-09T00:00:00-0700.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure the quality of mapping is of the highest degree.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171 are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.



Common Controls and mandates by Impact Zone
120 Mandated Controls - bold
105 Implied Controls - italic
1350 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
1575 Total
  • Audits and risk management
    32
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an audit program. CC ID 00684 Establish/Maintain Documentation Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and Risk Management Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application. 3.12.1
    Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls. 3.12.3]
    Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Process or Activity Preventive
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and Risk Management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and Risk Management Detective
    Establish, implement, and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Establish/Maintain Documentation Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI. 3.11.1]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
  • Human Resources management
    33
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 Testing Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform security clearance procedures, as necessary. CC ID 06644
    [Screen individuals prior to authorizing access to information systems containing CUI. 3.9.1]
    Human Resources Management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources Management Preventive
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549
    [Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers. 3.9.2]
    Establish/Maintain Documentation Preventive
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Technical Security Corrective
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 Technical Security Corrective
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources Management Preventive
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Data and Information Management Corrective
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources Management Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Behavior Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 Communicate Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources Management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources Management Corrective
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Behavior Preventive
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources Management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Establish/Maintain Documentation Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources Management Detective
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Establish Roles Preventive
    Implement segregation of duties in roles and responsibilities. CC ID 00774
    [Separate the duties of individuals to reduce the risk of malevolent activity without collusion. 3.1.4]
    Testing Detective
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 Technical Security Preventive
    Train all personnel and third parties, as necessary. CC ID 00785 Behavior Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671 Business Processes Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674
    [Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. 3.2.2]
    Behavior Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823
    [Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems. 3.2.1]
    Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [Provide security awareness training on recognizing and reporting potential indicators of insider threat. 3.2.3]
    Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Establish/Maintain Documentation Preventive
  • Monitoring and measurement
    93
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Log Management Detective
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585
    [Monitor information system security alerts and advisories and take appropriate actions in response. 3.14.3
    Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. 3.14.6]
    Monitor and Evaluate Occurrences Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitor and Evaluate Occurrences Detective
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitor and Evaluate Occurrences Preventive
    Address operational anomalies within the incident management system. CC ID 11633 Audits and Risk Management Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitor and Evaluate Occurrences Detective
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Human Resources Management Detective
    Detect unauthorized access to systems. CC ID 06798
    [Identify unauthorized use of the information system. 3.14.7]
    Monitor and Evaluate Occurrences Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitor and Evaluate Occurrences Detective
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Audits and Risk Management Preventive
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitor and Evaluate Occurrences Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized mobile code. CC ID 10034
    [Control and monitor the use of mobile code. 3.13.13]
    Monitor and Evaluate Occurrences Preventive
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638
    [Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. 3.3.1]
    Log Management Detective
    Establish, implement, and maintain an event logging policy. CC ID 15217 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain event logging procedures. CC ID 01335 Log Management Detective
    Include the system components that generate audit records in the event logging procedures. CC ID 16426 Data and Information Management Preventive
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 Log Management Preventive
    Protect the event logs from failure. CC ID 06290 Log Management Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Data and Information Management Preventive
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427
    [Provide audit reduction and report generation to support on-demand analysis and reporting. 3.3.6]
    Testing Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Establish/Maintain Documentation Corrective
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Establish/Maintain Documentation Preventive
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424
    [Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity. 3.3.5]
    Audits and Risk Management Preventive
    Review and update event logs and audit logs, as necessary. CC ID 00596 Log Management Detective
    Eliminate false positives in event logs and audit logs. CC ID 07047 Log Management Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Log Management Detective
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Technical Security Detective
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Investigate Corrective
    Reproduce the event log if a log failure is captured. CC ID 01426 Log Management Preventive
    Document the event information to be logged in the event information log specification. CC ID 00639 Configuration Preventive
    Enable logging for all systems that meet a traceability criteria. CC ID 00640 Log Management Detective
    Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 Configuration Preventive
    Enable and configure logging on all network access controls. CC ID 01963 Configuration Preventive
    Analyze firewall logs for the correct capturing of data. CC ID 00549 Log Management Detective
    Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340
    [Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. 3.3.7]
    Configuration Preventive
    Centralize network time servers to as few as practical. CC ID 06308 Configuration Preventive
    Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 Communicate Preventive
    Define the frequency to capture and log events. CC ID 06313 Log Management Preventive
    Include logging frequencies in the event logging procedures. CC ID 00642 Log Management Preventive
    Review and update the list of auditable events in the event logging procedures. CC ID 10097
    [Review and update audited events. 3.3.3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a testing program. CC ID 00654 Behavior Preventive
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Establish/Maintain Documentation Preventive
    Perform vulnerability scans, as necessary. CC ID 11637
    [Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified. 3.11.2]
    Technical Security Detective
    Repeat vulnerability scanning, as necessary. CC ID 11646
    [Remediate vulnerabilities in accordance with assessments of risk. 3.11.3]
    Testing Detective
    Identify and document security vulnerabilities. CC ID 11857 Technical Security Detective
    Rank discovered vulnerabilities. CC ID 11940 Investigate Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Technical Security Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Technical Security Detective
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Establish/Maintain Documentation Preventive
    Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 Communicate Preventive
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Records Management Preventive
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Technical Security Detective
    Perform internal vulnerability scans, as necessary. CC ID 00656 Testing Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Technical Security Detective
    Implement scanning tools, as necessary. CC ID 14282 Technical Security Detective
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Configuration Corrective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Technical Security Detective
    Perform external vulnerability scans, as necessary. CC ID 11624 Technical Security Detective
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Business Processes Preventive
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Testing Preventive
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Technical Security Detective
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Behavior Corrective
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a log management program. CC ID 00673
    [Limit management of audit functionality to a subset of privileged users. 3.3.9]
    Establish/Maintain Documentation Preventive
    Deploy log normalization tools, as necessary. CC ID 12141 Technical Security Preventive
    Restrict access to logs to authorized individuals. CC ID 01342 Log Management Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Technical Security Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Log Management Preventive
    Back up audit trails according to backup procedures. CC ID 11642 Systems Continuity Preventive
    Back up logs according to backup procedures. CC ID 01344 Log Management Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Log Management Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Log Management Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Log Management Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Log Management Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Log Management Preventive
    Protect logs from unauthorized activity. CC ID 01345
    [Protect audit information and audit tools from unauthorized access, modification, and deletion. 3.3.8]
    Log Management Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Log Management Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Log Management Preventive
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Configuration Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Log Management Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Establish/Maintain Documentation Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Audits and Risk Management Preventive
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems. 3.12.2]
    Monitor and Evaluate Occurrences Detective
    Align corrective actions with the level of environmental impact. CC ID 15193 Business Processes Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Establish/Maintain Documentation Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Establish/Maintain Documentation Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Establish/Maintain Documentation Preventive
    Include monitoring in the corrective action plan. CC ID 11645 Monitor and Evaluate Occurrences Detective
  • Operational and Systems Continuity
    3
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 Systems Continuity Preventive
    Protect backup systems and restoration systems at the alternate facility. CC ID 04883
    [Protect the confidentiality of backup CUI at storage locations. 3.8.9]
    Systems Continuity Preventive
  • Operational management
    318
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems. 3.2.1]
    Communicate Preventive
    Establish, implement, and maintain operational control procedures. CC ID 00831 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583
    [Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. 3.13.14]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Establish/Maintain Documentation Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749
    [Control and monitor user-installed software. 3.4.9]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Business Processes Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631
    [Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. 3.4.1]
    Business Processes Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Establish/Maintain Documentation Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Establish/Maintain Documentation Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Systems Design, Build, and Implementation Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Data and Information Management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Establish/Maintain Documentation Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Establish/Maintain Documentation Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Establish/Maintain Documentation Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Establish/Maintain Documentation Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Establish/Maintain Documentation Preventive
    Conduct environmental surveys. CC ID 00690 Physical and Environmental Protection Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Establish/Maintain Documentation Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Establish/Maintain Documentation Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Establish/Maintain Documentation Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Process or Activity Preventive
    Include software in the Information Technology inventory. CC ID 00692 Establish/Maintain Documentation Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Establish/Maintain Documentation Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Establish/Maintain Documentation Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Establish/Maintain Documentation Preventive
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Monitor and Evaluate Occurrences Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Monitor and Evaluate Occurrences Corrective
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Establish/Maintain Documentation Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Technical Security Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Technical Security Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Data and Information Management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Establish/Maintain Documentation Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Data and Information Management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Data and Information Management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Establish/Maintain Documentation Preventive
    Include source code in the asset inventory. CC ID 14858 Records Management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Human Resources Management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Technical Security Detective
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Establish/Maintain Documentation Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Data and Information Management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Establish/Maintain Documentation Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Establish/Maintain Documentation Preventive
    Record the software version in the asset inventory. CC ID 12196 Establish/Maintain Documentation Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Establish/Maintain Documentation Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Establish/Maintain Documentation Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Establish/Maintain Documentation Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Establish/Maintain Documentation Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Establish/Maintain Documentation Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Establish/Maintain Documentation Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Establish/Maintain Documentation Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Establish/Maintain Documentation Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Establish/Maintain Documentation Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Data and Information Management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Establish/Maintain Documentation Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Data and Information Management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Establish/Maintain Documentation Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Establish/Maintain Documentation Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Establish/Maintain Documentation Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Establish/Maintain Documentation Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Establish/Maintain Documentation Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Establish/Maintain Documentation Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Establish/Maintain Documentation Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Data and Information Management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Data and Information Management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Establish/Maintain Documentation Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Establish/Maintain Documentation Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Establish/Maintain Documentation Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Establish/Maintain Documentation Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Establish/Maintain Documentation Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Establish/Maintain Documentation Preventive
    Control and monitor all maintenance tools. CC ID 01432
    [Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. 3.7.2]
    Physical and Environmental Protection Detective
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Business Processes Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433 Technical Security Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083
    [Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. 3.7.5]
    Technical Security Preventive
    Conduct maintenance with authorized personnel. CC ID 01434
    [Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. 3.7.2]
    Testing Detective
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Maintenance Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Maintenance Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435
    [Perform maintenance on organizational information systems. 3.7.1]
    Behavior Preventive
    Restart systems on a periodic basis. CC ID 16498 Maintenance Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Maintenance Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Technical Security Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Technical Security Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Human Resources Management Preventive
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Business Processes Preventive
    Establish, implement, and maintain an incident management policy. CC ID 16414 Establish/Maintain Documentation Preventive
    Define and assign the roles and responsibilities for the Incident Management program. CC ID 13055 Human Resources Management Preventive
    Define the uses and capabilities of the Incident Management program. CC ID 00854 Establish/Maintain Documentation Preventive
    Include incident escalation procedures in the Incident Management program. CC ID 00856
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Establish/Maintain Documentation Preventive
    Define the characteristics of the Incident Management program. CC ID 00855 Establish/Maintain Documentation Preventive
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Establish/Maintain Documentation Preventive
    Include the criteria for an incident in the Incident Management program. CC ID 12173 Establish/Maintain Documentation Preventive
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Business Processes Detective
    Include detection procedures in the Incident Management program. CC ID 00588 Establish/Maintain Documentation Preventive
    Categorize the incident following an incident response. CC ID 13208 Technical Security Preventive
    Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 Establish/Maintain Documentation Preventive
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Monitor and Evaluate Occurrences Corrective
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Monitor and Evaluate Occurrences Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Monitor and Evaluate Occurrences Detective
    Identify root causes of incidents that force system changes. CC ID 13482 Investigate Detective
    Respond to and triage when an incident is detected. CC ID 06942 Monitor and Evaluate Occurrences Detective
    Document the incident and any relevant evidence in the incident report. CC ID 08659
    [Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. 3.6.2]
    Establish/Maintain Documentation Detective
    Escalate incidents, as necessary. CC ID 14861 Monitor and Evaluate Occurrences Corrective
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Process or Activity Corrective
    Respond to all alerts from security systems in a timely manner. CC ID 06434
    [Monitor information system security alerts and advisories and take appropriate actions in response. 3.14.3]
    Behavior Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Process or Activity Corrective
    Contain the incident to prevent further loss. CC ID 01751 Process or Activity Corrective
    Wipe data and memory after an incident has been detected. CC ID 16850 Technical Security Corrective
    Refrain from accessing compromised systems. CC ID 01752 Technical Security Corrective
    Isolate compromised systems from the network. CC ID 01753 Technical Security Corrective
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Log Management Corrective
    Change authenticators after a security incident has been detected. CC ID 06789 Technical Security Corrective
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Investigate Detective
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Establish/Maintain Documentation Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Establish/Maintain Documentation Detective
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Establish/Maintain Documentation Detective
    Assess all incidents to determine what information was accessed. CC ID 01226 Testing Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Monitor and Evaluate Occurrences Corrective
    Analyze the incident response process following an incident response. CC ID 13179 Investigate Detective
    Share incident information with interested personnel and affected parties. CC ID 01212 Data and Information Management Corrective
    Share data loss event information with the media. CC ID 01759 Behavior Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Data and Information Management Preventive
    Share data loss event information with interconnected system owners. CC ID 01209 Establish/Maintain Documentation Corrective
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Communicate Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Communicate Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Establish/Maintain Documentation Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Data and Information Management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Log Management Detective
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Communicate Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Communicate Preventive
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Behavior Corrective
    Remediate security violations according to organizational standards. CC ID 12338 Business Processes Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364 Establish/Maintain Documentation Preventive
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Behavior Corrective
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Behavior Detective
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Behavior Corrective
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Establish/Maintain Documentation Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Communicate Preventive
    Revoke the written request to delay the notification. CC ID 16843 Process or Activity Preventive
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Establish/Maintain Documentation Preventive
    Avoid false positive incident response notifications. CC ID 04732 Behavior Detective
    Establish, implement, and maintain incident response notifications. CC ID 12975 Establish/Maintain Documentation Corrective
    Refrain from charging for providing incident response notifications. CC ID 13876 Business Processes Preventive
    Include information required by law in incident response notifications. CC ID 00802 Establish/Maintain Documentation Detective
    Title breach notifications "Notice of Data Breach". CC ID 12977 Establish/Maintain Documentation Preventive
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Establish/Maintain Documentation Preventive
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Establish/Maintain Documentation Preventive
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Establish/Maintain Documentation Preventive
    Use plain language to write incident response notifications. CC ID 12976 Establish/Maintain Documentation Preventive
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Establish/Maintain Documentation Preventive
    Refrain from including restricted information in the incident response notification. CC ID 16806 Actionable Reports or Measurements Preventive
    Include the affected parties' rights in the incident response notification. CC ID 16811 Establish/Maintain Documentation Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Establish/Maintain Documentation Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Establish/Maintain Documentation Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Establish/Maintain Documentation Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Establish/Maintain Documentation Preventive
    Include time information in incident response notifications. CC ID 04745 Establish/Maintain Documentation Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Establish/Maintain Documentation Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Establish/Maintain Documentation Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735 Establish/Maintain Documentation Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Establish/Maintain Documentation Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Establish/Maintain Documentation Preventive
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Establish/Maintain Documentation Preventive
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Establish/Maintain Documentation Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Establish/Maintain Documentation Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Establish/Maintain Documentation Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Establish/Maintain Documentation Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Establish/Maintain Documentation Preventive
    Include any consequences in the incident response notifications. CC ID 12604 Establish/Maintain Documentation Preventive
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Establish/Maintain Documentation Preventive
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Establish/Maintain Documentation Preventive
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Establish/Maintain Documentation Detective
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Communicate Corrective
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Business Processes Corrective
    Include contact information in incident response notifications. CC ID 04739 Establish/Maintain Documentation Preventive
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Communicate Preventive
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Behavior Corrective
    Post the incident response notification on the organization's website. CC ID 16809 Process or Activity Preventive
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Behavior Corrective
    Document the determination for providing a substitute incident response notification. CC ID 16841 Process or Activity Preventive
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Behavior Corrective
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Behavior Corrective
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Behavior Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Establish/Maintain Documentation Preventive
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Establish/Maintain Documentation Preventive
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Behavior Preventive
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Behavior Corrective
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Behavior Preventive
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Behavior Corrective
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Communicate Corrective
    Establish, implement, and maintain a containment strategy. CC ID 13480 Establish/Maintain Documentation Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Establish/Maintain Documentation Preventive
    Include response times in the containment strategy. CC ID 13485 Establish/Maintain Documentation Preventive
    Include incident recovery procedures in the Incident Management program. CC ID 01758
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Establish/Maintain Documentation Corrective
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Technical Security Corrective
    Eradicate the cause of the incident after the incident has been contained. CC ID 01757 Business Processes Corrective
    Establish, implement, and maintain a restoration log. CC ID 12745 Establish/Maintain Documentation Preventive
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Data and Information Management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Data and Information Management Preventive
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Human Resources Management Corrective
    Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 Establish/Maintain Documentation Preventive
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Monitor and Evaluate Occurrences Detective
    Re-image compromised systems with secure builds. CC ID 12086 Technical Security Corrective
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Establish/Maintain Documentation Preventive
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Monitor and Evaluate Occurrences Preventive
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Investigate Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233 Establish/Maintain Documentation Preventive
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Establish/Maintain Documentation Preventive
    Test incident monitoring procedures. CC ID 13194 Testing Detective
    Include incident response procedures in the Incident Management program. CC ID 01218 Establish/Maintain Documentation Preventive
    Integrate configuration management procedures into the incident management program. CC ID 13647 Technical Security Preventive
    Include incident management procedures in the Incident Management program. CC ID 12689 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Establish/Maintain Documentation Preventive
    Include after-action analysis procedures in the Incident Management program. CC ID 01219
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Establish/Maintain Documentation Preventive
    Conduct incident investigations, as necessary. CC ID 13826 Process or Activity Detective
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Investigate Detective
    Identify the affected parties during incident investigations. CC ID 16781 Investigate Detective
    Interview suspects during incident investigations, as necessary. CC ID 14041 Investigate Detective
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Investigate Detective
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain incident management audit logs. CC ID 13514 Records Management Preventive
    Log incidents in the Incident Management audit log. CC ID 00857
    [Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. 3.6.2]
    Establish/Maintain Documentation Preventive
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Log Management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Establish/Maintain Documentation Preventive
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Log Management Corrective
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Log Management Preventive
    Include emergency processing priorities in the Incident Management program. CC ID 00859 Establish/Maintain Documentation Preventive
    Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 Establish/Maintain Documentation Preventive
    Include incident record closure procedures in the Incident Management program. CC ID 01620 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. 3.6.2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Communicate Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Establish/Maintain Documentation Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Establish Roles Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Establish Roles Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [Provide privacy and security notices consistent with applicable CUI rules. 3.1.9]
    Communicate Corrective
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Establish/Maintain Documentation Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Establish/Maintain Documentation Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Establish/Maintain Documentation Preventive
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Technical Security Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Technical Security Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Technical Security Corrective
    Include business recovery procedures in the Incident Response program. CC ID 11774
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Establish/Maintain Documentation Preventive
    Test the incident response procedures. CC ID 01216
    [Test the organizational incident response capability. 3.6.3]
    Testing Detective
    Document the results of incident response tests and provide them to senior management. CC ID 14857 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a change control program. CC ID 00886
    [Track, review, approve/disapprove, and audit changes to information systems. 3.4.3]
    Establish/Maintain Documentation Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Establish/Maintain Documentation Preventive
    Include version control in the change control program. CC ID 13119 Establish/Maintain Documentation Preventive
    Include service design and transition in the change control program. CC ID 13920 Establish/Maintain Documentation Preventive
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Maintenance Preventive
    Integrate configuration management procedures into the change control program. CC ID 13646 Technical Security Preventive
    Establish, implement, and maintain a back-out plan. CC ID 13623 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Establish/Maintain Documentation Preventive
    Approve back-out plans, as necessary. CC ID 13627 Establish/Maintain Documentation Corrective
    Manage change requests. CC ID 00887 Business Processes Preventive
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Establish/Maintain Documentation Preventive
    Establish and maintain a change request approver list. CC ID 06795 Establish/Maintain Documentation Preventive
    Document all change requests in change request forms. CC ID 06794
    [Track, review, approve/disapprove, and audit changes to information systems. 3.4.3]
    Establish/Maintain Documentation Preventive
    Test proposed changes prior to their approval. CC ID 00548 Testing Detective
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Business Processes Detective
    Approve tested change requests. CC ID 11783
    [Track, review, approve/disapprove, and audit changes to information systems. 3.4.3]
    Data and Information Management Preventive
    Validate the system before implementing approved changes. CC ID 01510
    [Track, review, approve/disapprove, and audit changes to information systems. 3.4.3]
    Systems Design, Build, and Implementation Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Behavior Preventive
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Establish/Maintain Documentation Preventive
    Perform emergency changes, as necessary. CC ID 12707 Process or Activity Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Process or Activity Preventive
    Log emergency changes after they have been performed. CC ID 12733 Establish/Maintain Documentation Preventive
    Perform risk assessments prior to approving change requests. CC ID 00888
    [Analyze the security impact of changes prior to implementation. 3.4.4]
    Testing Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Process or Activity Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Investigate Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Investigate Detective
    Implement changes according to the change control program. CC ID 11776 Business Processes Preventive
    Provide audit trails for all approved changes. CC ID 13120 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a patch management program. CC ID 00896
    [Identify, report, and correct information and information system flaws in a timely manner. 3.14.1]
    Process or Activity Preventive
    Document the sources of all software updates. CC ID 13316 Establish/Maintain Documentation Preventive
    Implement patch management software, as necessary. CC ID 12094 Technical Security Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Technical Security Preventive
    Establish, implement, and maintain a patch management policy. CC ID 16432 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain patch management procedures. CC ID 15224 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a patch log. CC ID 01642 Establish/Maintain Documentation Preventive
    Review the patch log for missing patches. CC ID 13186 Technical Security Detective
    Perform a patch test prior to deploying a patch. CC ID 00898 Testing Detective
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Business Processes Preventive
    Deploy software patches in accordance with organizational standards. CC ID 07032 Configuration Corrective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Testing Detective
    Patch software. CC ID 11825 Technical Security Corrective
    Patch the operating system, as necessary. CC ID 11824 Technical Security Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Configuration Corrective
    Remove outdated software after software has been updated. CC ID 11792 Configuration Corrective
    Update computer firmware, as necessary. CC ID 11755 Configuration Corrective
    Review changes to computer firmware. CC ID 12226 Testing Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Testing Detective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Configuration Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Technical Security Detective
    Establish, implement, and maintain a software release policy. CC ID 00893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain traceability documentation. CC ID 16388 Systems Design, Build, and Implementation Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Behavior Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Data and Information Management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Business Processes Corrective
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Establish/Maintain Documentation Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Testing Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Testing Detective
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Establish/Maintain Documentation Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a configuration change log. CC ID 08710 Configuration Detective
    Document approved configuration deviations. CC ID 08711 Establish/Maintain Documentation Corrective
  • Physical and environmental protection
    185
    TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a physical security program. CC ID 11757 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [Protect and monitor the physical facility and support infrastructure for those information systems. 3.10.2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Establish/Maintain Documentation Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Establish/Maintain Documentation Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Behavior Preventive
    Protect the facility from crime. CC ID 06347 Physical and Environmental Protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Establish/Maintain Documentation Preventive
    Include identification cards or badges in the physical security program. CC ID 14818 Establish/Maintain Documentation Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and Environmental Protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and Environmental Protection Detective
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Technical Security Preventive
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Establish/Maintain Documentation Preventive
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and Environmental Protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and Environmental Protection Preventive
    Create security zones in facilities, as necessary. CC ID 16295 Physical and Environmental Protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and Environmental Protection Preventive
    Establish, implement, and maintain floor plans. CC ID 16419 Establish/Maintain Documentation Preventive
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Establish/Maintain Documentation Preventive
    Post floor plans of critical facilities in secure locations. CC ID 16138 Communicate Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Establish/Maintain Documentation Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and Environmental Protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and Environmental Protection Preventive
    Detect anomalies in physical barriers. CC ID 13533 Investigate Detective
    Maintain all security alarm systems. CC ID 11669 Physical and Environmental Protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637 Establish/Maintain Documentation Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and Environmental Protection Preventive
    Establish, implement, and maintain physical access procedures. CC ID 13629 Establish/Maintain Documentation Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and Environmental Protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and Environmental Protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Establish/Maintain Documentation Preventive
    Escort visitors within the facility, as necessary. CC ID 06417
    [Escort visitors and monitor visitor activity. 3.10.3]
    Establish/Maintain Documentation Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and Environmental Protection Preventive
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Testing Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Behavior Preventive
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Establish/Maintain Documentation Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Establish/Maintain Documentation Preventive
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and Environmental Protection Corrective
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Establish/Maintain Documentation Preventive
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747
    [Supervise the maintenance activities of maintenance personnel without required access authorization. 3.7.6]
    Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Establish/Maintain Documentation Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Human Resources Management Preventive
    Implement physical identification processes. CC ID 13715 Process or Activity Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Process or Activity Preventive
    Issue photo identification badges to all employees. CC ID 12326 Physical and Environmental Protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Testing Preventive
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Establish/Maintain Documentation Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Establish/Maintain Documentation Corrective
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and Environmental Protection Preventive
    Manage constituent identification inside the facility. CC ID 02215 Behavior Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Human Resources Management Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and Environmental Protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Behavior Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and Environmental Protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Behavior Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and Environmental Protection Preventive
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Establish/Maintain Documentation Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Process or Activity Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Establish/Maintain Documentation Preventive
    Include an appeal process in the identification issuance procedures. CC ID 15428 Business Processes Preventive
    Include information security in the identification issuance procedures. CC ID 15425 Establish/Maintain Documentation Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Process or Activity Preventive
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Establish/Maintain Documentation Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Establish/Maintain Documentation Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and Environmental Protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and Environmental Protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and Environmental Protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and Environmental Protection Preventive
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Establish/Maintain Documentation Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Human Resources Management Preventive
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Establish/Maintain Documentation Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Establish/Maintain Documentation Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Configuration Preventive
    Install emergency doors to permit egress only. CC ID 06688 Configuration Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Configuration Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and Environmental Protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Configuration Preventive
    Test locks for physical security vulnerabilities. CC ID 04880 Testing Detective
    Secure unissued access mechanisms. CC ID 06713 Technical Security Preventive
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748
    [Control and manage physical access devices. 3.10.5]
    Establish/Maintain Documentation Preventive
    Change cipher lock codes, as necessary. CC ID 06651 Technical Security Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a window security standard. CC ID 06689 Establish/Maintain Documentation Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Configuration Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Configuration Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Establish/Maintain Documentation Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and Environmental Protection Preventive
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and Environmental Protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and Environmental Protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and Environmental Protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and Environmental Protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and Environmental Protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and Environmental Protection Preventive
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and Environmental Protection Preventive
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and Environmental Protection Preventive
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and Environmental Protection Preventive
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Establish/Maintain Documentation Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and Environmental Protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and Environmental Protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and Environmental Protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and Environmental Protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and Environmental Protection Detective
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a camera operating policy. CC ID 15456 Establish/Maintain Documentation Preventive
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Communicate Preventive
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Monitor and Evaluate Occurrences Detective
    Establish and maintain a visitor log. CC ID 00715 Log Management Preventive
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Establish/Maintain Documentation Preventive
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Investigate Detective
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Behavior Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Log Management Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Log Management Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Log Management Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Establish/Maintain Documentation Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Establish/Maintain Documentation Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Log Management Preventive
    Establish, implement, and maintain a physical access log. CC ID 12080
    [Maintain audit logs of physical access. 3.10.4]
    Establish/Maintain Documentation Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Log Management Preventive
    Log when the vault is accessed. CC ID 06725 Log Management Detective
    Log when the cabinet is accessed. CC ID 11674 Log Management Detective
    Store facility access logs in off-site storage. CC ID 06958 Log Management Preventive
    Log the exit of a staff member from a facility or designated rooms within the facility. CC ID 11675 Monitor and Evaluate Occurrences Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Monitor and Evaluate Occurrences Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Monitor and Evaluate Occurrences Detective
    Configure video cameras to cover all physical entry points. CC ID 06302 Configuration Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Configuration Preventive
    Retain video events according to Records Management procedures. CC ID 06304 Records Management Preventive
    Monitor physical entry point alarms. CC ID 01639 Physical and Environmental Protection Detective
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Monitor and Evaluate Occurrences Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Establish/Maintain Documentation Preventive
    Build and maintain fencing, as necessary. CC ID 02235 Physical and Environmental Protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and Environmental Protection Preventive
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and Environmental Protection Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Establish Roles Preventive
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Establish/Maintain Documentation Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and Environmental Protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Configuration Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Behavior Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Behavior Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Business Processes Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Behavior Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Behavior Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and Environmental Protection Preventive
    Control the transiting and internal distribution or external distribution of assets. CC ID 00963 Records Management Preventive
    Transport restricted media using a delivery method that can be tracked. CC ID 11777
    [Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. 3.8.5]
    Business Processes Preventive
    Track restricted storage media while it is in transit. CC ID 00967 Data and Information Management Detective
    Restrict physical access to distributed assets. CC ID 11865
    [Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. 3.10.1]
    Physical and Environmental Protection Preventive
    House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 Physical and Environmental Protection Preventive
    Protect electronic storage media with physical access controls. CC ID 00720 Physical and Environmental Protection Preventive
    Establish, implement, and maintain removable storage media controls. CC ID 06680
    [Limit use of organizational portable storage devices on external information systems. 3.1.21
    Control the use of removable media on information system components. 3.8.7]
    Data and Information Management Preventive
    Control access to restricted storage media. CC ID 04889
    [Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. 3.8.5]
    Data and Information Management Preventive
    Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 Physical and Environmental Protection Preventive
    Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 Records Management Preventive
    Treat archive media as evidence. CC ID 00960 Records Management Preventive
    Log the transfer of removable storage media. CC ID 12322 Log Management Preventive
    Establish, implement, and maintain storage media access control procedures. CC ID 00959
    [Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital. 3.8.1
    Limit access to CUI on information system media to authorized users. 3.8.2]
    Establish/Maintain Documentation Preventive
    Require removable storage media be in the custody of an authorized individual. CC ID 12319 Behavior Preventive
    Control the storage of restricted storage media. CC ID 00965 Records Management Preventive
    Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 Physical and Environmental Protection Preventive
    Protect the combinations for all combination locks. CC ID 02199 Physical and Environmental Protection Preventive
    Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 Establish/Maintain Documentation Preventive
    Establish and maintain eavesdropping protection for vaults. CC ID 02231 Physical and Environmental Protection Preventive
    Serialize all removable storage media. CC ID 00949 Configuration Preventive
    Establish, implement, and maintain mobile device security guidelines. CC ID 04723
    [Control connection of mobile devices. 3.1.18]
    Establish/Maintain Documentation Preventive
    Require users to refrain from leaving mobile devices unattended. CC ID 16446 Business Processes Preventive
    Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 Establish/Maintain Documentation Preventive
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Data and Information Management Preventive
    Include legal requirements in the mobile device security guidelines. CC ID 12291 Establish/Maintain Documentation Preventive
    Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 Physical and Environmental Protection Preventive
    Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 Establish/Maintain Documentation Preventive
    Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 Establish/Maintain Documentation Preventive
    Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 Establish/Maintain Documentation Preventive
    Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 Physical and Environmental Protection Preventive
    Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 Physical and Environmental Protection Preventive
    Encrypt information stored on mobile devices. CC ID 01422
    [Encrypt CUI on mobile devices. 3.1.19]
    Data and Information Management Preventive
    Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768
    [Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. 3.13.12]
    Technical Security Preventive
    Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647
    [Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. 3.13.12]
    Technical Security Preventive
  • Records management
    23
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903 Establish/Maintain Documentation Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 Establish/Maintain Documentation Preventive
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464
    [Ensure equipment removed for off-site maintenance is sanitized of any CUI. 3.7.3]
    Data and Information Management Preventive
    Sanitize all electronic storage media before disposing of a system or redeploying a system. CC ID 01643
    [Sanitize or destroy information system media containing CUI before disposal or release for reuse. 3.8.3]
    Data and Information Management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926
    [Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital. 3.8.1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security label procedures. CC ID 06747
    [Mark media with necessary CUI markings and distribution limitations. 3.8.4]
    Establish/Maintain Documentation Preventive
    Label restricted storage media appropriately. CC ID 00966 Data and Information Management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records Management Detective
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Establish/Maintain Documentation Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Establish/Maintain Documentation Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Establish/Maintain Documentation Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Establish/Maintain Documentation Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Establish/Maintain Documentation Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Establish/Maintain Documentation Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Data and Information Management Preventive
    Establish, implement, and maintain online storage controls. CC ID 00942 Technical Security Preventive
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 Records Management Preventive
    Provide encryption for different types of electronic storage media. CC ID 00945
    [Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. 3.8.6]
    Technical Security Preventive
  • System hardening through configuration management
    614
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Configuration Management program. CC ID 00867 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862
    [Establish and enforce security configuration settings for information technology products employed in organizational information systems. 3.4.2
    Employ the principle of least functionality by configuring the information system to provide only essential capabilities. 3.4.6
    Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. 3.4.1]
    Establish/Maintain Documentation Preventive
    Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 Establish/Maintain Documentation Preventive
    Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 Establish/Maintain Documentation Preventive
    Include the applied security patches in the baseline configuration. CC ID 13271 Establish/Maintain Documentation Preventive
    Include the installed application software and version numbers in the baseline configuration. CC ID 13270 Establish/Maintain Documentation Preventive
    Include installed custom software in the baseline configuration. CC ID 13274 Establish/Maintain Documentation Preventive
    Include network ports in the baseline configuration. CC ID 13273 Establish/Maintain Documentation Preventive
    Include the operating systems and version numbers in the baseline configuration. CC ID 13269 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418
    [Terminate (automatically) a user session after a defined condition. 3.1.11
    Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. 3.13.9]
    Configuration Preventive
    Refrain from using assertion lifetimes to limit each session. CC ID 13871 Technical Security Preventive
    Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 Configuration Preventive
    Invalidate unexpected session identifiers. CC ID 15307 Configuration Preventive
    Configure the "MaxStartups" settings to organizational standards. CC ID 15329 Configuration Preventive
    Reject session identifiers that are not valid. CC ID 15306 Configuration Preventive
    Configure the "MaxSessions" settings to organizational standards. CC ID 15330 Configuration Preventive
    Configure the "Interactive logon: Message title for users attempting to log on" to organizational standards. CC ID 07699 Configuration Preventive
    Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 Configuration Preventive
    Configure the "Network security: Force logoff when logon hours expire" to organizational standards. CC ID 07738 Configuration Preventive
    Configure the "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to organizational standards. CC ID 07758 Configuration Preventive
    Configure the "Microsoft network server: Disconnect clients when logon hours expire" to organizational standards. CC ID 07824 Configuration Preventive
    Configure the "Microsoft network server: Amount of idle time required before suspending session" to organizational standards. CC ID 07826 Configuration Preventive
    Configure the "Interactive logon: Do not display last user name" to organizational standards. CC ID 07832 Configuration Preventive
    Configure the "Interactive logon: Display user information when the session is locked" to organizational standards. CC ID 07848 Configuration Preventive
    Configure the "Interactive logon: Message text for users attempting to log on" to organizational standards. CC ID 07870 Configuration Preventive
    Configure the "Always prompt for password upon connection" to organizational standards. CC ID 08229 Configuration Preventive
    Configure the "Interactive logon: Machine inactivity limit" to organizational standards. CC ID 08350 Configuration Preventive
    Remove all unnecessary functionality. CC ID 00882 Configuration Preventive
    Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 Configuration Preventive
    Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681
    [Prohibit the use of portable storage devices when such devices have no identifiable owner. 3.8.8]
    Data and Information Management Preventive
    Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 Configuration Preventive
    Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880
    [Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services. 3.4.7]
    Configuration Preventive
    Disable rquotad unless rquotad is absolutely necessary. CC ID 01473 Configuration Preventive
    Configure the rquotad service to use a static port or a dynamic portmapper port as appropriate. CC ID 05983 Configuration Preventive
    Disable telnet unless telnet use is absolutely necessary. CC ID 01478 Configuration Preventive
    Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. CC ID 01479 Configuration Preventive
    Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 Configuration Preventive
    Disable anonymous access to File Transfer Protocol. CC ID 06739 Configuration Preventive
    Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. CC ID 01485 Configuration Preventive
    Disable Post Office Protocol unless its use is absolutely necessary. CC ID 01486 Configuration Preventive
    Disable SQLServer processes unless SQLServer processes use is absolutely necessary. CC ID 01500 Configuration Preventive
    Disable alerter unless alerter use is absolutely necessary. CC ID 01810 Configuration Preventive
    Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. CC ID 01812 Configuration Preventive
    Disable ClipBook unless ClipBook use is absolutely necessary. CC ID 01813 Configuration Preventive
    Disable Fax Service unless Fax Service use is absolutely necessary. CC ID 01815 Configuration Preventive
    Disable IIS admin service unless IIS admin service use is absolutely necessary. CC ID 01817 Configuration Preventive
    Disable indexing service unless indexing service use is absolutely necessary. CC ID 01818 Configuration Preventive
    Disable net logon unless net logon use is absolutely necessary. CC ID 01820 Configuration Preventive
    Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. CC ID 01822 Configuration Preventive
    Disable the "Offer Remote Assistance" setting. CC ID 04325 Configuration Preventive
    Disable the "Solicited Remote Assistance" setting. CC ID 04326 Configuration Preventive
    Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. CC ID 01823 Configuration Preventive
    Disable Routing and Remote Access unless Routing and Remote Access use is necessary. CC ID 01824 Configuration Preventive
    Disable task scheduler unless task scheduler use is absolutely necessary. CC ID 01829 Configuration Preventive
    Disable Terminal Services unless Terminal Services use is absolutely necessary. CC ID 01831 Configuration Preventive
    Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. CC ID 01832 Configuration Preventive
    Disable File Service Protocol. CC ID 02167 Configuration Preventive
    Disable the License Logging Service unless it is absolutely necessary. CC ID 04282 Configuration Preventive
    Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. CC ID 04285 Configuration Preventive
    Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. CC ID 04286 Configuration Preventive
    Disable Remote Administration Service unless remote administration management is absolutely necessary. CC ID 04287 Configuration Preventive
    Disable remote installation unless remote installation is absolutely necessary. CC ID 04288 Configuration Preventive
    Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. CC ID 04289 Configuration Preventive
    Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. CC ID 04290 Configuration Preventive
    Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. CC ID 04291 Configuration Preventive
    Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. CC ID 04292 Configuration Preventive
    Disable telephony services unless telephony services use is absolutely necessary. CC ID 04293 Configuration Preventive
    Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. CC ID 04294 Configuration Preventive
    Disable SSDP/UPnP unless SSDP/UPnP is absolutely necessary. CC ID 04315 Configuration Preventive
    Configure the "ntpd service" setting to organizational standards. CC ID 04911 Configuration Preventive
    Configure the "echo service" setting to organizational standards. CC ID 04912 Configuration Preventive
    Configure the "echo-dgram service" setting to organizational standards. CC ID 09927 Configuration Preventive
    Configure the "echo-stream service" setting to organizational standards. CC ID 09928 Configuration Preventive
    Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 Configuration Preventive
    Configure the "tcpmux-server" setting to organizational standards. CC ID 09929 Configuration Preventive
    Configure the "netstat service" setting to organizational standards. CC ID 04913 Configuration Preventive
    Configure the "character generator protocol (chargen)" setting to organizational standards. CC ID 04914 Configuration Preventive
    Configure the "tftpd service" setting to organizational standards. CC ID 04915 Configuration Preventive
    Configure the "walld service" setting to organizational standards. CC ID 04916 Configuration Preventive
    Configure the "rstatd service" setting to organizational standards. CC ID 04917 Configuration Preventive
    Configure the "sprayd service" setting to organizational standards. CC ID 04918 Configuration Preventive
    Configure the "rusersd service" setting to organizational standards. CC ID 04919 Configuration Preventive
    Configure the "inn service" setting to organizational standards. CC ID 04920 Configuration Preventive
    Configure the "font service" setting to organizational standards. CC ID 04921 Configuration Preventive
    Configure the "ident service" setting to organizational standards. CC ID 04922 Configuration Preventive
    Configure the "rexd service" setting to organizational standards. CC ID 04923 Configuration Preventive
    Configure the "daytime service" setting to organizational standards. CC ID 04924 Configuration Preventive
    Configure the "dtspc (cde-spc) service" setting to organizational standards. CC ID 04925 Configuration Preventive
    Configure the "cmsd service" setting to organizational standards. CC ID 04926 Configuration Preventive
    Configure the "ToolTalk service" setting to organizational standards. CC ID 04927 Configuration Preventive
    Configure the "discard service" setting to organizational standards. CC ID 04928 Configuration Preventive
    Configure the "vino-server service" setting to organizational standards. CC ID 04929 Configuration Preventive
    Configure the "bind service" setting to organizational standards. CC ID 04930 Configuration Preventive
    Configure the "nfsd service" setting to organizational standards. CC ID 04931 Configuration Preventive
    Configure the "mountd service" setting to organizational standards. CC ID 04932 Configuration Preventive
    Configure the "statd service" setting to organizational standards. CC ID 04933 Configuration Preventive
    Configure the "lockd service" setting to organizational standards. CC ID 04934 Configuration Preventive
    Configure the lockd service to use a static port or a dynamic portmapper port for User Datagram Protocol as appropriate. CC ID 05980 Configuration Preventive
    Configure the "decode sendmail alias" setting to organizational standards. CC ID 04935 Configuration Preventive
    Configure the sendmail vrfy command, as appropriate. CC ID 04936 Configuration Preventive
    Configure the sendmail expn command, as appropriate. CC ID 04937 Configuration Preventive
    Configure .netrc with an appropriate set of services. CC ID 04938 Configuration Preventive
    Enable NFS insecure locks as necessary. CC ID 04939 Configuration Preventive
    Configure the "X server ac" setting to organizational standards. CC ID 04940 Configuration Preventive
    Configure the "X server core" setting to organizational standards. CC ID 04941 Configuration Preventive
    Enable or disable the setroubleshoot service, as appropriate. CC ID 05540 Configuration Preventive
    Configure the "X server nolock" setting to organizational standards. CC ID 04942 Configuration Preventive
    Enable or disable the mcstrans service, as appropriate. CC ID 05541 Configuration Preventive
    Configure the "PAM console" setting to organizational standards. CC ID 04943 Configuration Preventive
    Enable or disable the restorecond service, as appropriate. CC ID 05542 Configuration Preventive
    Enable the rhnsd service as necessary. CC ID 04944 Configuration Preventive
    Enable the yum-updatesd service as necessary. CC ID 04945 Configuration Preventive
    Enable the autofs service as necessary. CC ID 04946 Configuration Preventive
    Enable the ip6tables service as necessary. CC ID 04947 Configuration Preventive
    Configure syslog to organizational standards. CC ID 04949 Configuration Preventive
    Enable the auditd service as necessary. CC ID 04950 Configuration Preventive
    Enable the logwatch service as necessary. CC ID 04951 Configuration Preventive
    Enable the logrotate (syslog rotator) service as necessary. CC ID 04952 Configuration Preventive
    Install or uninstall the telnet server package, only if absolutely necessary. CC ID 04953 Configuration Preventive
    Enable the ypbind service as necessary. CC ID 04954 Configuration Preventive
    Enable the ypserv service as necessary. CC ID 04955 Configuration Preventive
    Enable the firstboot service as necessary. CC ID 04956 Configuration Preventive
    Enable the gpm service as necessary. CC ID 04957 Configuration Preventive
    Enable the irqbalance service as necessary. CC ID 04958 Configuration Preventive
    Enable the isdn service as necessary. CC ID 04959 Configuration Preventive
    Enable the kdump service as necessary. CC ID 04960 Configuration Preventive
    Enable the mdmonitor service as necessary. CC ID 04961 Configuration Preventive
    Enable the microcode_ctl service as necessary. CC ID 04962 Configuration Preventive
    Enable the pcscd service as necessary. CC ID 04963 Configuration Preventive
    Enable the smartd service as necessary. CC ID 04964 Configuration Preventive
    Enable the readahead_early service as necessary. CC ID 04965 Configuration Preventive
    Enable the readahead_later service as necessary. CC ID 04966 Configuration Preventive
    Enable the messagebus service as necessary. CC ID 04967 Configuration Preventive
    Enable the haldaemon service as necessary. CC ID 04968 Configuration Preventive
    Enable the apmd service as necessary. CC ID 04969 Configuration Preventive
    Enable the acpid service as necessary. CC ID 04970 Configuration Preventive
    Enable the cpuspeed service as necessary. CC ID 04971 Configuration Preventive
    Enable the network service as necessary. CC ID 04972 Configuration Preventive
    Enable the hidd service as necessary. CC ID 04973 Configuration Preventive
    Enable the crond service as necessary. CC ID 04974 Configuration Preventive
    Install and enable the anacron service as necessary. CC ID 04975 Configuration Preventive
    Enable the xfs service as necessary. CC ID 04976 Configuration Preventive
    Install and enable the Avahi daemon service, as necessary. CC ID 04977 Configuration Preventive
    Enable the CUPS service, as necessary. CC ID 04978 Configuration Preventive
    Enable the hplip service as necessary. CC ID 04979 Configuration Preventive
    Enable the dhcpd service as necessary. CC ID 04980 Configuration Preventive
    Enable the nfslock service as necessary. CC ID 04981 Configuration Preventive
    Enable the rpcgssd service as necessary. CC ID 04982 Configuration Preventive
    Enable the rpcidmapd service as necessary. CC ID 04983 Configuration Preventive
    Enable the rpcsvcgssd service as necessary. CC ID 04985 Configuration Preventive
    Configure root squashing for all NFS shares, as appropriate. CC ID 04986 Configuration Preventive
    Configure write access to NFS shares, as appropriate. CC ID 04987 Configuration Preventive
    Configure the named service, as appropriate. CC ID 04988 Configuration Preventive
    Configure the vsftpd service, as appropriate. CC ID 04989 Configuration Preventive
    Configure the “dovecot” service to organizational standards. CC ID 04990 Configuration Preventive
    Configure Server Message Block (SMB) to organizational standards. CC ID 04991 Configuration Preventive
    Enable the snmpd service as necessary. CC ID 04992 Configuration Preventive
    Enable the calendar manager as necessary. CC ID 04993 Configuration Preventive
    Enable the GNOME logon service as necessary. CC ID 04994 Configuration Preventive
    Enable the WBEM services as necessary. CC ID 04995 Configuration Preventive
    Enable the keyserv service as necessary. CC ID 04996 Configuration Preventive
    Enable the Generic Security Service daemon as necessary. CC ID 04997 Configuration Preventive
    Enable the volfs service as necessary. CC ID 04998 Configuration Preventive
    Enable the smserver service as necessary. CC ID 04999 Configuration Preventive
    Enable the mpxio-upgrade service as necessary. CC ID 05000 Configuration Preventive
    Enable the metainit service as necessary. CC ID 05001 Configuration Preventive
    Enable the meta service as necessary. CC ID 05003 Configuration Preventive
    Enable the metaed service as necessary. CC ID 05004 Configuration Preventive
    Enable the metamh service as necessary. CC ID 05005 Configuration Preventive
    Enable the Local RPC Port Mapping Service as necessary. CC ID 05006 Configuration Preventive
    Enable the Kerberos kadmind service as necessary. CC ID 05007 Configuration Preventive
    Enable the Kerberos krb5kdc service as necessary. CC ID 05008 Configuration Preventive
    Enable the Kerberos kpropd service as necessary. CC ID 05009 Configuration Preventive
    Enable the Kerberos ktkt_warnd service as necessary. CC ID 05010 Configuration Preventive
    Enable the sadmin service as necessary. CC ID 05011 Configuration Preventive
    Enable the IPP listener as necessary. CC ID 05012 Configuration Preventive
    Enable the serial port listener as necessary. CC ID 05013 Configuration Preventive
    Enable the Smart Card Helper service as necessary. CC ID 05014 Configuration Preventive
    Enable the Application Management service as necessary. CC ID 05015 Configuration Preventive
    Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 Configuration Preventive
    Enable the Network News Transport Protocol service as necessary. CC ID 05017 Configuration Preventive
    Enable the network Dynamic Data Exchange service as necessary. CC ID 05018 Configuration Preventive
    Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 Configuration Preventive
    Enable the RARP service as necessary. CC ID 05020 Configuration Preventive
    Configure the ".NET Framework service" setting to organizational standards. CC ID 05021 Configuration Preventive
    Enable the Network DDE Share Database Manager service as necessary. CC ID 05022 Configuration Preventive
    Enable the Certificate Services service as necessary. CC ID 05023 Configuration Preventive
    Configure the ATI hotkey poller service properly. CC ID 05024 Configuration Preventive
    Configure the Interix Subsystem Startup service properly. CC ID 05025 Configuration Preventive
    Configure the Cluster Service service properly. CC ID 05026 Configuration Preventive
    Configure the IAS Jet Database Access service properly. CC ID 05027 Configuration Preventive
    Configure the IAS service properly. CC ID 05028 Configuration Preventive
    Configure the IP Version 6 Helper service properly. CC ID 05029 Configuration Preventive
    Configure "Message Queuing service" to organizational standards. CC ID 05030 Configuration Preventive
    Configure the Message Queuing Down Level Clients service properly. CC ID 05031 Configuration Preventive
    Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 Configuration Preventive
    Configure the TCP/IP NetBIOS Helper Service properly. CC ID 05034 Configuration Preventive
    Configure the Utility Manager service properly. CC ID 05035 Configuration Preventive
    Configure the secondary logon service properly. CC ID 05036 Configuration Preventive
    Configure the Windows Management Instrumentation service properly. CC ID 05037 Configuration Preventive
    Configure the Workstation service properly. CC ID 05038 Configuration Preventive
    Configure the Windows Installer service properly. CC ID 05039 Configuration Preventive
    Configure the Windows System Resource Manager service properly. CC ID 05040 Configuration Preventive
    Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 Configuration Preventive
    Configure the Services for Unix Client for NFS service properly. CC ID 05042 Configuration Preventive
    Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 Configuration Preventive
    Configure the Services for Unix Perl Socket service properly. CC ID 05044 Configuration Preventive
    Configure the Services for Unix User Name Mapping service properly. CC ID 05045 Configuration Preventive
    Configure the Services for Unix Windows Cron service properly. CC ID 05046 Configuration Preventive
    Configure the Windows Media Services service properly. CC ID 05047 Configuration Preventive
    Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. CC ID 05048 Configuration Preventive
    Configure the Web Element Manager service properly. CC ID 05049 Configuration Preventive
    Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. CC ID 05050 Configuration Preventive
    Configure the Terminal Services Licensing service properly. CC ID 05051 Configuration Preventive
    Configure the COM+ Event System service properly. CC ID 05052 Configuration Preventive
    Configure the Event Log service properly. CC ID 05053 Configuration Preventive
    Configure the Infrared Monitor service properly. CC ID 05054 Configuration Preventive
    Configure the Services for Unix Server for NFS service properly. CC ID 05055 Configuration Preventive
    Configure the System Event Notification Service properly. CC ID 05056 Configuration Preventive
    Configure the NTLM Security Support Provider service properly. CC ID 05057 Configuration Preventive
    Configure the Performance Logs and Alerts service properly. CC ID 05058 Configuration Preventive
    Configure the Protected Storage service properly. CC ID 05059 Configuration Preventive
    Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 Configuration Preventive
    Configure the Remote Procedure Call service properly. CC ID 05061 Configuration Preventive
    Configure the Removable Storage service properly. CC ID 05062 Configuration Preventive
    Configure the Server service properly. CC ID 05063 Configuration Preventive
    Configure the Security Accounts Manager service properly. CC ID 05064 Configuration Preventive
    Configure the “Network Connections” service to organizational standards. CC ID 05065 Configuration Preventive
    Configure the Logical Disk Manager service properly. CC ID 05066 Configuration Preventive
    Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 Configuration Preventive
    Configure the File Replication service properly. CC ID 05068 Configuration Preventive
    Configure the Kerberos Key Distribution Center service properly. CC ID 05069 Configuration Preventive
    Configure the Intersite Messaging service properly. CC ID 05070 Configuration Preventive
    Configure the Remote Procedure Call locator service properly. CC ID 05071 Configuration Preventive
    Configure the Distributed File System service properly. CC ID 05072 Configuration Preventive
    Configure the Windows Internet Name Service service properly. CC ID 05073 Configuration Preventive
    Configure the FTP Publishing Service properly. CC ID 05074 Configuration Preventive
    Configure the Windows Search service properly. CC ID 05075 Configuration Preventive
    Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 Configuration Preventive
    Configure the Remote Shell service properly. CC ID 05077 Configuration Preventive
    Configure Simple TCP/IP services to organizational standards. CC ID 05078 Configuration Preventive
    Configure the Print Services for Unix service properly. CC ID 05079 Configuration Preventive
    Configure the File Shares service to organizational standards. CC ID 05080 Configuration Preventive
    Configure the NetMeeting service properly. CC ID 05081 Configuration Preventive
    Configure the Application Layer Gateway service properly. CC ID 05082 Configuration Preventive
    Configure the Cryptographic Services service properly. CC ID 05083 Configuration Preventive
    Configure the Help and Support Service properly. CC ID 05084 Configuration Preventive
    Configure the Human Interface Device Access service properly. CC ID 05085 Configuration Preventive
    Configure the IMAPI CD-Burning COM service properly. CC ID 05086 Configuration Preventive
    Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 Configuration Preventive
    Configure the Network Location Awareness service properly. CC ID 05088 Configuration Preventive
    Configure the Portable Media Serial Number Service service properly. CC ID 05089 Configuration Preventive
    Configure the System Restore Service service properly. CC ID 05090 Configuration Preventive
    Configure the Themes service properly. CC ID 05091 Configuration Preventive
    Configure the Uninterruptible Power Supply service properly. CC ID 05092 Configuration Preventive
    Configure the Upload Manager service properly. CC ID 05093 Configuration Preventive
    Configure the Volume Shadow Copy Service properly. CC ID 05094 Configuration Preventive
    Configure the WebClient service properly. CC ID 05095 Configuration Preventive
    Configure the Windows Audio service properly. CC ID 05096 Configuration Preventive
    Configure the Windows Image Acquisition service properly. CC ID 05097 Configuration Preventive
    Configure the WMI Performance Adapter service properly. CC ID 05098 Configuration Preventive
    Enable file uploads via vsftpd service, as appropriate. CC ID 05100 Configuration Preventive
    Disable or remove sadmind unless use of sadmind is absolutely necessary. CC ID 06885 Configuration Preventive
    Configure the "SNMP version 1" setting to organizational standards. CC ID 08976 Configuration Preventive
    Configure the "xdmcp service" setting to organizational standards. CC ID 08985 Configuration Preventive
    Establish, implement, and maintain authenticators. CC ID 15305 Technical Security Preventive
    Establish, implement, and maintain an authenticator standard. CC ID 01702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an authenticator management system. CC ID 12031 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain authenticator procedures. CC ID 12002 Establish/Maintain Documentation Preventive
    Configure authenticators to comply with organizational standards. CC ID 06412 Configuration Preventive
    Configure the system to require new users to change their authenticator on first use. CC ID 05268
    [Allow temporary password use for system logons with an immediate change to a permanent password. 3.5.9]
    Configuration Preventive
    Configure the system to encrypt authenticators. CC ID 06735
    [Store and transmit only encrypted representation of passwords. 3.5.10]
    Configuration Preventive
    Configure the system to mask authenticators. CC ID 02037
    [Obscure feedback of authentication information. 3.5.11]
    Configuration Preventive
    Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 Configuration Preventive
    Configure the default locking screen saver timeout to a predetermined time period. CC ID 01570
    [Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity. 3.1.10]
    Configuration Preventive
    Configure Wireless Access Points in accordance with organizational standards. CC ID 12477 Configuration Preventive
    Enable two-factor authentication for identifying and authenticating Wireless Local Area Network users. CC ID 04595
    [Protect wireless access using authentication and encryption. 3.1.17]
    Configuration Preventive
    Configure mobile device settings in accordance with organizational standards. CC ID 04600 Configuration Preventive
    Enable data-at-rest encryption on mobile devices. CC ID 04842
    [Protect the confidentiality of CUI at rest. 3.13.16]
    Configuration Preventive
    Configure Logging settings in accordance with organizational standards. CC ID 07611
    [Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. 3.3.1]
    Configuration Preventive
    Configure "CloudTrail" to organizational standards. CC ID 15443 Configuration Preventive
    Configure "CloudTrail log file validation" to organizational standards. CC ID 15437 Configuration Preventive
    Configure "VPC flow logging" to organizational standards. CC ID 15436 Configuration Preventive
    Configure "object-level logging" to organizational standards. CC ID 15433 Configuration Preventive
    Configure "Turn on PowerShell Transcription" to organizational standards. CC ID 15415 Configuration Preventive
    Configure "Turn on PowerShell Script Block Logging" to organizational standards. CC ID 15413 Configuration Preventive
    Configure "Audit PNP Activity" to organizational standards. CC ID 15393 Configuration Preventive
    Configure "Include command line in process creation events" to organizational standards. CC ID 15358 Configuration Preventive
    Configure "Audit Group Membership" to organizational standards. CC ID 15341 Configuration Preventive
    Configure the "audit_backlog_limit" setting to organizational standards. CC ID 15324 Configuration Preventive
    Configure the "/etc/docker/daemon.json" files and directories auditing to organizational standards. CC ID 14467 Configuration Detective
    Configure the "systemd-journald" to organizational standards. CC ID 15326 Configuration Preventive
    Configure the "/etc/docker" files and directories auditing to organizational standards. CC ID 14459 Configuration Detective
    Configure the "docker.socket" files and directories auditing to organizational standards. CC ID 14458 Configuration Detective
    Configure the "docker.service" files and directories auditing to organizational standards. CC ID 14454 Configuration Detective
    Configure the "/var/lib/docker" files and directories auditing to organizational standards. CC ID 14453 Configuration Detective
    Configure the "/usr/sbin/runc" files and directories auditing to organizational standards. CC ID 14452 Configuration Detective
    Configure the "/usr/bin/containerd" files and directories auditing to organizational standards. CC ID 14451 Configuration Detective
    Configure the "/etc/default/docker" files and directories auditing to organizational standards. CC ID 14450 Configuration Detective
    Configure the "/etc/sysconfig/docker" files and directories auditing to organizational standards. CC ID 14449 Configuration Detective
    Provide the reference database used to verify input data in the logging capability. CC ID 15018 Log Management Preventive
    Configure the storage parameters for all logs. CC ID 06330 Configuration Preventive
    Configure the "Audit Policy: Object Access: SAM" to organizational standards. CC ID 07612 Configuration Preventive
    Configure sufficient log storage capacity and prevent the capacity from being exceeded. CC ID 01425 Configuration Preventive
    Configure the log retention method. CC ID 01715 Configuration Preventive
    Configure the log retention size. CC ID 01716 Configuration Preventive
    Configure syslogd to send logs to a Remote LogHost. CC ID 01526 Configuration Preventive
    Configure the security parameters for all logs. CC ID 01712 Configuration Preventive
    Configure the "Audit Policy: Account Management: User Account Management" to organizational standards. CC ID 07613 Configuration Preventive
    Configure the log so that it cannot be disabled. CC ID 00595 Configuration Preventive
    Configure the event log size capacity limits for the application log, the security log, and the system log. CC ID 01713 Configuration Preventive
    Configure the application log, the security log, and the system log to restrict guest access. CC ID 01714 Configuration Preventive
    Configure the log to capture audit log initialization, along with auditable event selection. CC ID 00649 Log Management Detective
    Configure the "mss: (warninglevel) percentage threshold for the security event log at which the system will generate a warning" setting. CC ID 04275 Configuration Preventive
    Configure the "Audit Policy: System: System Integrity" to organizational standards. CC ID 07652 Configuration Preventive
    Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331
    [Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. 3.3.2]
    Configuration Preventive
    Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 Log Management Detective
    Configure the log to capture the information referent when personal data is being accessed. CC ID 11968 Log Management Detective
    Configure the log to capture the user's identification. CC ID 01334 Configuration Preventive
    Configure the log to capture a date and time stamp. CC ID 01336
    [Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. 3.3.7]
    Configuration Preventive
    Configure the log to capture each auditable event's origination. CC ID 01338 Log Management Detective
    Configure the log to uniquely identify each asset. CC ID 01339 Configuration Preventive
    Configure the log to capture remote access information. CC ID 05596 Configuration Detective
    Configure the log to capture the type of each event. CC ID 06423 Configuration Preventive
    Configure the log to capture each event's success or failure indication. CC ID 06424 Configuration Preventive
    Configure all logs to capture auditable events or actionable events. CC ID 06332 Configuration Preventive
    Configure the "Audit Policy: Object Access: File Share" to organizational standards. CC ID 07655 Configuration Preventive
    Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 Log Management Preventive
    Configure the log to capture startups and shutdowns. CC ID 16491 Log Management Preventive
    Configure the log to capture user queries and searches. CC ID 16479 Log Management Preventive
    Configure the log to capture Internet Protocol addresses. CC ID 16495 Log Management Preventive
    Configure the log to capture error messages. CC ID 16477 Log Management Preventive
    Configure the log to capture system failures. CC ID 16475 Log Management Preventive
    Configure the log to capture account lockouts. CC ID 16470 Configuration Preventive
    Configure the log to capture execution events. CC ID 16469 Configuration Preventive
    Configure the log to capture AWS Organizations changes. CC ID 15445 Configuration Preventive
    Configure the log to capture Identity and Access Management policy changes. CC ID 15442 Configuration Preventive
    Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 Configuration Preventive
    Configure the log to capture route table changes. CC ID 15439 Configuration Preventive
    Configure the log to capture virtual private cloud changes. CC ID 15435 Configuration Preventive
    Configure the log to capture changes to encryption keys. CC ID 15432 Configuration Preventive
    Configure the log to capture unauthorized API calls. CC ID 15429 Configuration Preventive
    Configure the log to capture changes to network gateways. CC ID 15421 Configuration Preventive
    Configure the log to capture all malicious code that has been discovered, quarantined, and/or eradicated. CC ID 00577 Log Management Detective
    Configure the log to capture all spoofed addresses. CC ID 01313 Configuration Preventive
    Configure the "logging level" to organizational standards. CC ID 14456 Configuration Detective
    Capture successful operating system access and successful software access. CC ID 00527 Log Management Detective
    Configure the log to capture hardware and software access attempts. CC ID 01220 Log Management Detective
    Configure the log to capture all URL requests. CC ID 12138 Technical Security Detective
    Configure inetd tracing. CC ID 01523 Configuration Preventive
    Configure the system to capture messages sent to the syslog AUTH facility. CC ID 01525 Configuration Preventive
    Configure the log to capture logons, logouts, logon attempts, and logout attempts. CC ID 01915 Log Management Detective
    Configure Cron logging. CC ID 01528 Configuration Preventive
    Configure the kernel level auditing setting. CC ID 01530 Configuration Preventive
    Configure the "audit successful file system mounts" setting to organizational standards. CC ID 09923 Configuration Preventive
    Configure system accounting/system events. CC ID 01529 Configuration Preventive
    Configure the privilege use auditing setting. CC ID 01699 Configuration Preventive
    Configure the log to record the Denial of Access that results from an excessive number of unsuccessful logon attempts. CC ID 01919 Configuration Preventive
    Configure the Audit Process Tracking setting. CC ID 01700 Configuration Preventive
    Configure the log to capture access to restricted data or restricted information. CC ID 00644 Log Management Detective
    Configure the EEPROM security-mode accesses and EEPROM log-failed accesses. CC ID 01575 Configuration Preventive
    Configure the log to capture user identifier, address, port blocking or blacklisting. CC ID 01918 Configuration Preventive
    Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645
    [Prevent non-privileged users from executing privileged functions and audit the execution of such functions. 3.1.7]
    Log Management Detective
    Configure the log to capture identification and authentication mechanism use. CC ID 00648 Log Management Detective
    Configure the log to capture all access to the audit trail. CC ID 00646 Log Management Detective
    Configure the log to capture Object access to key directories or key files. CC ID 01697 Log Management Detective
    Configure the log to capture both access and access attempts to security-relevant objects and security-relevant directories. CC ID 01916 Log Management Detective
    Configure the log to capture system level object creation and deletion. CC ID 00650 Log Management Detective
    Enable directory service access events, as appropriate. CC ID 05616 Configuration Preventive
    Configure the log to capture failed transactions. CC ID 06334 Configuration Preventive
    Configure the log to capture successful transactions. CC ID 06335 Configuration Preventive
    Audit non attributable events (na class). CC ID 05604 Configuration Preventive
    Configure the log to capture configuration changes. CC ID 06881 Configuration Preventive
    Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 Configuration Preventive
    Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 Log Management Detective
    Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 Log Management Preventive
    Configure the log to capture all changes to certificates. CC ID 05595 Configuration Preventive
    Configure the log to capture user authenticator changes. CC ID 01917 Log Management Detective
    Configure the "inetd logging" setting to organizational standards. CC ID 08970 Configuration Preventive
    Configure the "audit sudoers" setting to organizational standards. CC ID 09950 Configuration Preventive
    Configure the event log settings for specific Operating System functions. CC ID 06337 Configuration Preventive
    Configure the "Audit Policy: Object Access: Registry" to organizational standards. CC ID 07658 Configuration Preventive
    Configure the "Audit: Audit the use of Backup and Restore privilege" setting. CC ID 01724 Configuration Preventive
    Configure the "Audit: Shut down the system immediately if unable to log security audits" setting. CC ID 01725 Configuration Preventive
    Configure "Audit account management" to organizational standards. CC ID 02039 Configuration Preventive
    Configure the "Audit: Force audit policy subcategory settings (Windows Vista or later)" setting. CC ID 04387 Configuration Preventive
    Configure console logging. CC ID 04454 Configuration Preventive
    Configure boot error logging. CC ID 04455 Configuration Preventive
    Disable the "Audit password" setting in NetWare. CC ID 04456 Configuration Preventive
    Configure the "Disable Logging" setting. CC ID 05590 Configuration Preventive
    Enable BIN mode auditing. CC ID 05591 Configuration Preventive
    Enable or disable the BSM auditing setting, as appropriate. CC ID 05592 Configuration Preventive
    Enable or disable NFS server logging, as appropriate. CC ID 05593 Log Management Detective
    Log Pluggable Authentication Modules access at an appropriate level. CC ID 05599 Log Management Detective
    Set the X server audit level appropriately. CC ID 05600 Configuration Preventive
    Enable or disable the logging of "martian" packets (impossible addresses), as appropriate. CC ID 05601 Log Management Detective
    Enable or disable dhcpd logging, as appropriate. CC ID 05602 Log Management Detective
    Enable or disable attempted stack exploit logging, as appropriate. CC ID 05614 Log Management Detective
    Enable or disable the debug logging option, as appropriate. CC ID 05617 Log Management Detective
    Configure the "Turn on session logging" properly. CC ID 05618 Configuration Preventive
    Configure Sendmail with the appropriate logging levels. CC ID 06028 Configuration Preventive
    Enable or disable auditing in the runcontrol scripts, as appropriate. CC ID 06029 Configuration Preventive
    Enable or disable auditing for user accounts, as appropriate. CC ID 06030 Configuration Preventive
    Enable or disable auditing at boot time, as appropriate. CC ID 06031 Configuration Preventive
    Enable or disable the logging of vsftpd transactions, as appropriate. CC ID 06032 Log Management Detective
    Enable or disable the auditing of chgrp usage, as appropriate. CC ID 06033 Configuration Preventive
    Enable or disable the auditing of mkgroup usage, as appropriate. CC ID 06034 Configuration Preventive
    Enable or disable the auditing of rmgroup usage, as appropriate. CC ID 06035 Configuration Preventive
    Enable or disable the auditing of the exit function, as appropriate. CC ID 06036 Configuration Preventive
    Generate an alert when an audit log failure occurs. CC ID 06737
    [{generate} Alert in the event of an audit process failure. 3.3.4]
    Configuration Preventive
    Configure the "Audit Policy: Logon-Logoff: Logoff" to organizational standards. CC ID 07662 Configuration Preventive
    Configure additional log settings. CC ID 06333 Configuration Preventive
    Configure additional logging for the FTP daemon. CC ID 01524 Configuration Preventive
    Configure the log to send alerts for each auditable event's success or failure. CC ID 01337 Log Management Preventive
    Configure the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to organizational standards. CC ID 07664 Configuration Preventive
    Configure additional log file parameters appropriately. CC ID 06338 Configuration Preventive
    Create the /var/adm/loginlog file. CC ID 01527 Configuration Preventive
    Verify the audit config file contains only accounts that should be present. CC ID 05594 Configuration Preventive
    Specify the PRI audit file properly. CC ID 05597 Configuration Preventive
    Specify the SEC audit file properly. CC ID 05598 Configuration Preventive
    Verify auditing is logged to an appropriate directory. CC ID 05603 Log Management Detective
    Verify the user audit file contains the appropriate never-audit flags. CC ID 05605 Configuration Preventive
    Enable or disable the /var/log/authlog log, as appropriate. CC ID 05606 Log Management Detective
    Enable or disable the /var/log/syslog log, as appropriate. CC ID 05607 Log Management Detective
    Enable or disable the /var/adm/messages log, as appropriate. CC ID 05608 Log Management Detective
    Enable or disable the /var/adm/sulog log, as appropriate. CC ID 05609 Log Management Detective
    Enable or disable the /var/adm/utmp(x) log, as appropriate. CC ID 05610 Log Management Detective
    Enable or disable the /var/adm/wtmp(x) log, as appropriate. CC ID 05611 Log Management Detective
    Enable or disable the /var/adm/sshlog log, as appropriate. CC ID 05612 Log Management Detective
    Enable or disable the /var/log/pamlog log, as appropriate. CC ID 05613 Log Management Detective
    Perform filesystem logging and filesystem journaling. CC ID 05615 Log Management Detective
    Configure the "Audit Policy: Object Access: File System" to organizational standards. CC ID 07666 Configuration Preventive
    Configure the "Background upload of a roaming user profile's registry file while user is logged on" setting to organizational standards. CC ID 10761 Configuration Preventive
    Configure the "Audit Policy: Logon-Logoff: Logon" to organizational standards. CC ID 07669 Configuration Preventive
    Configure the "Backup log automatically when full" setting for the "setup log" to organizational standards. CC ID 10762 Configuration Preventive
    Configure the "Audit Policy: Account Logon: Kerberos Authentication Service" to organizational standards. CC ID 07679 Configuration Preventive
    Configure the "Applications preference logging and tracing" setting to organizational standards. CC ID 10774 Configuration Preventive
    Configure the "Data Sources preference logging and tracing" setting to organizational standards. CC ID 10779 Configuration Preventive
    Configure the "Audit Policy: Logon-Logoff: IPsec Extended Mode" to organizational standards. CC ID 07683 Configuration Preventive
    Configure the "Audit Policy: Object Access: Handle Manipulation" to organizational standards. CC ID 07684 Configuration Preventive
    Configure the "Devices preference logging and tracing" setting to organizational standards. CC ID 10782 Configuration Preventive
    Configure the "Drive Maps preference logging and tracing" setting to organizational standards. CC ID 10783 Configuration Preventive
    Configure the "Audit Policy: Object Access: Detailed File Share" to organizational standards. CC ID 07687 Configuration Preventive
    Configure the "Audit Policy: Logon-Logoff: Network Policy Server" to organizational standards. CC ID 07701 Configuration Preventive
    Configure the "Environment preference logging and tracing" setting to organizational standards. CC ID 10784 Configuration Preventive
    Configure the "Audit Policy: Detailed Tracking: Process Creation" to organizational standards. CC ID 07707 Configuration Preventive
    Configure the "Files preference logging and tracing" setting to organizational standards. CC ID 10785 Configuration Preventive
    Configure the "Folder Options preference logging and tracing" setting to organizational standards. CC ID 10786 Configuration Preventive
    Configure the "Audit Policy: System: IPsec Driver" to organizational standards. CC ID 07708 Configuration Preventive
    Configure the "Audit Policy: Logon-Logoff: Account Lockout" to organizational standards. CC ID 07713 Configuration Preventive
    Configure the "Folders preference logging and tracing" setting to organizational standards. CC ID 10787 Configuration Preventive
    Configure the "Ini Files preference logging and tracing" setting to organizational standards. CC ID 10788 Configuration Preventive
    Configure the "Audit Policy: Object Access: Kernel Object" to organizational standards. CC ID 07720 Configuration Preventive
    Configure the "Audit Policy: Object Access: Other Object Access Events" to organizational standards. CC ID 07724 Configuration Preventive
    Configure the "Internet Settings preference logging and tracing" setting to organizational standards. CC ID 10789 Configuration Preventive
    Configure the "Local Users and Groups preference logging and tracing" setting to organizational standards. CC ID 10793 Configuration Preventive
    Configure the "Audit Policy: DS Access: Directory Service Replication" to organizational standards. CC ID 07734 Configuration Preventive
    Configure the "Regional Options preference logging and tracing" setting to organizational standards. CC ID 10802 Configuration Preventive
    Configure the "Audit Policy: Policy Change: Audit Policy Change" to organizational standards. CC ID 07735 Configuration Preventive
    Configure the "Audit Policy: DS Access: Directory Service Changes" to organizational standards. CC ID 07736 Configuration Preventive
    Configure the "Registry preference logging and tracing" setting to organizational standards. CC ID 10803 Configuration Preventive
    Configure the "Audit Policy: Object Access: Certification Services" to organizational standards. CC ID 07742 Configuration Preventive
    Configure the "Scheduled Tasks preference logging and tracing" setting to organizational standards. CC ID 10815 Configuration Preventive
    Configure the "Services preference logging and tracing" setting to organizational standards. CC ID 10818 Configuration Preventive
    Configure the "Maximum Log Size (KB)" to organizational standards. CC ID 07744 Configuration Preventive
    Configure the "Audit Policy: Detailed Tracking: DPAPI Activity" to organizational standards. CC ID 07746 Configuration Preventive
    Configure the "Shortcuts preference logging and tracing" setting to organizational standards. CC ID 10819 Configuration Preventive
    Configure the "Start Menu preference logging and tracing" setting to organizational standards. CC ID 10821 Configuration Preventive
    Configure the "Audit Policy: Account Management: Other Account Management Events" to organizational standards. CC ID 07751 Configuration Preventive
    Configure the "Delete data from devices running Microsoft firmware when a user logs off from the computer." setting to organizational standards. CC ID 10846 Configuration Preventive
    Configure the "Audit Policy: Account Management: Computer Account Management" to organizational standards. CC ID 07752 Configuration Preventive
    Configure the "Audit Policy: Privilege Use: Non Sensitive Privilege Use" to organizational standards. CC ID 07756 Configuration Preventive
    Configure the "Disable logging via package settings" setting to organizational standards. CC ID 10864 Configuration Preventive
    Configure the "Audit Policy: Object Access: Application Generated" to organizational standards. CC ID 07757 Configuration Preventive
    Configure the "Do not forcefully unload the users registry at user logoff" setting to organizational standards. CC ID 10930 Configuration Preventive
    Configure the "Audit Policy: DS Access: Detailed Directory Service Replication" to organizational standards. CC ID 07764 Configuration Preventive
    Configure the "Do not log users on with temporary profiles" setting to organizational standards. CC ID 10931 Configuration Preventive
    Configure the "Audit Policy: Privilege Use: Other Privilege Use Events" to organizational standards. CC ID 07776 Configuration Preventive
    Configure the "Log Access" setting for the "application log" to organizational standards. CC ID 11026 Configuration Preventive
    Configure the "Audit Policy: Account Logon: Kerberos Service Ticket Operations" to organizational standards. CC ID 07786 Configuration Preventive
    Configure the "Log Access" setting for the "setup log" to organizational standards. CC ID 11027 Configuration Preventive
    Configure the "Audit Policy: DS Access: Directory Service Access" to organizational standards. CC ID 07790 Configuration Preventive
    Configure the "Log Access" setting for the "system log" to organizational standards. CC ID 11028 Configuration Preventive
    Configure the "Log directory pruning retry events" setting to organizational standards. CC ID 11029 Configuration Preventive
    Configure the "Retain old events" to organizational standards. CC ID 07791 Configuration Preventive
    Configure the "Log event when quota limit exceeded" setting to organizational standards. CC ID 11030 Configuration Preventive
    Configure the "Audit: Audit the use of Backup and Restore privilege" to organizational standards. CC ID 07792 Configuration Preventive
    Configure the "Log File Path" setting for the "application log" to organizational standards. CC ID 11033 Configuration Preventive
    Configure the "Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change" to organizational standards. CC ID 07793 Configuration Preventive
    Configure the "Log File Path" setting for the "setup log" to organizational standards. CC ID 11034 Configuration Preventive
    Configure the "Audit Policy: Policy Change: Other Policy Change Events" to organizational standards. CC ID 07810 Configuration Preventive
    Configure the "Log File Path" setting for the "system log" to organizational standards. CC ID 11035 Configuration Preventive
    Configure the "Audit: Shut down system immediately if unable to log security audits" to organizational standards. CC ID 07812 Configuration Preventive
    Configure the "Logging" setting to organizational standards. CC ID 11036 Configuration Preventive
    Configure the "Audit Policy: System: Other System Events" to organizational standards. CC ID 07817 Configuration Preventive
    Configure the "Audit Policy: Account Management: Application Group Management" to organizational standards. CC ID 07819 Configuration Preventive
    Configure the "Remove "Disconnect" option from Shut Down dialog" setting to organizational standards. CC ID 11126 Configuration Preventive
    Configure the "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" to organizational standards. CC ID 07820 Configuration Preventive
    Configure the "Remove browse dialog box for new source" setting to organizational standards. CC ID 11127 Configuration Preventive
    Configure the "Audit Policy: Account Logon: Other Account Logon Events" to organizational standards. CC ID 07825 Configuration Preventive
    Configure the "Restricts the UI language Windows uses for all logged users" setting to organizational standards. CC ID 11147 Configuration Preventive
    Configure the "Set roaming profile path for all users logging onto this computer" setting to organizational standards. CC ID 11182 Configuration Preventive
    Configure the "Audit Policy: Account Management: Distribution Group Management" to organizational standards. CC ID 07828 Configuration Preventive
    Configure the "Set the Time interval in minutes for logging accounting data" setting to organizational standards. CC ID 11193 Configuration Preventive
    Configure the "Audit: Audit the access of global system objects" to organizational standards. CC ID 07831 Configuration Preventive
    Configure the "Audit Policy: Logon-Logoff: Special Logon" to organizational standards. CC ID 07835 Configuration Preventive
    Configure the "Turn off Resultant Set of Policy logging" setting to organizational standards. CC ID 11307 Configuration Preventive
    Configure the "Audit Policy: Detailed Tracking: RPC Events" to organizational standards. CC ID 07840 Configuration Preventive
    Configure the "Turn on extensive logging for Active Directory Domain Services domain controllers that are running Server for NIS" setting to organizational standards. CC ID 11343 Configuration Preventive
    Configure the "Audit Policy: Policy Change: Authentication Policy Change" to organizational standards. CC ID 07846 Configuration Preventive
    Configure the "Turn on extensive logging for Password Synchronization" setting to organizational standards. CC ID 11344 Configuration Preventive
    Configure the "Audit Policy: Detailed Tracking: Process Termination" to organizational standards. CC ID 07849 Configuration Preventive
    Configure the "Turn on logging" setting to organizational standards. CC ID 11345 Configuration Preventive
    Configure the "Turn on session logging" setting to organizational standards. CC ID 11350 Configuration Preventive
    Configure the "Audit Policy: Logon-Logoff: IPsec Quick Mode" to organizational standards. CC ID 07852 Configuration Preventive
    Configure the "Audit Policy: Object Access: Filtering Platform Packet Drop" to organizational standards. CC ID 07856 Configuration Preventive
    Configure the "Audit Policy: Object Access: Filtering Platform Connection" to organizational standards. CC ID 07864 Configuration Preventive
    Configure the "Audit Policy: Policy Change: Authorization Policy Change" to organizational standards. CC ID 07875 Configuration Preventive
    Configure the "Audit Policy: Account Management: Security Group Management" to organizational standards. CC ID 07880 Configuration Preventive
    Configure the "Audit Policy: Privilege Use: Sensitive Privilege Use" to organizational standards. CC ID 07887 Configuration Preventive
    Configure the "Audit Policy: Logon-Logoff: IPsec Main Mode" to organizational standards. CC ID 07888 Configuration Preventive
    Configure the "Audit Policy: Account Logon: Credential Validation" to organizational standards. CC ID 07892 Configuration Preventive
    Configure the "Audit Policy: Policy Change: Filtering Platform Policy Change" to organizational standards. CC ID 07895 Configuration Preventive
    Configure the "Audit Policy: Logon-Logoff: Other Logon/Logoff Events" to organizational standards. CC ID 07899 Configuration Preventive
    Configure the "Audit Policy: System: Security State Change" to organizational standards. CC ID 07903 Configuration Preventive
    Configure the "Audit Policy: System: Security System Extension" to organizational standards. CC ID 07904 Configuration Preventive
    Configure the "Audit account logon events" to organizational standards. CC ID 08188 Configuration Preventive
    Configure the "Retention method for security log" to organizational standards. CC ID 08197 Configuration Preventive
    Configure the "Retention method for system log" to organizational standards. CC ID 08211 Configuration Preventive
    Configure the "Audit logon events" to organizational standards. CC ID 08221 Configuration Preventive
    Configure the "Retention method for application log" to organizational standards. CC ID 08226 Configuration Preventive
    Configure the "Retain security log" to organizational standards. CC ID 08241 Configuration Preventive
    Configure the "Audit system events" to organizational standards. CC ID 08244 Configuration Preventive
    Configure the "Retain application log" to organizational standards. CC ID 08246 Configuration Preventive
    Configure the "Prevent local guests group from accessing application log" to organizational standards. CC ID 08248 Configuration Preventive
    Configure the "Maximum security log size" to organizational standards. CC ID 08251 Configuration Preventive
    Configure the "Retain system log" to organizational standards. CC ID 08258 Configuration Preventive
    Configure the "Audit privilege use" to organizational standards. CC ID 08266 Configuration Preventive
    Configure the "Audit policy change" to organizational standards. CC ID 08272 Configuration Preventive
    Configure the "Audit object access" to organizational standards. CC ID 08278 Configuration Preventive
    Configure the "Audit process tracking" to organizational standards. CC ID 08283 Configuration Preventive
    Configure the "Maximum system log size" to organizational standards. CC ID 08286 Configuration Preventive
    Configure the "Maximum application log size" to organizational standards. CC ID 08296 Configuration Preventive
    Configure the "Prevent local guests group from accessing security log" to organizational standards. CC ID 08297 Configuration Preventive
    Configure the "Audit directory service access" to organizational standards. CC ID 08304 Configuration Preventive
    Configure the "Audit account management" to organizational standards. CC ID 08316 Configuration Preventive
    Configure the "Prevent local guests group from accessing system log" to organizational standards. CC ID 08336 Configuration Preventive
    Configure the "Specify the maximum log file size (KB)" to organizational standards. CC ID 08352 Configuration Preventive
    Configure the "Message tracking logging - Mailbox" to organizational standards. CC ID 08360 Configuration Preventive
    Configure the "Turn on Connectivity logging" to organizational standards. CC ID 08398 Configuration Preventive
    Configure the "Windows Firewall: Domain: Logging: Size limit (KB)" to organizational standards. CC ID 08405 Configuration Preventive
    Configure the "Control Event Log behavior when the log file reaches its maximum size" to organizational standards. CC ID 08444 Configuration Preventive
    Configure the "Windows Firewall: Private: Logging: Log dropped packets" to organizational standards. CC ID 08445 Configuration Preventive
    Configure the "Windows Firewall: Public: Logging: Log dropped packets" to organizational standards. CC ID 08454 Configuration Preventive
    Configure the "Configure Protocol logging" to organizational standards. CC ID 08463 Configuration Preventive
    Configure the "Message tracking logging - Transport" to organizational standards. CC ID 08477 Configuration Preventive
    Configure the "Windows Firewall: Domain: Logging: Log dropped packets" to organizational standards. CC ID 08501 Configuration Preventive
    Configure the "Audit Policy: Object Access: Removable Storage" to organizational standards. CC ID 08504 Configuration Preventive
    Configure the "Windows Firewall: Domain: Logging: Name" to organizational standards. CC ID 08543 Configuration Preventive
    Configure the "Windows Firewall: Public: Logging: Log successful connections" to organizational standards. CC ID 08545 Configuration Preventive
    Configure the "Audit Policy: Object Access: Central Access Policy Staging" to organizational standards. CC ID 08558 Configuration Preventive
    Configure the "Windows Firewall: Public: Logging: Name" to organizational standards. CC ID 08565 Configuration Preventive
    Configure the "Windows Firewall: Private: Logging: Size limit (KB)" to organizational standards. CC ID 08606 Configuration Preventive
    Configure the "kernel arguments" setting for "auditing early in the boot process" to organizational standards. CC ID 08749 Establish/Maintain Documentation Preventive
    Configure the "record date and time modification events" setting for "auditing" to organizational standards. CC ID 08750 Establish/Maintain Documentation Preventive
    Configure the "record user/group information modification events" setting for "auditing" to organizational standards. CC ID 08751 Establish/Maintain Documentation Preventive
    Configure the "record changes to the system network environment" setting for "auditing" to organizational standards. CC ID 08752 Establish/Maintain Documentation Preventive
    Configure the "record changes to the system's mandatory access controls" setting for "auditing" to organizational standards. CC ID 08753 Establish/Maintain Documentation Preventive
    Configure the "record logon and logout events" setting for "auditing" to organizational standards. CC ID 08754 Establish/Maintain Documentation Preventive
    Configure the "record process and session initiation events" setting for "auditing" to organizational standards. CC ID 08755 Establish/Maintain Documentation Preventive
    Configure the "record changes to discretionary access control permissions" setting for "auditing" to organizational standards. CC ID 08756 Establish/Maintain Documentation Preventive
    Configure the "record unauthorized attempts to access files" setting for "auditing" to organizational standards. CC ID 08757 Establish/Maintain Documentation Preventive
    Configure the "record use of privileged commands" setting for "auditing" to organizational standards. CC ID 08758 Establish/Maintain Documentation Preventive
    Configure the "record data export to media events" setting for "auditing" to organizational standards. CC ID 08759 Establish/Maintain Documentation Preventive
    Configure the "record file and program deletion events" setting for "auditing" to organizational standards. CC ID 08760 Establish/Maintain Documentation Preventive
    Configure the "record administrator and security personnel action events" setting for "auditing" to organizational standards. CC ID 08761 Establish/Maintain Documentation Preventive
    Configure the "record kernel module loading and unloading events" setting for "auditing" to organizational standards. CC ID 08762 Establish/Maintain Documentation Preventive
    Configure the "Ensure auditd configuration is immutable" setting for "auditing" to organizational standards. CC ID 08763 Establish/Maintain Documentation Preventive
    Configure the "audit file ownership changes" setting to organizational standards. CC ID 08966 Audits and Risk Management Preventive
    Configure the "audit change user functions" setting to organizational standards. CC ID 08982 Configuration Preventive
    Configure the "audit the use of chmod command" setting to organizational standards. CC ID 08983 Configuration Preventive
    Configure the "audit the chown command" setting to organizational standards. CC ID 08984 Configuration Preventive
    Configure the "Collect Session Initiation Information" setting to organizational standards. CC ID 09948 Configuration Preventive
    Configure the "Collect Discretionary Access Control Permission Modification Events" setting to organizational standards. CC ID 09949 Configuration Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Fault Tolerant Heap" to organizational standards. CC ID 10808 Configuration Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Boot Performance Diagnostics" to organizational standards. CC ID 10809 Configuration Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Memory Leak Diagnosis" to organizational standards. CC ID 10810 Configuration Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Resource Exhaustion Detection and Resolution" to organizational standards. CC ID 10811 Configuration Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Shutdown Performance Diagnostics" to organizational standards. CC ID 10812 Configuration Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Standby/Resume Performance Diagnostics" to organizational standards. CC ID 10813 Configuration Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows System Responsiveness Diagnostics" to organizational standards. CC ID 10814 Configuration Preventive
    Configure the "Default quota limit and warning level" setting to organizational standards. CC ID 10840 Configuration Preventive
    Configure the "Detect application failures caused by deprecated COM objects" setting to organizational standards. CC ID 10851 Configuration Preventive
    Configure the "Detect application failures caused by deprecated Windows DLLs" setting to organizational standards. CC ID 10852 Configuration Preventive
    Configure the "Detect application install failures" setting to organizational standards. CC ID 10853 Configuration Preventive
    Configure the "Detect application installers that need to be run as administrator" setting to organizational standards. CC ID 10854 Configuration Preventive
    Configure the "Detect applications unable to launch installers under UAC" setting to organizational standards. CC ID 10855 Configuration Preventive
    Configure the "Diagnostics: Configure scenario execution level" setting to organizational standards. CC ID 10856 Configuration Preventive
    Configure the "Disk Diagnostic: Configure execution level" setting to organizational standards. CC ID 10883 Configuration Preventive
    Configure the "Log event when quota warning level exceeded" setting to organizational standards. CC ID 11031 Configuration Preventive
    Configure the "Log File Debug Output Level" setting to organizational standards. CC ID 11032 Configuration Preventive
    Configure the "Microsoft Support Diagnostic Tool: Configure execution level" setting to organizational standards. CC ID 11043 Configuration Preventive
    Configure the "Primary DNS Suffix Devolution Level" setting to organizational standards. CC ID 11096 Configuration Preventive
    Configure the "Require user authentication for remote connections by using Network Level Authentication" setting to organizational standards. CC ID 11138 Configuration Preventive
    Configure the "Specify channel binding token hardening level" setting to organizational standards. CC ID 11209 Configuration Preventive
    Configure the "Update Security Level" setting to organizational standards. CC ID 11357 Configuration Preventive
    Configure the "Update Top Level Domain Zones" setting to organizational standards. CC ID 11358 Configuration Preventive
    Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 Configuration Preventive
    Configure the "Password must meet complexity requirements" to organizational standards. CC ID 07743
    [Enforce a minimum password complexity and change of characters when new passwords are created. 3.5.7]
    Configuration Preventive
    Configure the "Enforce password history" to organizational standards. CC ID 07877
    [Prevent reuse of identifiers for a defined period. 3.5.5
    Prohibit password reuse for a specified number of generations. 3.5.8]
    Configuration Preventive
    Configure security and protection software according to Organizational Standards. CC ID 11917 Configuration Preventive
    Configure security and protection software to check for up-to-date signature files. CC ID 00576
    [Update malicious code protection mechanisms when new releases are available. 3.14.4]
    Testing Detective
  • Systems design, build, and implementation
    4
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 Systems Design, Build, and Implementation Preventive
    Include information security throughout the system development life cycle. CC ID 12042
    [Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems. 3.13.2]
    Systems Design, Build, and Implementation Preventive
    Protect confidential information during the system development life cycle program. CC ID 13479 Data and Information Management Preventive
  • Technical security
    270
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Identify information system users. CC ID 12081
    [Identify information system users, processes acting on behalf of users, or devices. 3.5.1]
    Technical Security Detective
    Review user accounts. CC ID 00525 Technical Security Detective
    Match user accounts to authorized parties. CC ID 12126 Configuration Detective
    Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082
    [Identify information system users, processes acting on behalf of users, or devices. 3.5.1]
    Technical Security Detective
    Establish and maintain contact information for user accounts, as necessary. CC ID 15418 Data and Information Management Preventive
    Review shared accounts. CC ID 11840 Technical Security Detective
    Control access rights to organizational assets. CC ID 00004
    [Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). 3.1.1]
    Technical Security Preventive
    Configure access control lists in accordance with organizational standards. CC ID 16465 Configuration Preventive
    Add all devices requiring access control to the Access Control List. CC ID 06264 Establish/Maintain Documentation Preventive
    Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical Security Preventive
    Disallow application IDs from running as privileged users. CC ID 10050 Configuration Detective
    Define roles for information systems. CC ID 12454 Human Resources Management Preventive
    Define access needs for each role assigned to an information system. CC ID 12455 Human Resources Management Preventive
    Define access needs for each system component of an information system. CC ID 12456 Technical Security Preventive
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical Security Preventive
    Establish access rights based on least privilege. CC ID 01411
    [Limit information system access to the types of transactions and functions that authorized users are permitted to execute. 3.1.2
    Employ the principle of least privilege, including for specific security functions and privileged accounts. 3.1.5]
    Technical Security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical Security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical Security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Configuration Preventive
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412
    [Limit unsuccessful logon attempts. 3.1.8]
    Technical Security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Configuration Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Communicate Corrective
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical Security Preventive
    Establish, implement, and maintain session lock capabilities. CC ID 01417
    [Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity. 3.1.10]
    Configuration Preventive
    Limit concurrent sessions according to account type. CC ID 01416 Configuration Preventive
    Establish session authenticity through Transport Layer Security. CC ID 01627
    [Protect the authenticity of communications sessions. 3.13.15]
    Technical Security Preventive
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Configuration Preventive
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Configuration Preventive
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Configuration Preventive
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Configuration Preventive
    Enable access control for objects and users on each system. CC ID 04553 Configuration Preventive
    Include all system components in the access control system. CC ID 11939 Technical Security Preventive
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Process or Activity Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical Security Preventive
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical Security Preventive
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical Security Preventive
    Include the objects and users subject to access control in the security policy. CC ID 11836 Establish/Maintain Documentation Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Establish Roles Preventive
    Enforce access restrictions for change control. CC ID 01428
    [{physical access restriction} Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system. 3.4.5]
    Technical Security Preventive
    Enforce access restrictions for restricted data. CC ID 01921 Data and Information Management Preventive
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical Security Preventive
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Testing Detective
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical Security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Establish/Maintain Documentation Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Establish/Maintain Documentation Preventive
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical Security Preventive
    Display previous logon information in the logon banner. CC ID 01415 Configuration Preventive
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Establish/Maintain Documentation Preventive
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical Security Preventive
    Establish, implement, and maintain User Access Management procedures. CC ID 00514 Technical Security Preventive
    Remove inactive user accounts, as necessary. CC ID 00517
    [Disable identifiers after a defined period of inactivity. 3.5.6]
    Technical Security Corrective
    Establish, implement, and maintain access control procedures. CC ID 11663 Establish/Maintain Documentation Preventive
    Grant access to authorized personnel or systems. CC ID 12186 Configuration Preventive
    Document approving and granting access in the access control log. CC ID 06786
    [{remote access} Authorize wireless access prior to allowing such connections. 3.1.16]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Communicate Preventive
    Include digital identification procedures in the access control program. CC ID 11841 Technical Security Preventive
    Authenticate user identities before unlocking an account. CC ID 11837
    [Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. 3.5.2]
    Testing Detective
    Identify and control all network access controls. CC ID 00529 Technical Security Preventive
    Manage all external network connections. CC ID 11842 Technical Security Preventive
    Prohibit systems from connecting directly to external networks. CC ID 08709
    [Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks. 3.13.7]
    Configuration Preventive
    Establish, implement, and maintain a Boundary Defense program. CC ID 00544
    [Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. 3.13.1]
    Establish/Maintain Documentation Preventive
    Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 Technical Security Preventive
    Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 Communicate Preventive
    Segregate systems in accordance with organizational standards. CC ID 12546 Technical Security Preventive
    Implement gateways between security domains. CC ID 16493 Systems Design, Build, and Implementation Preventive
    Implement resource-isolation mechanisms in organizational networks. CC ID 16438 Technical Security Preventive
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 Technical Security Preventive
    Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 Technical Security Preventive
    Design Demilitarized Zones with proper isolation rules. CC ID 00532 Technical Security Preventive
    Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 Data and Information Management Preventive
    Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 Technical Security Preventive
    Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 Technical Security Preventive
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289
    [Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. 3.13.5]
    Data and Information Management Preventive
    Establish, implement, and maintain a network access control standard. CC ID 00546 Establish/Maintain Documentation Preventive
    Include assigned roles and responsibilities in the network access control standard. CC ID 06410 Establish Roles Preventive
    Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 Technical Security Preventive
    Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 Technical Security Preventive
    Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 Configuration Preventive
    Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 Configuration Preventive
    Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 Configuration Preventive
    Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 Technical Security Preventive
    Include configuration management and rulesets in the network access control standard. CC ID 11845 Establish/Maintain Documentation Preventive
    Secure the network access control standard against unauthorized changes. CC ID 11920 Establish/Maintain Documentation Preventive
    Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 Technical Security Preventive
    Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 Configuration Preventive
    Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 Process or Activity Detective
    Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 Establish/Maintain Documentation Preventive
    Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 Technical Security Corrective
    Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 Establish/Maintain Documentation Preventive
    Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 Establish/Maintain Documentation Preventive
    Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 Establish/Maintain Documentation Preventive
    Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 Establish/Maintain Documentation Preventive
    Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 Establish/Maintain Documentation Preventive
    Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 Configuration Preventive
    Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 Establish/Maintain Documentation Preventive
    Configure network ports to organizational standards. CC ID 14007 Configuration Preventive
    Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 Establish/Maintain Documentation Preventive
    Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 Establish/Maintain Documentation Preventive
    Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 Establish/Maintain Documentation Preventive
    Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 Establish/Maintain Documentation Preventive
    Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 Establish/Maintain Documentation Preventive
    Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 Configuration Preventive
    Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 Technical Security Preventive
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284 Configuration Preventive
    Protect data stored at external locations. CC ID 16333 Data and Information Management Preventive
    Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 Configuration Detective
    Protect the firewall's network connection interfaces. CC ID 01955 Technical Security Preventive
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547
    [Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). 3.13.6]
    Configuration Preventive
    Allow local program exceptions on the firewall, as necessary. CC ID 01956 Configuration Preventive
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 Configuration Preventive
    Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 Configuration Preventive
    Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 Configuration Preventive
    Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 Configuration Preventive
    Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 Configuration Preventive
    Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 Configuration Preventive
    Allow notification exceptions on the firewall, as necessary. CC ID 01962 Configuration Preventive
    Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 Configuration Preventive
    Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 Configuration Preventive
    Allow local port exceptions on the firewall, as necessary. CC ID 01966 Configuration Preventive
    Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 Configuration Preventive
    Configure firewalls to perform dynamic packet filtering. CC ID 01288 Testing Detective
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical Security Preventive
    Configure firewall filtering to only permit established connections into the network. CC ID 12482 Technical Security Preventive
    Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 Data and Information Management Preventive
    Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 Data and Information Management Preventive
    Synchronize and secure all router configuration files. CC ID 01291 Configuration Preventive
    Synchronize and secure all firewall configuration files. CC ID 11851 Configuration Preventive
    Configure firewalls to generate an audit log. CC ID 12038 Audits and Risk Management Preventive
    Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 Configuration Preventive
    Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 Establish/Maintain Documentation Preventive
    Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 Establish/Maintain Documentation Preventive
    Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 Establish/Maintain Documentation Preventive
    Configure network access and control points to organizational standards. CC ID 12442 Configuration Detective
    Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 Configuration Preventive
    Update application layer firewalls to the most current version. CC ID 12037 Process or Activity Preventive
    Enforce information flow control. CC ID 11781 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410
    [Control the flow of CUI in accordance with approved authorizations. 3.1.3]
    Establish/Maintain Documentation Preventive
    Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 Data and Information Management Preventive
    Establish, implement, and maintain a document printing policy. CC ID 14384 Establish/Maintain Documentation Preventive
    Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information flow procedures. CC ID 04542
    [Control information posted or processed on publicly accessible information systems. 3.1.22
    Verify and control/limit connections to and use of external information systems. 3.1.20]
    Establish/Maintain Documentation Preventive
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Data and Information Management Preventive
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Data and Information Management Preventive
    Establish, implement, and maintain information exchange procedures. CC ID 11782 Establish/Maintain Documentation Preventive
    Perform content sanitization on data-in-transit. CC ID 16512 Data and Information Management Preventive
    Perform content conversion on data-in-transit. CC ID 16510 Data and Information Management Preventive
    Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 Data and Information Management Preventive
    Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 Data and Information Management Preventive
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 Data and Information Management Preventive
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Log Management Preventive
    Review and approve information exchange system connections. CC ID 07143 Technical Security Preventive
    Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 Technical Security Preventive
    Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 Technical Security Preventive
    Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 Establish/Maintain Documentation Preventive
    Revoke membership in the whitelist, as necessary. CC ID 13827 Establish/Maintain Documentation Corrective
    Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 Configuration Preventive
    Block uncategorized sites using URL filtering. CC ID 12140 Technical Security Preventive
    Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 Technical Security Detective
    Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 Data and Information Management Preventive
    Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780
    [Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. 3.4.8]
    Establish/Maintain Documentation Preventive
    Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 Behavior Preventive
    Secure access to each system component operating system. CC ID 00551 Configuration Preventive
    Enforce privileged accounts and non-privileged accounts for system access. CC ID 00558
    [Use non-privileged accounts or roles when accessing nonsecurity functions. 3.1.6
    Prevent non-privileged users from executing privileged functions and audit the execution of such functions. 3.1.7]
    Technical Security Preventive
    Create a full text analysis on executed privileged functions. CC ID 06778 Monitor and Evaluate Occurrences Detective
    Separate user functionality from system management functionality. CC ID 11858
    [Separate user functionality from information system management functionality. 3.13.3]
    Technical Security Preventive
    Control all methods of remote access and teleworking. CC ID 00559
    [Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites). 3.10.6]
    Technical Security Preventive
    Assign virtual escorting to authorized personnel. CC ID 16440 Process or Activity Preventive
    Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 Establish/Maintain Documentation Preventive
    Include information security requirements in the remote access and teleworking program. CC ID 15704 Establish/Maintain Documentation Preventive
    Refrain from allowing remote users to copy files to remote devices. CC ID 06792 Technical Security Preventive
    Control remote administration in accordance with organizational standards. CC ID 04459
    [Authorize remote execution of privileged commands and remote access to security-relevant information. 3.1.15]
    Configuration Preventive
    Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 Testing Detective
    Control remote access through a network access control. CC ID 01421
    [Authorize remote execution of privileged commands and remote access to security-relevant information. 3.1.15
    Route remote access via managed access control points. 3.1.14]
    Technical Security Preventive
    Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 Configuration Preventive
    Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 Technical Security Preventive
    Employ multifactor authentication for remote access to the organization's network. CC ID 12505 Technical Security Preventive
    Implement multifactor authentication techniques. CC ID 00561
    [Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. 3.5.3
    Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. 3.7.5]
    Configuration Preventive
    Implement phishing-resistant multifactor authentication techniques. CC ID 16541 Technical Security Preventive
    Document and approve requests to bypass multifactor authentication. CC ID 15464 Establish/Maintain Documentation Preventive
    Limit the source addresses from which remote administration is performed. CC ID 16393 Technical Security Preventive
    Protect remote access accounts with encryption. CC ID 00562
    [Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. 3.1.13]
    Configuration Preventive
    Monitor and evaluate all remote access usage. CC ID 00563
    [Monitor and control remote access sessions. 3.1.12]
    Monitor and Evaluate Occurrences Detective
    Manage the use of encryption controls and cryptographic controls. CC ID 00570 Technical Security Preventive
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571
    [Establish and manage cryptographic keys for cryptography employed in the information system. 3.13.10]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Communicate Preventive
    Bind keys to each identity. CC ID 12337 Technical Security Preventive
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Establish/Maintain Documentation Preventive
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Establish/Maintain Documentation Preventive
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Data and Information Management Preventive
    Generate strong cryptographic keys. CC ID 01299 Data and Information Management Preventive
    Generate unique cryptographic keys for each user. CC ID 12169 Technical Security Preventive
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Data and Information Management Preventive
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical Security Preventive
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 Establish/Maintain Documentation Preventive
    Disseminate and communicate cryptographic keys securely. CC ID 01300 Data and Information Management Preventive
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Data and Information Management Preventive
    Store cryptographic keys securely. CC ID 01298 Data and Information Management Preventive
    Restrict access to cryptographic keys. CC ID 01297 Data and Information Management Preventive
    Store cryptographic keys in encrypted format. CC ID 06084 Data and Information Management Preventive
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical Security Preventive
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Establish/Maintain Documentation Preventive
    Change cryptographic keys in accordance with organizational standards. CC ID 01302 Data and Information Management Preventive
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Data and Information Management Preventive
    Control cryptographic keys with split knowledge and dual control. CC ID 01304 Data and Information Management Preventive
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Data and Information Management Preventive
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical Security Preventive
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Data and Information Management Corrective
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Data and Information Management Corrective
    Archive outdated cryptographic keys. CC ID 06884 Data and Information Management Preventive
    Archive revoked cryptographic keys. CC ID 11819 Data and Information Management Preventive
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Establish/Maintain Documentation Preventive
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Human Resources Management Preventive
    Test cryptographic key management applications, as necessary. CC ID 04829 Testing Detective
    Manage the digital signature cryptographic key pair. CC ID 06576 Data and Information Management Preventive
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Establish/Maintain Documentation Preventive
    Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 Establish Roles Preventive
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Establish/Maintain Documentation Preventive
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Establish/Maintain Documentation Preventive
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Establish/Maintain Documentation Preventive
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Establish/Maintain Documentation Preventive
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Establish/Maintain Documentation Preventive
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical Security Preventive
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 Technical Security Preventive
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 Establish/Maintain Documentation Preventive
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 Establish/Maintain Documentation Preventive
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Establish/Maintain Documentation Preventive
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Establish/Maintain Documentation Preventive
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical Security Preventive
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Records Management Preventive
    Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564
    [Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. 3.13.8
    Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. 3.13.11]
    Technical Security Preventive
    Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 Configuration Preventive
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical Security Preventive
    Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 Technical Security Preventive
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Establish/Maintain Documentation Preventive
    Implement non-repudiation for transactions. CC ID 00567 Testing Detective
    Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 Technical Security Preventive
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical Security Preventive
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical Security Preventive
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical Security Preventive
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical Security Preventive
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical Security Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574
    [Provide protection from malicious code at appropriate locations within organizational information systems. 3.14.2]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 Communicate Preventive
    Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 Communicate Preventive
    Establish, implement, and maintain malicious code protection procedures. CC ID 15483 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a malicious code protection policy. CC ID 15478 Establish/Maintain Documentation Preventive
    Restrict downloading to reduce malicious code attacks. CC ID 04576 Behavior Preventive
    Install security and protection software, as necessary. CC ID 00575 Configuration Preventive
    Install and maintain container security solutions. CC ID 16178 Technical Security Preventive
    Scan for malicious code, as necessary. CC ID 11941
    [Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. 3.14.5]
    Investigate Detective
    Test all removable storage media for viruses and malicious code. CC ID 11861
    [Check media containing diagnostic and test programs for malicious code before the media are used in the information system. 3.7.4]
    Testing Detective
    Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 Testing Detective
    Remove malware when malicious code is discovered. CC ID 13691 Process or Activity Corrective
    Notify interested personnel and affected parties when malware is detected. CC ID 13689 Communicate Corrective
    Protect the system against replay attacks. CC ID 04552
    [{privileged accounts} Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. 3.5.4]
    Technical Security Preventive
    Define and assign roles and responsibilities for malicious code protection. CC ID 15474 Establish Roles Preventive
    Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 Establish/Maintain Documentation Corrective
    Log and react to all malicious code activity. CC ID 07072 Monitor and Evaluate Occurrences Detective
    Analyze the behavior and characteristics of the malicious code. CC ID 10672 Technical Security Detective
    Incorporate the malicious code analysis into the patch management program. CC ID 10673 Technical Security Corrective
    Lock antivirus configurations. CC ID 10047 Configuration Preventive
    Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a shared resources management program. CC ID 07096
    [Prevent unauthorized and unintended information transfer via shared system resources. 3.13.4]
    Establish/Maintain Documentation Preventive
    Maintain ownership of all shared resources. CC ID 12180 Business Processes Preventive
    Employ resource-isolation mechanisms in virtual environments. CC ID 12178 Configuration Preventive
Common Controls and mandates by Type
120 Mandated Controls - bold
105 Implied Controls - italic
1350 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
1575 Total
  • Actionable Reports or Measurements
    2
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Preventive
    Document the results of incident response tests and provide them to senior management. CC ID 14857 Operational management Preventive
  • Audits and Risk Management
    18
    Address operational anomalies within the incident management system. CC ID 11633 Monitoring and measurement Preventive
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Monitoring and measurement Preventive
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424
    [Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity. 3.3.5]
    Monitoring and measurement Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Monitoring and measurement Preventive
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and risk management Preventive
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Detective
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Preventive
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Preventive
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Detective
    Configure firewalls to generate an audit log. CC ID 12038 Technical security Preventive
    Configure the "audit file ownership changes" setting to organizational standards. CC ID 08966 System hardening through configuration management Preventive
  • Behavior
    40
    Establish, implement, and maintain a testing program. CC ID 00654 Monitoring and measurement Preventive
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Monitoring and measurement Corrective
    Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 Technical security Preventive
    Restrict downloading to reduce malicious code attacks. CC ID 04576 Technical security Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Preventive
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Preventive
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Physical and environmental protection Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Physical and environmental protection Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Physical and environmental protection Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Physical and environmental protection Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Physical and environmental protection Preventive
    Require removable storage media be in the custody of an authorized individual. CC ID 12319 Physical and environmental protection Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Human Resources management Preventive
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Human Resources management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785 Human Resources management Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674
    [Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. 3.2.2]
    Human Resources management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823
    [Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems. 3.2.1]
    Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [Provide security awareness training on recognizing and reporting potential indicators of insider threat. 3.2.3]
    Human Resources management Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435
    [Perform maintenance on organizational information systems. 3.7.1]
    Operational management Preventive
    Respond to all alerts from security systems in a timely manner. CC ID 06434
    [Monitor information system security alerts and advisories and take appropriate actions in response. 3.14.3]
    Operational management Corrective
    Share data loss event information with the media. CC ID 01759 Operational management Corrective
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Corrective
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Corrective
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Operational management Detective
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Operational management Corrective
    Avoid false positive incident response notifications. CC ID 04732 Operational management Detective
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Operational management Corrective
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Operational management Corrective
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Operational management Corrective
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Operational management Corrective
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Operational management Preventive
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Operational management Preventive
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Operational management Corrective
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Operational management Preventive
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Operational management Corrective
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Operational management Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Operational management Preventive
  • Business Processes
    23
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Monitoring and measurement Preventive
    Align corrective actions with the level of environmental impact. CC ID 15193 Monitoring and measurement Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Preventive
    Maintain ownership of all shared resources. CC ID 12180 Technical security Preventive
    Include an appeal process in the identification issuance procedures. CC ID 15428 Physical and environmental protection Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Physical and environmental protection Preventive
    Transport restricted media using a delivery method that can be tracked. CC ID 11777
    [Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. 3.8.5]
    Physical and environmental protection Preventive
    Require users to refrain from leaving mobile devices unattended. CC ID 16446 Physical and environmental protection Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671 Human Resources management Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Operational management Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631
    [Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. 3.4.1]
    Operational management Preventive
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Preventive
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Operational management Detective
    Remediate security violations according to organizational standards. CC ID 12338 Operational management Preventive
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Preventive
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Corrective
    Eradicate the cause of the incident after the incident has been contained. CC ID 01757 Operational management Corrective
    Manage change requests. CC ID 00887 Operational management Preventive
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Operational management Detective
    Implement changes according to the change control program. CC ID 11776 Operational management Preventive
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Operational management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Operational management Corrective
  • Communicate
    25
    Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 Monitoring and measurement Preventive
    Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 Monitoring and measurement Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Preventive
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Corrective
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Technical security Preventive
    Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 Technical security Preventive
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Technical security Preventive
    Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 Technical security Preventive
    Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 Technical security Preventive
    Notify interested personnel and affected parties when malware is detected. CC ID 13689 Technical security Corrective
    Post floor plans of critical facilities in secure locations. CC ID 16138 Physical and environmental protection Preventive
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Physical and environmental protection Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 Human Resources management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems. 3.2.1]
    Operational management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Preventive
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Corrective
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Operational management Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [Provide privacy and security notices consistent with applicable CUI rules. 3.1.9]
    Operational management Corrective
  • Configuration
    611
    Document the event information to be logged in the event information log specification. CC ID 00639 Monitoring and measurement Preventive
    Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 Monitoring and measurement Preventive
    Enable and configure logging on all network access controls. CC ID 01963 Monitoring and measurement Preventive
    Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340
    [Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. 3.3.7]
    Monitoring and measurement Preventive
    Centralize network time servers to as few as practical. CC ID 06308 Monitoring and measurement Preventive
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Monitoring and measurement Corrective
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Monitoring and measurement Preventive
    Match user accounts to authorized parties. CC ID 12126 Technical security Detective
    Configure access control lists in accordance with organizational standards. CC ID 16465 Technical security Preventive
    Disallow application IDs from running as privileged users. CC ID 10050 Technical security Detective
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Preventive
    Establish, implement, and maintain session lock capabilities. CC ID 01417
    [Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity. 3.1.10]
    Technical security Preventive
    Limit concurrent sessions according to account type. CC ID 01416 Technical security Preventive
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Technical security Preventive
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Technical security Preventive
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Technical security Preventive
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Technical security Preventive
    Enable access control for objects and users on each system. CC ID 04553 Technical security Preventive
    Display previous logon information in the logon banner. CC ID 01415 Technical security Preventive
    Grant access to authorized personnel or systems. CC ID 12186 Technical security Preventive
    Prohibit systems from connecting directly to external networks. CC ID 08709
    [Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks. 3.13.7]
    Technical security Preventive
    Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 Technical security Preventive
    Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 Technical security Preventive
    Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 Technical security Preventive
    Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 Technical security Preventive
    Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 Technical security Preventive
    Configure network ports to organizational standards. CC ID 14007 Technical security Preventive
    Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 Technical security Preventive
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284 Technical security Preventive
    Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 Technical security Detective
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547
    [Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). 3.13.6]
    Technical security Preventive
    Allow local program exceptions on the firewall, as necessary. CC ID 01956 Technical security Preventive
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 Technical security Preventive
    Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 Technical security Preventive
    Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 Technical security Preventive
    Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 Technical security Preventive
    Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 Technical security Preventive
    Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 Technical security Preventive
    Allow notification exceptions on the firewall, as necessary. CC ID 01962 Technical security Preventive
    Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 Technical security Preventive
    Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 Technical security Preventive
    Allow local port exceptions on the firewall, as necessary. CC ID 01966 Technical security Preventive
    Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 Technical security Preventive
    Synchronize and secure all router configuration files. CC ID 01291 Technical security Preventive
    Synchronize and secure all firewall configuration files. CC ID 11851 Technical security Preventive
    Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 Technical security Preventive
    Configure network access and control points to organizational standards. CC ID 12442 Technical security Detective
    Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 Technical security Preventive
    Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 Technical security Preventive
    Secure access to each system component operating system. CC ID 00551 Technical security Preventive
    Control remote administration in accordance with organizational standards. CC ID 04459
    [Authorize remote execution of privileged commands and remote access to security-relevant information. 3.1.15]
    Technical security Preventive
    Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 Technical security Preventive
    Implement multifactor authentication techniques. CC ID 00561
    [Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. 3.5.3
    Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. 3.7.5]
    Technical security Preventive
    Protect remote access accounts with encryption. CC ID 00562
    [Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. 3.1.13]
    Technical security Preventive
    Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 Technical security Preventive
    Install security and protection software, as necessary. CC ID 00575 Technical security Preventive
    Lock antivirus configurations. CC ID 10047 Technical security Preventive
    Employ resource-isolation mechanisms in virtual environments. CC ID 12178 Technical security Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Physical and environmental protection Preventive
    Install emergency doors to permit egress only. CC ID 06688 Physical and environmental protection Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Physical and environmental protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Physical and environmental protection Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Physical and environmental protection Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Physical and environmental protection Preventive
    Configure video cameras to cover all physical entry points. CC ID 06302 Physical and environmental protection Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Physical and environmental protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Physical and environmental protection Preventive
    Serialize all removable storage media. CC ID 00949 Physical and environmental protection Preventive
    Deploy software patches in accordance with organizational standards. CC ID 07032 Operational management Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Corrective
    Remove outdated software after software has been updated. CC ID 11792 Operational management Corrective
    Update computer firmware, as necessary. CC ID 11755 Operational management Corrective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Corrective
    Establish, implement, and maintain a configuration change log. CC ID 08710 Operational management Detective
    Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418
    [Terminate (automatically) a user session after a defined condition. 3.1.11
    Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. 3.13.9]
    System hardening through configuration management Preventive
    Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 System hardening through configuration management Preventive
    Invalidate unexpected session identifiers. CC ID 15307 System hardening through configuration management Preventive
    Configure the "MaxStartups" settings to organizational standards. CC ID 15329 System hardening through configuration management Preventive
    Reject session identifiers that are not valid. CC ID 15306 System hardening through configuration management Preventive
    Configure the "MaxSessions" settings to organizational standards. CC ID 15330 System hardening through configuration management Preventive
    Configure the "Interactive logon: Message title for users attempting to log on" to organizational standards. CC ID 07699 System hardening through configuration management Preventive
    Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 System hardening through configuration management Preventive
    Configure the "Network security: Force logoff when logon hours expire" to organizational standards. CC ID 07738 System hardening through configuration management Preventive
    Configure the "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to organizational standards. CC ID 07758 System hardening through configuration management Preventive
    Configure the "Microsoft network server: Disconnect clients when logon hours expire" to organizational standards. CC ID 07824 System hardening through configuration management Preventive
    Configure the "Microsoft network server: Amount of idle time required before suspending session" to organizational standards. CC ID 07826 System hardening through configuration management Preventive
    Configure the "Interactive logon: Do not display last user name" to organizational standards. CC ID 07832 System hardening through configuration management Preventive
    Configure the "Interactive logon: Display user information when the session is locked" to organizational standards. CC ID 07848 System hardening through configuration management Preventive
    Configure the "Interactive logon: Message text for users attempting to log on" to organizational standards. CC ID 07870 System hardening through configuration management Preventive
    Configure the "Always prompt for password upon connection" to organizational standards. CC ID 08229 System hardening through configuration management Preventive
    Configure the "Interactive logon: Machine inactivity limit" to organizational standards. CC ID 08350 System hardening through configuration management Preventive
    Remove all unnecessary functionality. CC ID 00882 System hardening through configuration management Preventive
    Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 System hardening through configuration management Preventive
    Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 System hardening through configuration management Preventive
    Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880
    [Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services. 3.4.7]
    System hardening through configuration management Preventive
    Disable rquotad unless rquotad is absolutely necessary. CC ID 01473 System hardening through configuration management Preventive
    Configure the rquotad service to use a static port or a dynamic portmapper port as appropriate. CC ID 05983 System hardening through configuration management Preventive
    Disable telnet unless telnet use is absolutely necessary. CC ID 01478 System hardening through configuration management Preventive
    Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. CC ID 01479 System hardening through configuration management Preventive
    Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 System hardening through configuration management Preventive
    Disable anonymous access to File Transfer Protocol. CC ID 06739 System hardening through configuration management Preventive
    Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. CC ID 01485 System hardening through configuration management Preventive
    Disable Post Office Protocol unless its use is absolutely necessary. CC ID 01486 System hardening through configuration management Preventive
    Disable SQLServer processes unless SQLServer processes use is absolutely necessary. CC ID 01500 System hardening through configuration management Preventive
    Disable alerter unless alerter use is absolutely necessary. CC ID 01810 System hardening through configuration management Preventive
    Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. CC ID 01812 System hardening through configuration management Preventive
    Disable ClipBook unless ClipBook use is absolutely necessary. CC ID 01813 System hardening through configuration management Preventive
    Disable Fax Service unless Fax Service use is absolutely necessary. CC ID 01815 System hardening through configuration management Preventive
    Disable IIS admin service unless IIS admin service use is absolutely necessary. CC ID 01817 System hardening through configuration management Preventive
    Disable indexing service unless indexing service use is absolutely necessary. CC ID 01818 System hardening through configuration management Preventive
    Disable net logon unless net logon use is absolutely necessary. CC ID 01820 System hardening through configuration management Preventive
    Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. CC ID 01822 System hardening through configuration management Preventive
    Disable the "Offer Remote Assistance" setting. CC ID 04325 System hardening through configuration management Preventive
    Disable the "Solicited Remote Assistance" setting. CC ID 04326 System hardening through configuration management Preventive
    Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. CC ID 01823 System hardening through configuration management Preventive
    Disable Routing and Remote Access unless Routing and Remote Access use is necessary. CC ID 01824 System hardening through configuration management Preventive
    Disable task scheduler unless task scheduler use is absolutely necessary. CC ID 01829 System hardening through configuration management Preventive
    Disable Terminal Services unless Terminal Services use is absolutely necessary. CC ID 01831 System hardening through configuration management Preventive
    Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. CC ID 01832 System hardening through configuration management Preventive
    Disable File Service Protocol. CC ID 02167 System hardening through configuration management Preventive
    Disable the License Logging Service unless it is absolutely necessary. CC ID 04282 System hardening through configuration management Preventive
    Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. CC ID 04285 System hardening through configuration management Preventive
    Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. CC ID 04286 System hardening through configuration management Preventive
    Disable Remote Administration Service unless remote administration management is absolutely necessary. CC ID 04287 System hardening through configuration management Preventive
    Disable remote installation unless remote installation is absolutely necessary. CC ID 04288 System hardening through configuration management Preventive
    Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. CC ID 04289 System hardening through configuration management Preventive
    Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. CC ID 04290 System hardening through configuration management Preventive
    Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. CC ID 04291 System hardening through configuration management Preventive
    Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. CC ID 04292 System hardening through configuration management Preventive
    Disable telephony services unless telephony services use is absolutely necessary. CC ID 04293 System hardening through configuration management Preventive
    Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. CC ID 04294 System hardening through configuration management Preventive
    Disable SSDP/UPnP unless SSDP/UPnP is absolutely necessary. CC ID 04315 System hardening through configuration management Preventive
    Configure the "ntpd service" setting to organizational standards. CC ID 04911 System hardening through configuration management Preventive
    Configure the "echo service" setting to organizational standards. CC ID 04912 System hardening through configuration management Preventive
    Configure the "echo-dgram service" setting to organizational standards. CC ID 09927 System hardening through configuration management Preventive
    Configure the "echo-stream service" setting to organizational standards. CC ID 09928 System hardening through configuration management Preventive
    Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 System hardening through configuration management Preventive
    Configure the "tcpmux-server" setting to organizational standards. CC ID 09929 System hardening through configuration management Preventive
    Configure the "netstat service" setting to organizational standards. CC ID 04913 System hardening through configuration management Preventive
    Configure the "character generator protocol (chargen)" setting to organizational standards. CC ID 04914 System hardening through configuration management Preventive
    Configure the "tftpd service" setting to organizational standards. CC ID 04915 System hardening through configuration management Preventive
    Configure the "walld service" setting to organizational standards. CC ID 04916 System hardening through configuration management Preventive
    Configure the "rstatd service" setting to organizational standards. CC ID 04917 System hardening through configuration management Preventive
    Configure the "sprayd service" setting to organizational standards. CC ID 04918 System hardening through configuration management Preventive
    Configure the "rusersd service" setting to organizational standards. CC ID 04919 System hardening through configuration management Preventive
    Configure the "inn service" setting to organizational standards. CC ID 04920 System hardening through configuration management Preventive
    Configure the "font service" setting to organizational standards. CC ID 04921 System hardening through configuration management Preventive
    Configure the "ident service" setting to organizational standards. CC ID 04922 System hardening through configuration management Preventive
    Configure the "rexd service" setting to organizational standards. CC ID 04923 System hardening through configuration management Preventive
    Configure the "daytime service" setting to organizational standards. CC ID 04924 System hardening through configuration management Preventive
    Configure the "dtspc (cde-spc) service" setting to organizational standards. CC ID 04925 System hardening through configuration management Preventive
    Configure the "cmsd service" setting to organizational standards. CC ID 04926 System hardening through configuration management Preventive
    Configure the "ToolTalk service" setting to organizational standards. CC ID 04927 System hardening through configuration management Preventive
    Configure the "discard service" setting to organizational standards. CC ID 04928 System hardening through configuration management Preventive
    Configure the "vino-server service" setting to organizational standards. CC ID 04929 System hardening through configuration management Preventive
    Configure the "bind service" setting to organizational standards. CC ID 04930 System hardening through configuration management Preventive
    Configure the "nfsd service" setting to organizational standards. CC ID 04931 System hardening through configuration management Preventive
    Configure the "mountd service" setting to organizational standards. CC ID 04932 System hardening through configuration management Preventive
    Configure the "statd service" setting to organizational standards. CC ID 04933 System hardening through configuration management Preventive
    Configure the "lockd service" setting to organizational standards. CC ID 04934 System hardening through configuration management Preventive
    Configure the lockd service to use a static port or a dynamic portmapper port for User Datagram Protocol as appropriate. CC ID 05980 System hardening through configuration management Preventive
    Configure the "decode sendmail alias" setting to organizational standards. CC ID 04935 System hardening through configuration management Preventive
    Configure the sendmail vrfy command, as appropriate. CC ID 04936 System hardening through configuration management Preventive
    Configure the sendmail expn command, as appropriate. CC ID 04937 System hardening through configuration management Preventive
    Configure .netrc with an appropriate set of services. CC ID 04938 System hardening through configuration management Preventive
    Enable NFS insecure locks as necessary. CC ID 04939 System hardening through configuration management Preventive
    Configure the "X server ac" setting to organizational standards. CC ID 04940 System hardening through configuration management Preventive
    Configure the "X server core" setting to organizational standards. CC ID 04941 System hardening through configuration management Preventive
    Enable or disable the setroubleshoot service, as appropriate. CC ID 05540 System hardening through configuration management Preventive
    Configure the "X server nolock" setting to organizational standards. CC ID 04942 System hardening through configuration management Preventive
    Enable or disable the mcstrans service, as appropriate. CC ID 05541 System hardening through configuration management Preventive
    Configure the "PAM console" setting to organizational standards. CC ID 04943 System hardening through configuration management Preventive
    Enable or disable the restorecond service, as appropriate. CC ID 05542 System hardening through configuration management Preventive
    Enable the rhnsd service as necessary. CC ID 04944 System hardening through configuration management Preventive
    Enable the yum-updatesd service as necessary. CC ID 04945 System hardening through configuration management Preventive
    Enable the autofs service as necessary. CC ID 04946 System hardening through configuration management Preventive
    Enable the ip6tables service as necessary. CC ID 04947 System hardening through configuration management Preventive
    Configure syslog to organizational standards. CC ID 04949 System hardening through configuration management Preventive
    Enable the auditd service as necessary. CC ID 04950 System hardening through configuration management Preventive
    Enable the logwatch service as necessary. CC ID 04951 System hardening through configuration management Preventive
    Enable the logrotate (syslog rotator) service as necessary. CC ID 04952 System hardening through configuration management Preventive
    Install or uninstall the telnet server package, only if absolutely necessary. CC ID 04953 System hardening through configuration management Preventive
    Enable the ypbind service as necessary. CC ID 04954 System hardening through configuration management Preventive
    Enable the ypserv service as necessary. CC ID 04955 System hardening through configuration management Preventive
    Enable the firstboot service as necessary. CC ID 04956 System hardening through configuration management Preventive
    Enable the gpm service as necessary. CC ID 04957 System hardening through configuration management Preventive
    Enable the irqbalance service as necessary. CC ID 04958 System hardening through configuration management Preventive
    Enable the isdn service as necessary. CC ID 04959 System hardening through configuration management Preventive
    Enable the kdump service as necessary. CC ID 04960 System hardening through configuration management Preventive
    Enable the mdmonitor service as necessary. CC ID 04961 System hardening through configuration management Preventive
    Enable the microcode_ctl service as necessary. CC ID 04962 System hardening through configuration management Preventive
    Enable the pcscd service as necessary. CC ID 04963 System hardening through configuration management Preventive
    Enable the smartd service as necessary. CC ID 04964 System hardening through configuration management Preventive
    Enable the readahead_early service as necessary. CC ID 04965 System hardening through configuration management Preventive
    Enable the readahead_later service as necessary. CC ID 04966 System hardening through configuration management Preventive
    Enable the messagebus service as necessary. CC ID 04967 System hardening through configuration management Preventive
    Enable the haldaemon service as necessary. CC ID 04968 System hardening through configuration management Preventive
    Enable the apmd service as necessary. CC ID 04969 System hardening through configuration management Preventive
    Enable the acpid service as necessary. CC ID 04970 System hardening through configuration management Preventive
    Enable the cpuspeed service as necessary. CC ID 04971 System hardening through configuration management Preventive
    Enable the network service as necessary. CC ID 04972 System hardening through configuration management Preventive
    Enable the hidd service as necessary. CC ID 04973 System hardening through configuration management Preventive
    Enable the crond service as necessary. CC ID 04974 System hardening through configuration management Preventive
    Install and enable the anacron service as necessary. CC ID 04975 System hardening through configuration management Preventive
    Enable the xfs service as necessary. CC ID 04976 System hardening through configuration management Preventive
    Install and enable the Avahi daemon service, as necessary. CC ID 04977 System hardening through configuration management Preventive
    Enable the CUPS service, as necessary. CC ID 04978 System hardening through configuration management Preventive
    Enable the hplip service as necessary. CC ID 04979 System hardening through configuration management Preventive
    Enable the dhcpd service as necessary. CC ID 04980 System hardening through configuration management Preventive
    Enable the nfslock service as necessary. CC ID 04981 System hardening through configuration management Preventive
    Enable the rpcgssd service as necessary. CC ID 04982 System hardening through configuration management Preventive
    Enable the rpcidmapd service as necessary. CC ID 04983 System hardening through configuration management Preventive
    Enable the rpcsvcgssd service as necessary. CC ID 04985 System hardening through configuration management Preventive
    Configure root squashing for all NFS shares, as appropriate. CC ID 04986 System hardening through configuration management Preventive
    Configure write access to NFS shares, as appropriate. CC ID 04987 System hardening through configuration management Preventive
    Configure the named service, as appropriate. CC ID 04988 System hardening through configuration management Preventive
    Configure the vsftpd service, as appropriate. CC ID 04989 System hardening through configuration management Preventive
    Configure the “dovecot” service to organizational standards. CC ID 04990 System hardening through configuration management Preventive
    Configure Server Message Block (SMB) to organizational standards. CC ID 04991 System hardening through configuration management Preventive
    Enable the snmpd service as necessary. CC ID 04992 System hardening through configuration management Preventive
    Enable the calendar manager as necessary. CC ID 04993 System hardening through configuration management Preventive
    Enable the GNOME logon service as necessary. CC ID 04994 System hardening through configuration management Preventive
    Enable the WBEM services as necessary. CC ID 04995 System hardening through configuration management Preventive
    Enable the keyserv service as necessary. CC ID 04996 System hardening through configuration management Preventive
    Enable the Generic Security Service daemon as necessary. CC ID 04997 System hardening through configuration management Preventive
    Enable the volfs service as necessary. CC ID 04998 System hardening through configuration management Preventive
    Enable the smserver service as necessary. CC ID 04999 System hardening through configuration management Preventive
    Enable the mpxio-upgrade service as necessary. CC ID 05000 System hardening through configuration management Preventive
    Enable the metainit service as necessary. CC ID 05001 System hardening through configuration management Preventive
    Enable the meta service as necessary. CC ID 05003 System hardening through configuration management Preventive
    Enable the metaed service as necessary. CC ID 05004 System hardening through configuration management Preventive
    Enable the metamh service as necessary. CC ID 05005 System hardening through configuration management Preventive
    Enable the Local RPC Port Mapping Service as necessary. CC ID 05006 System hardening through configuration management Preventive
    Enable the Kerberos kadmind service as necessary. CC ID 05007 System hardening through configuration management Preventive
    Enable the Kerberos krb5kdc service as necessary. CC ID 05008 System hardening through configuration management Preventive
    Enable the Kerberos kpropd service as necessary. CC ID 05009 System hardening through configuration management Preventive
    Enable the Kerberos ktkt_warnd service as necessary. CC ID 05010 System hardening through configuration management Preventive
    Enable the sadmin service as necessary. CC ID 05011 System hardening through configuration management Preventive
    Enable the IPP listener as necessary. CC ID 05012 System hardening through configuration management Preventive
    Enable the serial port listener as necessary. CC ID 05013 System hardening through configuration management Preventive
    Enable the Smart Card Helper service as necessary. CC ID 05014 System hardening through configuration management Preventive
    Enable the Application Management service as necessary. CC ID 05015 System hardening through configuration management Preventive
    Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 System hardening through configuration management Preventive
    Enable the Network News Transport Protocol service as necessary. CC ID 05017 System hardening through configuration management Preventive
    Enable the network Dynamic Data Exchange service as necessary. CC ID 05018 System hardening through configuration management Preventive
    Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 System hardening through configuration management Preventive
    Enable the RARP service as necessary. CC ID 05020 System hardening through configuration management Preventive
    Configure the ".NET Framework service" setting to organizational standards. CC ID 05021 System hardening through configuration management Preventive
    Enable the Network DDE Share Database Manager service as necessary. CC ID 05022 System hardening through configuration management Preventive
    Enable the Certificate Services service as necessary. CC ID 05023 System hardening through configuration management Preventive
    Configure the ATI hotkey poller service properly. CC ID 05024 System hardening through configuration management Preventive
    Configure the Interix Subsystem Startup service properly. CC ID 05025 System hardening through configuration management Preventive
    Configure the Cluster Service service properly. CC ID 05026 System hardening through configuration management Preventive
    Configure the IAS Jet Database Access service properly. CC ID 05027 System hardening through configuration management Preventive
    Configure the IAS service properly. CC ID 05028 System hardening through configuration management Preventive
    Configure the IP Version 6 Helper service properly. CC ID 05029 System hardening through configuration management Preventive
    Configure "Message Queuing service" to organizational standards. CC ID 05030 System hardening through configuration management Preventive
    Configure the Message Queuing Down Level Clients service properly. CC ID 05031 System hardening through configuration management Preventive
    Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 System hardening through configuration management Preventive
    Configure the TCP/IP NetBIOS Helper Service properly. CC ID 05034 System hardening through configuration management Preventive
    Configure the Utility Manager service properly. CC ID 05035 System hardening through configuration management Preventive
    Configure the secondary logon service properly. CC ID 05036 System hardening through configuration management Preventive
    Configure the Windows Management Instrumentation service properly. CC ID 05037 System hardening through configuration management Preventive
    Configure the Workstation service properly. CC ID 05038 System hardening through configuration management Preventive
    Configure the Windows Installer service properly. CC ID 05039 System hardening through configuration management Preventive
    Configure the Windows System Resource Manager service properly. CC ID 05040 System hardening through configuration management Preventive
    Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 System hardening through configuration management Preventive
    Configure the Services for Unix Client for NFS service properly. CC ID 05042 System hardening through configuration management Preventive
    Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 System hardening through configuration management Preventive
    Configure the Services for Unix Perl Socket service properly. CC ID 05044 System hardening through configuration management Preventive
    Configure the Services for Unix User Name Mapping service properly. CC ID 05045 System hardening through configuration management Preventive
    Configure the Services for Unix Windows Cron service properly. CC ID 05046 System hardening through configuration management Preventive
    Configure the Windows Media Services service properly. CC ID 05047 System hardening through configuration management Preventive
    Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. CC ID 05048 System hardening through configuration management Preventive
    Configure the Web Element Manager service properly. CC ID 05049 System hardening through configuration management Preventive
    Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. CC ID 05050 System hardening through configuration management Preventive
    Configure the Terminal Services Licensing service properly. CC ID 05051 System hardening through configuration management Preventive
    Configure the COM+ Event System service properly. CC ID 05052 System hardening through configuration management Preventive
    Configure the Event Log service properly. CC ID 05053 System hardening through configuration management Preventive
    Configure the Infrared Monitor service properly. CC ID 05054 System hardening through configuration management Preventive
    Configure the Services for Unix Server for NFS service properly. CC ID 05055 System hardening through configuration management Preventive
    Configure the System Event Notification Service properly. CC ID 05056 System hardening through configuration management Preventive
    Configure the NTLM Security Support Provider service properly. CC ID 05057 System hardening through configuration management Preventive
    Configure the Performance Logs and Alerts service properly. CC ID 05058 System hardening through configuration management Preventive
    Configure the Protected Storage service properly. CC ID 05059 System hardening through configuration management Preventive
    Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 System hardening through configuration management Preventive
    Configure the Remote Procedure Call service properly. CC ID 05061 System hardening through configuration management Preventive
    Configure the Removable Storage service properly. CC ID 05062 System hardening through configuration management Preventive
    Configure the Server service properly. CC ID 05063 System hardening through configuration management Preventive
    Configure the Security Accounts Manager service properly. CC ID 05064 System hardening through configuration management Preventive
    Configure the “Network Connections” service to organizational standards. CC ID 05065 System hardening through configuration management Preventive
    Configure the Logical Disk Manager service properly. CC ID 05066 System hardening through configuration management Preventive
    Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 System hardening through configuration management Preventive
    Configure the File Replication service properly. CC ID 05068 System hardening through configuration management Preventive
    Configure the Kerberos Key Distribution Center service properly. CC ID 05069 System hardening through configuration management Preventive
    Configure the Intersite Messaging service properly. CC ID 05070 System hardening through configuration management Preventive
    Configure the Remote Procedure Call locator service properly. CC ID 05071 System hardening through configuration management Preventive
    Configure the Distributed File System service properly. CC ID 05072 System hardening through configuration management Preventive
    Configure the Windows Internet Name Service service properly. CC ID 05073 System hardening through configuration management Preventive
    Configure the FTP Publishing Service properly. CC ID 05074 System hardening through configuration management Preventive
    Configure the Windows Search service properly. CC ID 05075 System hardening through configuration management Preventive
    Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 System hardening through configuration management Preventive
    Configure the Remote Shell service properly. CC ID 05077 System hardening through configuration management Preventive
    Configure Simple TCP/IP services to organizational standards. CC ID 05078 System hardening through configuration management Preventive
    Configure the Print Services for Unix service properly. CC ID 05079 System hardening through configuration management Preventive
    Configure the File Shares service to organizational standards. CC ID 05080 System hardening through configuration management Preventive
    Configure the NetMeeting service properly. CC ID 05081 System hardening through configuration management Preventive
    Configure the Application Layer Gateway service properly. CC ID 05082 System hardening through configuration management Preventive
    Configure the Cryptographic Services service properly. CC ID 05083 System hardening through configuration management Preventive
    Configure the Help and Support Service properly. CC ID 05084 System hardening through configuration management Preventive
    Configure the Human Interface Device Access service properly. CC ID 05085 System hardening through configuration management Preventive
    Configure the IMAPI CD-Burning COM service properly. CC ID 05086 System hardening through configuration management Preventive
    Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 System hardening through configuration management Preventive
    Configure the Network Location Awareness service properly. CC ID 05088 System hardening through configuration management Preventive
    Configure the Portable Media Serial Number Service service properly. CC ID 05089 System hardening through configuration management Preventive
    Configure the System Restore Service service properly. CC ID 05090 System hardening through configuration management Preventive
    Configure the Themes service properly. CC ID 05091 System hardening through configuration management Preventive
    Configure the Uninterruptible Power Supply service properly. CC ID 05092 System hardening through configuration management Preventive
    Configure the Upload Manager service properly. CC ID 05093 System hardening through configuration management Preventive
    Configure the Volume Shadow Copy Service properly. CC ID 05094 System hardening through configuration management Preventive
    Configure the WebClient service properly. CC ID 05095 System hardening through configuration management Preventive
    Configure the Windows Audio service properly. CC ID 05096 System hardening through configuration management Preventive
    Configure the Windows Image Acquisition service properly. CC ID 05097 System hardening through configuration management Preventive
    Configure the WMI Performance Adapter service properly. CC ID 05098 System hardening through configuration management Preventive
    Enable file uploads via vsftpd service, as appropriate. CC ID 05100 System hardening through configuration management Preventive
    Disable or remove sadmind unless use of sadmind is absolutely necessary. CC ID 06885 System hardening through configuration management Preventive
    Configure the "SNMP version 1" setting to organizational standards. CC ID 08976 System hardening through configuration management Preventive
    Configure the "xdmcp service" setting to organizational standards. CC ID 08985 System hardening through configuration management Preventive
    Configure authenticators to comply with organizational standards. CC ID 06412 System hardening through configuration management Preventive
    Configure the system to require new users to change their authenticator on first use. CC ID 05268
    [Allow temporary password use for system logons with an immediate change to a permanent password. 3.5.9]
    System hardening through configuration management Preventive
    Configure the system to encrypt authenticators. CC ID 06735
    [Store and transmit only encrypted representation of passwords. 3.5.10]
    System hardening through configuration management Preventive
    Configure the system to mask authenticators. CC ID 02037
    [Obscure feedback of authentication information. 3.5.11]
    System hardening through configuration management Preventive
    Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 System hardening through configuration management Preventive
    Configure the default locking Screen saver timeout to a predetermined time period. CC ID 01570
    [Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity. 3.1.10]
    System hardening through configuration management Preventive
    Configure Wireless Access Points in accordance with organizational standards. CC ID 12477 System hardening through configuration management Preventive
    Enable two-factor authentication for identifying and authenticating Wireless Local Area Network users. CC ID 04595
    [Protect wireless access using authentication and encryption. 3.1.17]
    System hardening through configuration management Preventive
    Configure mobile device settings in accordance with organizational standards. CC ID 04600 System hardening through configuration management Preventive
    Enable data-at-rest encryption on mobile devices. CC ID 04842
    [Protect the confidentiality of CUI at rest. 3.13.16]
    System hardening through configuration management Preventive
    Configure Logging settings in accordance with organizational standards. CC ID 07611
    [Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. 3.3.1]
    System hardening through configuration management Preventive
    Configure "CloudTrail" to organizational standards. CC ID 15443 System hardening through configuration management Preventive
    Configure "CloudTrail log file validation" to organizational standards. CC ID 15437 System hardening through configuration management Preventive
    Configure "VPC flow logging" to organizational standards. CC ID 15436 System hardening through configuration management Preventive
    Configure "object-level logging" to organizational standards. CC ID 15433 System hardening through configuration management Preventive
    Configure "Turn on PowerShell Transcription" to organizational standards. CC ID 15415 System hardening through configuration management Preventive
    Configure "Turn on PowerShell Script Block Logging" to organizational standards. CC ID 15413 System hardening through configuration management Preventive
    Configure "Audit PNP Activity" to organizational standards. CC ID 15393 System hardening through configuration management Preventive
    Configure "Include command line in process creation events" to organizational standards. CC ID 15358 System hardening through configuration management Preventive
    Configure "Audit Group Membership" to organizational standards. CC ID 15341 System hardening through configuration management Preventive
    Configure the "audit_backlog_limit" setting to organizational standards. CC ID 15324 System hardening through configuration management Preventive
    Configure the "/etc/docker/daemon.json" files and directories auditing to organizational standards. CC ID 14467 System hardening through configuration management Detective
    Configure the "systemd-journald" to organizational standards. CC ID 15326 System hardening through configuration management Preventive
    Configure the "/etc/docker" files and directories auditing to organizational standards. CC ID 14459 System hardening through configuration management Detective
    Configure the "docker.socket" files and directories auditing to organizational standards. CC ID 14458 System hardening through configuration management Detective
    Configure the "docker.service" files and directories auditing to organizational standards. CC ID 14454 System hardening through configuration management Detective
    Configure the "/var/lib/docker" files and directories auditing to organizational standards. CC ID 14453 System hardening through configuration management Detective
    Configure the "/usr/sbin/runc" files and directories auditing to organizational standards. CC ID 14452 System hardening through configuration management Detective
    Configure the "/usr/bin/containerd" files and directories auditing to organizational standards. CC ID 14451 System hardening through configuration management Detective
    Configure the "/etc/default/docker" files and directories auditing to organizational standards. CC ID 14450 System hardening through configuration management Detective
    Configure the "/etc/sysconfig/docker" files and directories auditing to organizational standards. CC ID 14449 System hardening through configuration management Detective
    Configure the storage parameters for all logs. CC ID 06330 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: SAM" to organizational standards. CC ID 07612 System hardening through configuration management Preventive
    Configure sufficient log storage capacity and prevent the capacity from being exceeded. CC ID 01425 System hardening through configuration management Preventive
    Configure the log retention method. CC ID 01715 System hardening through configuration management Preventive
    Configure the log retention size. CC ID 01716 System hardening through configuration management Preventive
    Configure syslogd to send logs to a Remote LogHost. CC ID 01526 System hardening through configuration management Preventive
    Configure the "Audit Policy: Account Management: User Account Management" to organizational standards. CC ID 07613 System hardening through configuration management Preventive
    Configure the security parameters for all logs. CC ID 01712 System hardening through configuration management Preventive
    Configure the log so that it cannot be disabled. CC ID 00595 System hardening through configuration management Preventive
    Configure the event log size capacity limits for the application log, the security log, and the system log. CC ID 01713 System hardening through configuration management Preventive
    Configure the application log, the security log, and the system log to restrict guest access. CC ID 01714 System hardening through configuration management Preventive
    Configure the "mss: (warninglevel) percentage threshold for the security event log at which the system will generate a warning" setting. CC ID 04275 System hardening through configuration management Preventive
    Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331
    [Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. 3.3.2]
    System hardening through configuration management Preventive
    Configure the "Audit Policy: System: System Integrity" to organizational standards. CC ID 07652 System hardening through configuration management Preventive
    Configure the log to capture the user's identification. CC ID 01334 System hardening through configuration management Preventive
    Configure the log to capture a date and time stamp. CC ID 01336
    [Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. 3.3.7]
    System hardening through configuration management Preventive
    Configure the log to uniquely identify each asset. CC ID 01339 System hardening through configuration management Preventive
    Configure the log to capture remote access information. CC ID 05596 System hardening through configuration management Detective
    Configure the log to capture the type of each event. CC ID 06423 System hardening through configuration management Preventive
    Configure the log to capture each event's success or failure indication. CC ID 06424 System hardening through configuration management Preventive
    Configure all logs to capture auditable events or actionable events. CC ID 06332 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: File Share" to organizational standards. CC ID 07655 System hardening through configuration management Preventive
    Configure the log to capture account lockouts. CC ID 16470 System hardening through configuration management Preventive
    Configure the log to capture execution events. CC ID 16469 System hardening through configuration management Preventive
    Configure the log to capture AWS Organizations changes. CC ID 15445 System hardening through configuration management Preventive
    Configure the log to capture Identity and Access Management policy changes. CC ID 15442 System hardening through configuration management Preventive
    Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 System hardening through configuration management Preventive
    Configure the log to capture route table changes. CC ID 15439 System hardening through configuration management Preventive
    Configure the log to capture virtual private cloud changes. CC ID 15435 System hardening through configuration management Preventive
    Configure the log to capture changes to encryption keys. CC ID 15432 System hardening through configuration management Preventive
    Configure the log to capture unauthorized API calls. CC ID 15429 System hardening through configuration management Preventive
    Configure the log to capture changes to network gateways. CC ID 15421 System hardening through configuration management Preventive
    Configure the log to capture all spoofed addresses. CC ID 01313 System hardening through configuration management Preventive
    Configure the "logging level" to organizational standards. CC ID 14456 System hardening through configuration management Detective
    Configure inetd tracing. CC ID 01523 System hardening through configuration management Preventive
    Configure the system to capture messages sent to the syslog AUTH facility. CC ID 01525 System hardening through configuration management Preventive
    Configure Cron logging. CC ID 01528 System hardening through configuration management Preventive
    Configure the kernel level auditing setting. CC ID 01530 System hardening through configuration management Preventive
    Configure the "audit successful file system mounts" setting to organizational standards. CC ID 09923 System hardening through configuration management Preventive
    Configure system accounting/system events. CC ID 01529 System hardening through configuration management Preventive
    Configure the privilege use auditing setting. CC ID 01699 System hardening through configuration management Preventive
    Configure the log to record the Denial of Access that results from an excessive number of unsuccessful logon attempts. CC ID 01919 System hardening through configuration management Preventive
    Configure the Audit Process Tracking setting. CC ID 01700 System hardening through configuration management Preventive
    Configure the EEPROM security-mode accesses and EEPROM log-failed accesses. CC ID 01575 System hardening through configuration management Preventive
    Configure the log to capture user identifier, address, port blocking or blacklisting. CC ID 01918 System hardening through configuration management Preventive
    Enable directory service access events, as appropriate. CC ID 05616 System hardening through configuration management Preventive
    Configure the log to capture failed transactions. CC ID 06334 System hardening through configuration management Preventive
    Configure the log to capture successful transactions. CC ID 06335 System hardening through configuration management Preventive
    Audit non-attributable events (na class). CC ID 05604 System hardening through configuration management Preventive
    Configure the log to capture configuration changes. CC ID 06881 System hardening through configuration management Preventive
    Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 System hardening through configuration management Preventive
    Configure the log to capture all changes to certificates. CC ID 05595 System hardening through configuration management Preventive
    Configure the "inetd logging" setting to organizational standards. CC ID 08970 System hardening through configuration management Preventive
    Configure the "audit sudoers" setting to organizational standards. CC ID 09950 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: Registry" to organizational standards. CC ID 07658 System hardening through configuration management Preventive
    Configure the event log settings for specific Operating System functions. CC ID 06337 System hardening through configuration management Preventive
    Configure the "Audit: Audit the use of Backup and Restore privilege" setting. CC ID 01724 System hardening through configuration management Preventive
    Configure the "Audit: Shut down the system immediately if unable to log security audits" setting. CC ID 01725 System hardening through configuration management Preventive
    Configure "Audit account management" to organizational standards. CC ID 02039 System hardening through configuration management Preventive
    Configure the "Audit: Force audit policy subcategory settings (Windows Vista or later)" setting. CC ID 04387 System hardening through configuration management Preventive
    Configure console logging. CC ID 04454 System hardening through configuration management Preventive
    Configure boot error logging. CC ID 04455 System hardening through configuration management Preventive
    Disable the "Audit password" setting in NetWare. CC ID 04456 System hardening through configuration management Preventive
    Configure the "Disable Logging" setting. CC ID 05590 System hardening through configuration management Preventive
    Enable BIN mode auditing. CC ID 05591 System hardening through configuration management Preventive
    Enable or disable the BSM auditing setting, as appropriate. CC ID 05592 System hardening through configuration management Preventive
    Set the X server audit level appropriately. CC ID 05600 System hardening through configuration management Preventive
    Configure the "Turn on session logging" properly. CC ID 05618 System hardening through configuration management Preventive
    Configure Sendmail with the appropriate logging levels. CC ID 06028 System hardening through configuration management Preventive
    Enable or disable auditing in the runcontrol scripts, as appropriate. CC ID 06029 System hardening through configuration management Preventive
    Enable or disable auditing for user accounts, as appropriate. CC ID 06030 System hardening through configuration management Preventive
    Enable or disable auditing at boot time, as appropriate. CC ID 06031 System hardening through configuration management Preventive
    Enable or disable the auditing of chgrp usage, as appropriate. CC ID 06033 System hardening through configuration management Preventive
    Enable or disable the auditing of mkgroup usage, as appropriate. CC ID 06034 System hardening through configuration management Preventive
    Enable or disable the auditing of rmgroup usage, as appropriate. CC ID 06035 System hardening through configuration management Preventive
    Enable or disable the auditing of the exit function, as appropriate. CC ID 06036 System hardening through configuration management Preventive
    Generate an alert when an audit log failure occurs. CC ID 06737
    [{generate} Alert in the event of an audit process failure. 3.3.4]
    System hardening through configuration management Preventive
    Configure the "Audit Policy: Logon-Logoff: Logoff" to organizational standards. CC ID 07662 System hardening through configuration management Preventive
    Configure additional log settings. CC ID 06333 System hardening through configuration management Preventive
    Configure additional logging for the FTP daemon. CC ID 01524 System hardening through configuration management Preventive
    Configure additional log file parameters appropriately. CC ID 06338 System hardening through configuration management Preventive
    Configure the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to organizational standards. CC ID 07664 System hardening through configuration management Preventive
    Create the /var/adm/loginlog file. CC ID 01527 System hardening through configuration management Preventive
    Verify the audit config file contains only accounts that should be present. CC ID 05594 System hardening through configuration management Preventive
    Specify the PRI audit file properly. CC ID 05597 System hardening through configuration management Preventive
    Specify the SEC audit file properly. CC ID 05598 System hardening through configuration management Preventive
    Verify the user audit file contains the appropriate never-audit flags. CC ID 05605 System hardening through configuration management Preventive
    Configure the "Background upload of a roaming user profile's registry file while user is logged on" setting to organizational standards. CC ID 10761 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: File System" to organizational standards. CC ID 07666 System hardening through configuration management Preventive
    Configure the "Backup log automatically when full" setting for the "setup log" to organizational standards. CC ID 10762 System hardening through configuration management Preventive
    Configure the "Audit Policy: Logon-Logoff: Logon" to organizational standards. CC ID 07669 System hardening through configuration management Preventive
    Configure the "Audit Policy: Account Logon: Kerberos Authentication Service" to organizational standards. CC ID 07679 System hardening through configuration management Preventive
    Configure the "Applications preference logging and tracing" setting to organizational standards. CC ID 10774 System hardening through configuration management Preventive
    Configure the "Audit Policy: Logon-Logoff: IPsec Extended Mode" to organizational standards. CC ID 07683 System hardening through configuration management Preventive
    Configure the "Data Sources preference logging and tracing" setting to organizational standards. CC ID 10779 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: Handle Manipulation" to organizational standards. CC ID 07684 System hardening through configuration management Preventive
    Configure the "Devices preference logging and tracing" setting to organizational standards. CC ID 10782 System hardening through configuration management Preventive
    Configure the "Drive Maps preference logging and tracing" setting to organizational standards. CC ID 10783 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: Detailed File Share" to organizational standards. CC ID 07687 System hardening through configuration management Preventive
    Configure the "Audit Policy: Logon-Logoff: Network Policy Server" to organizational standards. CC ID 07701 System hardening through configuration management Preventive
    Configure the "Environment preference logging and tracing" setting to organizational standards. CC ID 10784 System hardening through configuration management Preventive
    Configure the "Audit Policy: Detailed Tracking: Process Creation" to organizational standards. CC ID 07707 System hardening through configuration management Preventive
    Configure the "Files preference logging and tracing" setting to organizational standards. CC ID 10785 System hardening through configuration management Preventive
    Configure the "Audit Policy: System: IPsec Driver" to organizational standards. CC ID 07708 System hardening through configuration management Preventive
    Configure the "Folder Options preference logging and tracing" setting to organizational standards. CC ID 10786 System hardening through configuration management Preventive
    Configure the "Audit Policy: Logon-Logoff: Account Lockout" to organizational standards. CC ID 07713 System hardening through configuration management Preventive
    Configure the "Folders preference logging and tracing" setting to organizational standards. CC ID 10787 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: Kernel Object" to organizational standards. CC ID 07720 System hardening through configuration management Preventive
    Configure the "Ini Files preference logging and tracing" setting to organizational standards. CC ID 10788 System hardening through configuration management Preventive
    Configure the "Internet Settings preference logging and tracing" setting to organizational standards. CC ID 10789 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: Other Object Access Events" to organizational standards. CC ID 07724 System hardening through configuration management Preventive
    Configure the "Local Users and Groups preference logging and tracing" setting to organizational standards. CC ID 10793 System hardening through configuration management Preventive
    Configure the "Audit Policy: DS Access: Directory Service Replication" to organizational standards. CC ID 07734 System hardening through configuration management Preventive
    Configure the "Audit Policy: Policy Change: Audit Policy Change" to organizational standards. CC ID 07735 System hardening through configuration management Preventive
    Configure the "Regional Options preference logging and tracing" setting to organizational standards. CC ID 10802 System hardening through configuration management Preventive
    Configure the "Registry preference logging and tracing" setting to organizational standards. CC ID 10803 System hardening through configuration management Preventive
    Configure the "Audit Policy: DS Access: Directory Service Changes" to organizational standards. CC ID 07736 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: Certification Services" to organizational standards. CC ID 07742 System hardening through configuration management Preventive
    Configure the "Scheduled Tasks preference logging and tracing" setting to organizational standards. CC ID 10815 System hardening through configuration management Preventive
    Configure the "Services preference logging and tracing" setting to organizational standards. CC ID 10818 System hardening through configuration management Preventive
    Configure the "Maximum Log Size (KB)" to organizational standards. CC ID 07744 System hardening through configuration management Preventive
    Configure the "Audit Policy: Detailed Tracking: DPAPI Activity" to organizational standards. CC ID 07746 System hardening through configuration management Preventive
    Configure the "Shortcuts preference logging and tracing" setting to organizational standards. CC ID 10819 System hardening through configuration management Preventive
    Configure the "Start Menu preference logging and tracing" setting to organizational standards. CC ID 10821 System hardening through configuration management Preventive
    Configure the "Audit Policy: Account Management: Other Account Management Events" to organizational standards. CC ID 07751 System hardening through configuration management Preventive
    Configure the "Delete data from devices running Microsoft firmware when a user logs off from the computer." setting to organizational standards. CC ID 10846 System hardening through configuration management Preventive
    Configure the "Audit Policy: Account Management: Computer Account Management" to organizational standards. CC ID 07752 System hardening through configuration management Preventive
    Configure the "Disable logging via package settings" setting to organizational standards. CC ID 10864 System hardening through configuration management Preventive
    Configure the "Audit Policy: Privilege Use: Non Sensitive Privilege Use" to organizational standards. CC ID 07756 System hardening through configuration management Preventive
    Configure the "Do not forcefully unload the users registry at user logoff" setting to organizational standards. CC ID 10930 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: Application Generated" to organizational standards. CC ID 07757 System hardening through configuration management Preventive
    Configure the "Audit Policy: DS Access: Detailed Directory Service Replication" to organizational standards. CC ID 07764 System hardening through configuration management Preventive
    Configure the "Do not log users on with temporary profiles" setting to organizational standards. CC ID 10931 System hardening through configuration management Preventive
    Configure the "Audit Policy: Privilege Use: Other Privilege Use Events" to organizational standards. CC ID 07776 System hardening through configuration management Preventive
    Configure the "Log Access" setting for the "application log" to organizational standards. CC ID 11026 System hardening through configuration management Preventive
    Configure the "Log Access" setting for the "setup log" to organizational standards. CC ID 11027 System hardening through configuration management Preventive
    Configure the "Audit Policy: Account Logon: Kerberos Service Ticket Operations" to organizational standards. CC ID 07786 System hardening through configuration management Preventive
    Configure the "Audit Policy: DS Access: Directory Service Access" to organizational standards. CC ID 07790 System hardening through configuration management Preventive
    Configure the "Log Access" setting for the "system log" to organizational standards. CC ID 11028 System hardening through configuration management Preventive
    Configure the "Retain old events" to organizational standards. CC ID 07791 System hardening through configuration management Preventive
    Configure the "Log directory pruning retry events" setting to organizational standards. CC ID 11029 System hardening through configuration management Preventive
    Configure the "Audit: Audit the use of Backup and Restore privilege" to organizational standards. CC ID 07792 System hardening through configuration management Preventive
    Configure the "Log event when quota limit exceeded" setting to organizational standards. CC ID 11030 System hardening through configuration management Preventive
    Configure the "Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change" to organizational standards. CC ID 07793 System hardening through configuration management Preventive
    Configure the "Log File Path" setting for the "application log" to organizational standards. CC ID 11033 System hardening through configuration management Preventive
    Configure the "Audit Policy: Policy Change: Other Policy Change Events" to organizational standards. CC ID 07810 System hardening through configuration management Preventive
    Configure the "Log File Path" setting for the "setup log" to organizational standards. CC ID 11034 System hardening through configuration management Preventive
    Configure the "Audit: Shut down system immediately if unable to log security audits" to organizational standards. CC ID 07812 System hardening through configuration management Preventive
    Configure the "Log File Path" setting for the "system log" to organizational standards. CC ID 11035 System hardening through configuration management Preventive
    Configure the "Logging" setting to organizational standards. CC ID 11036 System hardening through configuration management Preventive
    Configure the "Audit Policy: System: Other System Events" to organizational standards. CC ID 07817 System hardening through configuration management Preventive
    Configure the "Remove "Disconnect" option from Shut Down dialog" setting to organizational standards. CC ID 11126 System hardening through configuration management Preventive
    Configure the "Audit Policy: Account Management: Application Group Management" to organizational standards. CC ID 07819 System hardening through configuration management Preventive
    Configure the "Remove browse dialog box for new source" setting to organizational standards. CC ID 11127 System hardening through configuration management Preventive
    Configure the "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" to organizational standards. CC ID 07820 System hardening through configuration management Preventive
    Configure the "Restricts the UI language Windows uses for all logged users" setting to organizational standards. CC ID 11147 System hardening through configuration management Preventive
    Configure the "Audit Policy: Account Logon: Other Account Logon Events" to organizational standards. CC ID 07825 System hardening through configuration management Preventive
    Configure the "Audit Policy: Account Management: Distribution Group Management" to organizational standards. CC ID 07828 System hardening through configuration management Preventive
    Configure the "Set roaming profile path for all users logging onto this computer" setting to organizational standards. CC ID 11182 System hardening through configuration management Preventive
    Configure the "Set the Time interval in minutes for logging accounting data" setting to organizational standards. CC ID 11193 System hardening through configuration management Preventive
    Configure the "Audit: Audit the access of global system objects" to organizational standards. CC ID 07831 System hardening through configuration management Preventive
    Configure the "Turn off Resultant Set of Policy logging" setting to organizational standards. CC ID 11307 System hardening through configuration management Preventive
    Configure the "Audit Policy: Logon-Logoff: Special Logon" to organizational standards. CC ID 07835 System hardening through configuration management Preventive
    Configure the "Turn on extensive logging for Active Directory Domain Services domain controllers that are running Server for NIS" setting to organizational standards. CC ID 11343 System hardening through configuration management Preventive
    Configure the "Audit Policy: Detailed Tracking: RPC Events" to organizational standards. CC ID 07840 System hardening through configuration management Preventive
    Configure the "Audit Policy: Policy Change: Authentication Policy Change" to organizational standards. CC ID 07846 System hardening through configuration management Preventive
    Configure the "Turn on extensive logging for Password Synchronization" setting to organizational standards. CC ID 11344 System hardening through configuration management Preventive
    Configure the "Audit Policy: Detailed Tracking: Process Termination" to organizational standards. CC ID 07849 System hardening through configuration management Preventive
    Configure the "Turn on logging" setting to organizational standards. CC ID 11345 System hardening through configuration management Preventive
    Configure the "Audit Policy: Logon-Logoff: IPsec Quick Mode" to organizational standards. CC ID 07852 System hardening through configuration management Preventive
    Configure the "Turn on session logging" setting to organizational standards. CC ID 11350 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: Filtering Platform Packet Drop" to organizational standards. CC ID 07856 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: Filtering Platform Connection" to organizational standards. CC ID 07864 System hardening through configuration management Preventive
    Configure the "Audit Policy: Policy Change: Authorization Policy Change" to organizational standards. CC ID 07875 System hardening through configuration management Preventive
    Configure the "Audit Policy: Account Management: Security Group Management" to organizational standards. CC ID 07880 System hardening through configuration management Preventive
    Configure the "Audit Policy: Privilege Use: Sensitive Privilege Use" to organizational standards. CC ID 07887 System hardening through configuration management Preventive
    Configure the "Audit Policy: Logon-Logoff: IPsec Main Mode" to organizational standards. CC ID 07888 System hardening through configuration management Preventive
    Configure the "Audit Policy: Account Logon: Credential Validation" to organizational standards. CC ID 07892 System hardening through configuration management Preventive
    Configure the "Audit Policy: Policy Change: Filtering Platform Policy Change" to organizational standards. CC ID 07895 System hardening through configuration management Preventive
    Configure the "Audit Policy: Logon-Logoff: Other Logon/Logoff Events" to organizational standards. CC ID 07899 System hardening through configuration management Preventive
    Configure the "Audit Policy: System: Security State Change" to organizational standards. CC ID 07903 System hardening through configuration management Preventive
    Configure the "Audit Policy: System: Security System Extension" to organizational standards. CC ID 07904 System hardening through configuration management Preventive
    Configure the "Audit account logon events" to organizational standards. CC ID 08188 System hardening through configuration management Preventive
    Configure the "Retention method for security log" to organizational standards. CC ID 08197 System hardening through configuration management Preventive
    Configure the "Retention method for system log" to organizational standards. CC ID 08211 System hardening through configuration management Preventive
    Configure the "Audit logon events" to organizational standards. CC ID 08221 System hardening through configuration management Preventive
    Configure the "Retention method for application log" to organizational standards. CC ID 08226 System hardening through configuration management Preventive
    Configure the "Retain security log" to organizational standards. CC ID 08241 System hardening through configuration management Preventive
    Configure the "Audit system events" to organizational standards. CC ID 08244 System hardening through configuration management Preventive
    Configure the "Retain application log" to organizational standards. CC ID 08246 System hardening through configuration management Preventive
    Configure the "Prevent local guests group from accessing application log" to organizational standards. CC ID 08248 System hardening through configuration management Preventive
    Configure the "Maximum security log size" to organizational standards. CC ID 08251 System hardening through configuration management Preventive
    Configure the "Retain system log" to organizational standards. CC ID 08258 System hardening through configuration management Preventive
    Configure the "Audit privilege use" to organizational standards. CC ID 08266 System hardening through configuration management Preventive
    Configure the "Audit policy change" to organizational standards. CC ID 08272 System hardening through configuration management Preventive
    Configure the "Audit object access" to organizational standards. CC ID 08278 System hardening through configuration management Preventive
    Configure the "Audit process tracking" to organizational standards. CC ID 08283 System hardening through configuration management Preventive
    Configure the "Maximum system log size" to organizational standards. CC ID 08286 System hardening through configuration management Preventive
    Configure the "Maximum application log size" to organizational standards. CC ID 08296 System hardening through configuration management Preventive
    Configure the "Prevent local guests group from accessing security log" to organizational standards. CC ID 08297 System hardening through configuration management Preventive
    Configure the "Audit directory service access" to organizational standards. CC ID 08304 System hardening through configuration management Preventive
    Configure the "Audit account management" to organizational standards. CC ID 08316 System hardening through configuration management Preventive
    Configure the "Prevent local guests group from accessing system log" to organizational standards. CC ID 08336 System hardening through configuration management Preventive
    Configure the "Specify the maximum log file size (KB)" to organizational standards. CC ID 08352 System hardening through configuration management Preventive
    Configure the "Message tracking logging - Mailbox" to organizational standards. CC ID 08360 System hardening through configuration management Preventive
    Configure the "Turn on Connectivity logging" to organizational standards. CC ID 08398 System hardening through configuration management Preventive
    Configure the "Windows Firewall: Domain: Logging: Size limit (KB)" to organizational standards. CC ID 08405 System hardening through configuration management Preventive
    Configure the "Control Event Log behavior when the log file reaches its maximum size" to organizational standards. CC ID 08444 System hardening through configuration management Preventive
    Configure the "Windows Firewall: Private: Logging: Log dropped packets" to organizational standards. CC ID 08445 System hardening through configuration management Preventive
    Configure the "Windows Firewall: Public: Logging: Log dropped packets" to organizational standards. CC ID 08454 System hardening through configuration management Preventive
    Configure the "Configure Protocol logging" to organizational standards. CC ID 08463 System hardening through configuration management Preventive
    Configure the "Message tracking logging - Transport" to organizational standards. CC ID 08477 System hardening through configuration management Preventive
    Configure the "Windows Firewall: Domain: Logging: Log dropped packets" to organizational standards. CC ID 08501 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: Removable Storage" to organizational standards. CC ID 08504 System hardening through configuration management Preventive
    Configure the "Windows Firewall: Domain: Logging: Name" to organizational standards. CC ID 08543 System hardening through configuration management Preventive
    Configure the "Windows Firewall: Public: Logging: Log successful connections" to organizational standards. CC ID 08545 System hardening through configuration management Preventive
    Configure the "Audit Policy: Object Access: Central Access Policy Staging" to organizational standards. CC ID 08558 System hardening through configuration management Preventive
    Configure the "Windows Firewall: Public: Logging: Name" to organizational standards. CC ID 08565 System hardening through configuration management Preventive
    Configure the "Windows Firewall: Private: Logging: Size limit (KB)" to organizational standards. CC ID 08606 System hardening through configuration management Preventive
    Configure the "audit change user functions" setting to organizational standards. CC ID 08982 System hardening through configuration management Preventive
    Configure the "audit the use of chmod command" setting to organizational standards. CC ID 08983 System hardening through configuration management Preventive
    Configure the "audit the chown command" setting to organizational standards. CC ID 08984 System hardening through configuration management Preventive
    Configure the "Collect Session Initiation Information" setting to organizational standards. CC ID 09948 System hardening through configuration management Preventive
    Configure the "Collect Discretionary Access Control Permission Modification Events" setting to organizational standards. CC ID 09949 System hardening through configuration management Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Fault Tolerant Heap" to organizational standards. CC ID 10808 System hardening through configuration management Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Boot Performance Diagnostics" to organizational standards. CC ID 10809 System hardening through configuration management Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Memory Leak Diagnosis" to organizational standards. CC ID 10810 System hardening through configuration management Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Resource Exhaustion Detection and Resolution" to organizational standards. CC ID 10811 System hardening through configuration management Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Shutdown Performance Diagnostics" to organizational standards. CC ID 10812 System hardening through configuration management Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Standby/Resume Performance Diagnostics" to organizational standards. CC ID 10813 System hardening through configuration management Preventive
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows System Responsiveness Diagnostics" to organizational standards. CC ID 10814 System hardening through configuration management Preventive
    Configure the "Default quota limit and warning level" setting to organizational standards. CC ID 10840 System hardening through configuration management Preventive
    Configure the "Detect application failures caused by deprecated COM objects" setting to organizational standards. CC ID 10851 System hardening through configuration management Preventive
    Configure the "Detect application failures caused by deprecated Windows DLLs" setting to organizational standards. CC ID 10852 System hardening through configuration management Preventive
    Configure the "Detect application install failures" setting to organizational standards. CC ID 10853 System hardening through configuration management Preventive
    Configure the "Detect application installers that need to be run as administrator" setting to organizational standards. CC ID 10854 System hardening through configuration management Preventive
    Configure the "Detect applications unable to launch installers under UAC" setting to organizational standards. CC ID 10855 System hardening through configuration management Preventive
    Configure the "Diagnostics: Configure scenario execution level" setting to organizational standards. CC ID 10856 System hardening through configuration management Preventive
    Configure the "Disk Diagnostic: Configure execution level" setting to organizational standards. CC ID 10883 System hardening through configuration management Preventive
    Configure the "Log event when quota warning level exceeded" setting to organizational standards. CC ID 11031 System hardening through configuration management Preventive
    Configure the "Log File Debug Output Level" setting to organizational standards. CC ID 11032 System hardening through configuration management Preventive
    Configure the "Microsoft Support Diagnostic Tool: Configure execution level" setting to organizational standards. CC ID 11043 System hardening through configuration management Preventive
    Configure the "Primary DNS Suffix Devolution Level" setting to organizational standards. CC ID 11096 System hardening through configuration management Preventive
    Configure the "Require user authentication for remote connections by using Network Level Authentication" setting to organizational standards. CC ID 11138 System hardening through configuration management Preventive
    Configure the "Specify channel binding token hardening level" setting to organizational standards. CC ID 11209 System hardening through configuration management Preventive
    Configure the "Update Security Level" setting to organizational standards. CC ID 11357 System hardening through configuration management Preventive
    Configure the "Update Top Level Domain Zones" setting to organizational standards. CC ID 11358 System hardening through configuration management Preventive
    Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 System hardening through configuration management Preventive
    Configure the "Password must meet complexity requirements" to organizational standards. CC ID 07743
    [Enforce a minimum password complexity and change of characters when new passwords are created. 3.5.7]
    System hardening through configuration management Preventive
    Configure the "Enforce password history" to organizational standards. CC ID 07877
    [Prevent reuse of identifiers for a defined period. 3.5.5
    Prohibit password reuse for a specified number of generations. 3.5.8]
    System hardening through configuration management Preventive
    Configure security and protection software according to Organizational Standards. CC ID 11917 System hardening through configuration management Preventive
  • Data and Information Management
    63
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include the system components that generate audit records in the event logging procedures. CC ID 16426 Monitoring and measurement Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Monitoring and measurement Preventive
    Establish and maintain contact information for user accounts, as necessary. CC ID 15418 Technical security Preventive
    Enforce access restrictions for restricted data. CC ID 01921 Technical security Preventive
    Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 Technical security Preventive
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289
    [Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. 3.13.5]
    Technical security Preventive
    Protect data stored at external locations. CC ID 16333 Technical security Preventive
    Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 Technical security Preventive
    Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 Technical security Preventive
    Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 Technical security Preventive
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Technical security Preventive
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Technical security Preventive
    Perform content sanitization on data-in-transit. CC ID 16512 Technical security Preventive
    Perform content conversion on data-in-transit. CC ID 16510 Technical security Preventive
    Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 Technical security Preventive
    Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 Technical security Preventive
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 Technical security Preventive
    Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 Technical security Preventive
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Technical security Preventive
    Generate strong cryptographic keys. CC ID 01299 Technical security Preventive
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Technical security Preventive
    Disseminate and communicate cryptographic keys securely. CC ID 01300 Technical security Preventive
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Technical security Preventive
    Store cryptographic keys securely. CC ID 01298 Technical security Preventive
    Restrict access to cryptographic keys. CC ID 01297 Technical security Preventive
    Store cryptographic keys in encrypted format. CC ID 06084 Technical security Preventive
    Change cryptographic keys in accordance with organizational standards. CC ID 01302 Technical security Preventive
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Technical security Preventive
    Control cryptographic keys with split knowledge and dual control. CC ID 01304 Technical security Preventive
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Technical security Preventive
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Technical security Corrective
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Technical security Corrective
    Archive outdated cryptographic keys. CC ID 06884 Technical security Preventive
    Archive revoked cryptographic keys. CC ID 11819 Technical security Preventive
    Manage the digital signature cryptographic key pair. CC ID 06576 Technical security Preventive
    Track restricted storage media while it is in transit. CC ID 00967 Physical and environmental protection Detective
    Establish, implement, and maintain removable storage media controls. CC ID 06680
    [Limit use of organizational portable storage devices on external information systems. 3.1.21
    Control the use of removable media on information system components. 3.8.7]
    Physical and environmental protection Preventive
    Control access to restricted storage media. CC ID 04889
    [Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. 3.8.5]
    Physical and environmental protection Preventive
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Physical and environmental protection Preventive
    Encrypt information stored on mobile devices. CC ID 01422
    [Encrypt CUI on mobile devices. 3.1.19]
    Physical and environmental protection Preventive
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Human Resources management Corrective
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Operational management Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Preventive
    Share incident information with interested personnel and affected parties. CC ID 01212 Operational management Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Corrective
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Preventive
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Preventive
    Approve tested change requests. CC ID 11783
    [Track, review, approve/disapprove, and audit changes to information systems. 3.4.3]
    Operational management Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Operational management Preventive
    Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681
    [Prohibit the use of portable storage devices when such devices have no identifiable owner. 3.8.8]
    System hardening through configuration management Preventive
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464
    [Ensure equipment removed for off-site maintenance is sanitized of any CUI. 3.7.3]
    Records management Preventive
    Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643
    [Sanitize or destroy information system media containing CUI before disposal or release for reuse. 3.8.3]
    Records management Preventive
    Label restricted storage media appropriately. CC ID 00966 Records management Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Preventive
    Protect confidential information during the system development life cycle program. CC ID 13479 Systems design, build, and implementation Preventive
  • Establish Roles
    8
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Preventive
    Include assigned roles and responsibilities in the network access control standard. CC ID 06410 Technical security Preventive
    Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 Technical security Preventive
    Define and assign roles and responsibilities for malicious code protection. CC ID 15474 Technical security Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Physical and environmental protection Preventive
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Human Resources management Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Operational management Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Preventive
  • Establish/Maintain Documentation
    347
    Establish, implement, and maintain an event logging policy. CC ID 15217 Monitoring and measurement Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Monitoring and measurement Corrective
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Monitoring and measurement Preventive
    Review and update the list of auditable events in the event logging procedures. CC ID 10097
    [Review and update audited events. 3.3.3]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Monitoring and measurement Preventive
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Preventive
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Preventive
    Establish, implement, and maintain a log management program. CC ID 00673
    [Limit management of audit functionality to a subset of privileged users. 3.3.9]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Monitoring and measurement Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Monitoring and measurement Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Monitoring and measurement Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Preventive
    Establish, implement, and maintain an audit program. CC ID 00684 Audits and risk management Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Detective
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Audits and risk management Detective
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Add all devices requiring access control to the Access Control List. CC ID 06264 Technical security Preventive
    Include the objects and users subject to access control in the security policy. CC ID 11836 Technical security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Technical security Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Preventive
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Technical security Preventive
    Establish, implement, and maintain access control procedures. CC ID 11663 Technical security Preventive
    Document approving and granting access in the access control log. CC ID 06786
    [{remote access} Authorize wireless access prior to allowing such connections. 3.1.16]
    Technical security Preventive
    Establish, implement, and maintain a Boundary Defense program. CC ID 00544
    [Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. 3.13.1]
    Technical security Preventive
    Establish, implement, and maintain a network access control standard. CC ID 00546 Technical security Preventive
    Include configuration management and rulesets in the network access control standard. CC ID 11845 Technical security Preventive
    Secure the network access control standard against unauthorized changes. CC ID 11920 Technical security Preventive
    Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 Technical security Preventive
    Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 Technical security Preventive
    Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 Technical security Preventive
    Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 Technical security Preventive
    Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 Technical security Preventive
    Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 Technical security Preventive
    Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 Technical security Preventive
    Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 Technical security Preventive
    Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 Technical security Preventive
    Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 Technical security Preventive
    Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 Technical security Preventive
    Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 Technical security Preventive
    Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 Technical security Preventive
    Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 Technical security Preventive
    Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 Technical security Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410
    [Control the flow of CUI in accordance with approved authorizations. 3.1.3]
    Technical security Preventive
    Establish, implement, and maintain a document printing policy. CC ID 14384 Technical security Preventive
    Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 Technical security Preventive
    Establish, implement, and maintain information flow procedures. CC ID 04542
    [Control information posted or processed on publicly accessible information systems. 3.1.22
    Verify and control/limit connections to and use of external information systems. 3.1.20]
    Technical security Preventive
    Establish, implement, and maintain information exchange procedures. CC ID 11782 Technical security Preventive
    Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 Technical security Preventive
    Revoke membership in the whitelist, as necessary. CC ID 13827 Technical security Corrective
    Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780
    [Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. 3.4.8]
    Technical security Preventive
    Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 Technical security Preventive
    Include information security requirements in the remote access and teleworking program. CC ID 15704 Technical security Preventive
    Document and approve requests to bypass multifactor authentication. CC ID 15464 Technical security Preventive
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571
    [Establish and manage cryptographic keys for cryptography employed in the information system. 3.13.10]
    Technical security Preventive
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Technical security Preventive
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Technical security Preventive
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 Technical security Preventive
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Technical security Preventive
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Technical security Preventive
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Technical security Preventive
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Technical security Preventive
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Technical security Preventive
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Technical security Preventive
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Technical security Preventive
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Technical security Preventive
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Technical security Preventive
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Technical security Preventive
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 Technical security Preventive
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 Technical security Preventive
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Technical security Preventive
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Technical security Preventive
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Technical security Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574
    [Provide protection from malicious code at appropriate locations within organizational information systems. 3.14.2]
    Technical security Preventive
    Establish, implement, and maintain malicious code protection procedures. CC ID 15483 Technical security Preventive
    Establish, implement, and maintain a malicious code protection policy. CC ID 15478 Technical security Preventive
    Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 Technical security Corrective
    Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 Technical security Preventive
    Establish, implement, and maintain a shared resources management program. CC ID 07096
    [Prevent unauthorized and unintended information transfer via shared system resources. 3.13.4]
    Technical security Preventive
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [Protect and monitor the physical facility and support infrastructure for those information systems. 3.10.2]
    Physical and environmental protection Preventive
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Physical and environmental protection Preventive
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Physical and environmental protection Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Physical and environmental protection Preventive
    Include identification cards or badges in the physical security program. CC ID 14818 Physical and environmental protection Preventive
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Physical and environmental protection Preventive
    Establish, implement, and maintain floor plans. CC ID 16419 Physical and environmental protection Preventive
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Physical and environmental protection Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Physical and environmental protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637 Physical and environmental protection Preventive
    Establish, implement, and maintain physical access procedures. CC ID 13629 Physical and environmental protection Preventive
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Physical and environmental protection Preventive
    Escort visitors within the facility, as necessary. CC ID 06417
    [Escort visitors and monitor visitor activity. 3.10.3]
    Physical and environmental protection Preventive
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Preventive
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Preventive
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Physical and environmental protection Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Corrective
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Preventive
    Include information security in the identification issuance procedures. CC ID 15425 Physical and environmental protection Preventive
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Physical and environmental protection Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Preventive
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Preventive
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Preventive
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Preventive
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748
    [Control and manage physical access devices. 3.10.5]
    Physical and environmental protection Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Physical and environmental protection Preventive
    Establish, implement, and maintain a window security standard. CC ID 06689 Physical and environmental protection Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Physical and environmental protection Preventive
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Physical and environmental protection Preventive
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 Physical and environmental protection Preventive
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Physical and environmental protection Preventive
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Physical and environmental protection Preventive
    Establish, implement, and maintain a camera operating policy. CC ID 15456 Physical and environmental protection Preventive
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Physical and environmental protection Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Physical and environmental protection Preventive
    Establish, implement, and maintain a physical access log. CC ID 12080
    [Maintain audit logs of physical access. 3.10.4]
    Physical and environmental protection Preventive
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Physical and environmental protection Preventive
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Physical and environmental protection Preventive
    Establish, implement, and maintain storage media access control procedures. CC ID 00959
    [Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital. 3.8.1
    Limit access to CUI on information system media to authorized users. 3.8.2]
    Physical and environmental protection Preventive
    Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 Physical and environmental protection Preventive
    Establish, implement, and maintain mobile device security guidelines. CC ID 04723
    [Control connection of mobile devices. 3.1.18]
    Physical and environmental protection Preventive
    Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 Physical and environmental protection Preventive
    Include legal requirements in the mobile device security guidelines. CC ID 12291 Physical and environmental protection Preventive
    Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 Physical and environmental protection Preventive
    Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 Physical and environmental protection Preventive
    Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 Physical and environmental protection Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Preventive
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Preventive
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549
    [Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers. 3.9.2]
    Human Resources management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Human Resources management Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Human Resources management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Preventive
    Establish, implement, and maintain operational control procedures. CC ID 00831 Operational management Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583
    [Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. 3.13.14]
    Operational management Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749
    [Control and monitor user-installed software. 3.4.9]
    Operational management Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Operational management Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Operational management Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Operational management Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Operational management Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Operational management Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Operational management Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Operational management Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Operational management Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Operational management Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Operational management Preventive
    Include software in the Information Technology inventory. CC ID 00692 Operational management Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Operational management Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Operational management Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Operational management Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Operational management Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Operational management Preventive
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Operational management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Preventive
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Preventive
    Record the software version in the asset inventory. CC ID 12196 Operational management Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Operational management Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Operational management Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Operational management Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Operational management Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Operational management Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Operational management Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Preventive
    Establish, implement, and maintain an incident management policy. CC ID 16414 Operational management Preventive
    Define the uses and capabilities of the Incident Management program. CC ID 00854 Operational management Preventive
    Include incident escalation procedures in the Incident Management program. CC ID 00856
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Preventive
    Define the characteristics of the Incident Management program. CC ID 00855 Operational management Preventive
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Operational management Preventive
    Include the criteria for an incident in the Incident Management program. CC ID 12173 Operational management Preventive
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Operational management Preventive
    Include detection procedures in the Incident Management program. CC ID 00588 Operational management Preventive
    Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 Operational management Preventive
    Document the incident and any relevant evidence in the incident report. CC ID 08659
    [Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. 3.6.2]
    Operational management Detective
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Operational management Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Operational management Detective
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Operational management Detective
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Corrective
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Preventive
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Operational management Preventive
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Preventive
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Operational management Preventive
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Corrective
    Include information required by law in incident response notifications. CC ID 00802 Operational management Detective
    Title breach notifications "Notice of Data Breach". CC ID 12977 Operational management Preventive
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Operational management Preventive
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Operational management Preventive
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Operational management Preventive
    Use plain language to write incident response notifications. CC ID 12976 Operational management Preventive
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Operational management Preventive
    Include the affected parties' rights in the incident response notification. CC ID 16811 Operational management Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Operational management Preventive
    Include time information in incident response notifications. CC ID 04745 Operational management Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Operational management Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735 Operational management Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Operational management Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Operational management Preventive
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Operational management Preventive
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Operational management Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Operational management Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Operational management Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Preventive
    Include any consequences in the incident response notifications. CC ID 12604 Operational management Preventive
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Operational management Preventive
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Operational management Preventive
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Operational management Detective
    Include contact information in incident response notifications. CC ID 04739 Operational management Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Preventive
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Operational management Preventive
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Preventive
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Preventive
    Include response times in the containment strategy. CC ID 13485 Operational management Preventive
    Include incident recovery procedures in the Incident Management program. CC ID 01758
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Corrective
    Establish, implement, and maintain a restoration log. CC ID 12745 Operational management Preventive
    Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 Operational management Preventive
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Preventive
    Update the incident response procedures using the lessons learned. CC ID 01233 Operational management Preventive
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Preventive
    Include incident response procedures in the Incident Management program. CC ID 01218 Operational management Preventive
    Include incident management procedures in the Incident Management program. CC ID 12689 Operational management Preventive
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 Operational management Corrective
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Preventive
    Include after-action analysis procedures in the Incident Management program. CC ID 01219
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Preventive
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Operational management Preventive
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Operational management Preventive
    Log incidents in the Incident Management audit log. CC ID 00857
    [Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. 3.6.2]
    Operational management Preventive
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Preventive
    Include emergency processing priorities in the Incident Management program. CC ID 00859 Operational management Preventive
    Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 Operational management Preventive
    Include incident record closure procedures in the Incident Management program. CC ID 01620 Operational management Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. 3.6.2]
    Operational management Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Operational management Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Operational management Preventive
    Include business recovery procedures in the Incident Response program. CC ID 11774
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Preventive
    Establish, implement, and maintain a change control program. CC ID 00886
    [Track, review, approve/disapprove, and audit changes to information systems. 3.4.3]
    Operational management Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Operational management Preventive
    Include version control in the change control program. CC ID 13119 Operational management Preventive
    Include service design and transition in the change control program. CC ID 13920 Operational management Preventive
    Establish, implement, and maintain a back-out plan. CC ID 13623 Operational management Preventive
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Operational management Preventive
    Approve back-out plans, as necessary. CC ID 13627 Operational management Corrective
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Operational management Preventive
    Establish and maintain a change request approver list. CC ID 06795 Operational management Preventive
    Document all change requests in change request forms. CC ID 06794
    [Track, review, approve/disapprove, and audit changes to information systems. 3.4.3]
    Operational management Preventive
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Operational management Preventive
    Log emergency changes after they have been performed. CC ID 12733 Operational management Preventive
    Provide audit trails for all approved changes. CC ID 13120 Operational management Preventive
    Document the sources of all software updates. CC ID 13316 Operational management Preventive
    Establish, implement, and maintain a patch management policy. CC ID 16432 Operational management Preventive
    Establish, implement, and maintain patch management procedures. CC ID 15224 Operational management Preventive
    Establish, implement, and maintain a patch log. CC ID 01642 Operational management Preventive
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Preventive
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Operational management Detective
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Operational management Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Preventive
    Document approved configuration deviations. CC ID 08711 Operational management Corrective
    Establish, implement, and maintain a Configuration Management program. CC ID 00867 System hardening through configuration management Preventive
    Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862
    [Establish and enforce security configuration settings for information technology products employed in organizational information systems. 3.4.2
    Employ the principle of least functionality by configuring the information system to provide only essential capabilities. 3.4.6
    Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. 3.4.1]
    System hardening through configuration management Preventive
    Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 System hardening through configuration management Preventive
    Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 System hardening through configuration management Preventive
    Include the applied security patches in the baseline configuration. CC ID 13271 System hardening through configuration management Preventive
    Include the installed application software and version numbers in the baseline configuration. CC ID 13270 System hardening through configuration management Preventive
    Include installed custom software in the baseline configuration. CC ID 13274 System hardening through configuration management Preventive
    Include network ports in the baseline configuration. CC ID 13273 System hardening through configuration management Preventive
    Include the operating systems and version numbers in the baseline configuration. CC ID 13269 System hardening through configuration management Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Preventive
    Establish, implement, and maintain an authenticator standard. CC ID 01702 System hardening through configuration management Preventive
    Establish, implement, and maintain an authenticator management system. CC ID 12031 System hardening through configuration management Preventive
    Establish, implement, and maintain authenticator procedures. CC ID 12002 System hardening through configuration management Preventive
    Configure the "kernel arguments" setting for "auditing early in the boot process" to organizational standards. CC ID 08749 System hardening through configuration management Preventive
    Configure the "record date and time modification events" setting for "auditing" to organizational standards. CC ID 08750 System hardening through configuration management Preventive
    Configure the "record user/group information modification events" setting for "auditing" to organizational standards. CC ID 08751 System hardening through configuration management Preventive
    Configure the "record changes to the system network environment" setting for "auditing" to organizational standards. CC ID 08752 System hardening through configuration management Preventive
    Configure the "record changes to the system's mandatory access controls" setting for "auditing" to organizational standards. CC ID 08753 System hardening through configuration management Preventive
    Configure the "record logon and logout events" setting for "auditing" to organizational standards. CC ID 08754 System hardening through configuration management Preventive
    Configure the "record process and session initiation events" setting for "auditing" to organizational standards. CC ID 08755 System hardening through configuration management Preventive
    Configure the "record changes to discretionary access control permissions" setting for "auditing" to organizational standards. CC ID 08756 System hardening through configuration management Preventive
    Configure the "record unauthorized attempts to access files" setting for "auditing" to organizational standards. CC ID 08757 System hardening through configuration management Preventive
    Configure the "record use of privileged commands" setting for "auditing" to organizational standards. CC ID 08758 System hardening through configuration management Preventive
    Configure the "record data export to media events" setting for "auditing" to organizational standards. CC ID 08759 System hardening through configuration management Preventive
    Configure the "record file and program deletion events" setting for "auditing" to organizational standards. CC ID 08760 System hardening through configuration management Preventive
    Configure the "record administrator and security personnel action events" setting for "auditing" to organizational standards. CC ID 08761 System hardening through configuration management Preventive
    Configure the "record kernel module loading and unloading events" setting for "auditing" to organizational standards. CC ID 08762 System hardening through configuration management Preventive
    Configure the "Ensure auditd configuration is immutable" setting for "auditing" to organizational standards. CC ID 08763 System hardening through configuration management Preventive
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Detective
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 Records management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Preventive
    Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 Records management Preventive
    Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926
    [Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital. 3.8.1]
    Records management Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Records management Preventive
    Establish, implement, and maintain security label procedures. CC ID 06747
    [Mark media with necessary CUI markings and distribution limitations. 3.8.4]
    Records management Preventive
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Records management Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Preventive
  • Human Resources Management
    19
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Monitoring and measurement Detective
    Define roles for information systems. CC ID 12454 Technical security Preventive
    Define access needs for each role assigned to an information system. CC ID 12455 Technical security Preventive
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Technical security Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Preventive
    Perform security clearance procedures, as necessary. CC ID 06644
    [Screen individuals prior to authorizing access to information systems containing CUI. 3.9.1]
    Human Resources management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources management Preventive
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources management Preventive
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources management Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources management Corrective
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources management Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources management Detective
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Preventive
    Define and assign the roles and responsibilities for the Incident Management program. CC ID 13055 Operational management Preventive
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Operational management Corrective
  • IT Impact Zone
    10
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
  • Investigate
    15
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Monitoring and measurement Corrective
    Rank discovered vulnerabilities. CC ID 11940 Monitoring and measurement Detective
    Scan for malicious code, as necessary. CC ID 11941
    [Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. 3.14.5]
    Technical security Detective
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Detective
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Physical and environmental protection Detective
    Identify root causes of incidents that force system changes. CC ID 13482 Operational management Detective
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Operational management Detective
    Analyze the incident response process following an incident response. CC ID 13179 Operational management Detective
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Operational management Preventive
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Operational management Detective
    Identify the affected parties during incident investigations. CC ID 16781 Operational management Detective
    Interview suspects during incident investigations, as necessary. CC ID 14041 Operational management Detective
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Operational management Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Detective
  • Log Management
    84
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Detective
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638
    [Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. 3.3.1]
    Monitoring and measurement Detective
    Establish, implement, and maintain event logging procedures. CC ID 01335 Monitoring and measurement Detective
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 Monitoring and measurement Preventive
    Protect the event logs from failure. CC ID 06290 Monitoring and measurement Preventive
    Review and update event logs and audit logs, as necessary. CC ID 00596 Monitoring and measurement Detective
    Eliminate false positives in event logs and audit logs. CC ID 07047 Monitoring and measurement Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Monitoring and measurement Detective
    Reproduce the event log if a log failure is captured. CC ID 01426 Monitoring and measurement Preventive
    Enable logging for all systems that meet a traceability criteria. CC ID 00640 Monitoring and measurement Detective
    Analyze firewall logs for the correct capturing of data. CC ID 00549 Monitoring and measurement Detective
    Define the frequency to capture and log events. CC ID 06313 Monitoring and measurement Preventive
    Include logging frequencies in the event logging procedures. CC ID 00642 Monitoring and measurement Preventive
    Restrict access to logs to authorized individuals. CC ID 01342 Monitoring and measurement Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Monitoring and measurement Preventive
    Back up logs according to backup procedures. CC ID 01344 Monitoring and measurement Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Monitoring and measurement Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Monitoring and measurement Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Monitoring and measurement Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Monitoring and measurement Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Monitoring and measurement Preventive
    Protect logs from unauthorized activity. CC ID 01345
    [Protect audit information and audit tools from unauthorized access, modification, and deletion. 3.3.8]
    Monitoring and measurement Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Monitoring and measurement Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Monitoring and measurement Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Monitoring and measurement Preventive
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Technical security Preventive
    Establish and maintain a visitor log. CC ID 00715 Physical and environmental protection Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Physical and environmental protection Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Physical and environmental protection Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Physical and environmental protection Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Physical and environmental protection Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Physical and environmental protection Preventive
    Log when the vault is accessed. CC ID 06725 Physical and environmental protection Detective
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Detective
    Store facility access logs in off-site storage. CC ID 06958 Physical and environmental protection Preventive
    Log the transfer of removable storage media. CC ID 12322 Physical and environmental protection Preventive
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Operational management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Detective
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Preventive
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Operational management Corrective
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Operational management Preventive
    Provide the reference database used to verify input data in the logging capability. CC ID 15018 System hardening through configuration management Preventive
    Configure the log to capture audit log initialization, along with auditable event selection. CC ID 00649 System hardening through configuration management Detective
    Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 System hardening through configuration management Detective
    Configure the log to capture the information referent when personal data is being accessed. CC ID 11968 System hardening through configuration management Detective
    Configure the log to capture each auditable event's origination. CC ID 01338 System hardening through configuration management Detective
    Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 System hardening through configuration management Preventive
    Configure the log to capture startups and shutdowns. CC ID 16491 System hardening through configuration management Preventive
    Configure the log to capture user queries and searches. CC ID 16479 System hardening through configuration management Preventive
    Configure the log to capture Internet Protocol addresses. CC ID 16495 System hardening through configuration management Preventive
    Configure the log to capture error messages. CC ID 16477 System hardening through configuration management Preventive
    Configure the log to capture system failures. CC ID 16475 System hardening through configuration management Preventive
    Configure the log to capture all malicious code that has been discovered, quarantined, and/or eradicated. CC ID 00577 System hardening through configuration management Detective
    Capture successful operating system access and successful software access. CC ID 00527 System hardening through configuration management Detective
    Configure the log to capture hardware and software access attempts. CC ID 01220 System hardening through configuration management Detective
    Configure the log to capture logons, logouts, logon attempts, and logout attempts. CC ID 01915 System hardening through configuration management Detective
    Configure the log to capture access to restricted data or restricted information. CC ID 00644 System hardening through configuration management Detective
    Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645
    [Prevent non-privileged users from executing privileged functions and audit the execution of such functions. 3.1.7]
    System hardening through configuration management Detective
    Configure the log to capture identification and authentication mechanism use. CC ID 00648 System hardening through configuration management Detective
    Configure the log to capture all access to the audit trail. CC ID 00646 System hardening through configuration management Detective
    Configure the log to capture Object access to key directories or key files. CC ID 01697 System hardening through configuration management Detective
    Configure the log to capture both access and access attempts to security-relevant objects and security-relevant directories. CC ID 01916 System hardening through configuration management Detective
    Configure the log to capture system level object creation and deletion. CC ID 00650 System hardening through configuration management Detective
    Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 System hardening through configuration management Detective
    Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 System hardening through configuration management Preventive
    Configure the log to capture user authenticator changes. CC ID 01917 System hardening through configuration management Detective
    Enable or disable NFS server logging, as appropriate. CC ID 05593 System hardening through configuration management Detective
    Log Pluggable Authentication Modules access at an appropriate level. CC ID 05599 System hardening through configuration management Detective
    Enable or disable the logging of "martian" packets (impossible addresses), as appropriate. CC ID 05601 System hardening through configuration management Detective
    Enable or disable dhcpd logging, as appropriate. CC ID 05602 System hardening through configuration management Detective
    Enable or disable attempted stack exploit logging, as appropriate. CC ID 05614 System hardening through configuration management Detective
    Enable or disable the debug logging option, as appropriate. CC ID 05617 System hardening through configuration management Detective
    Enable or disable the logging of vsftpd transactions, as appropriate. CC ID 06032 System hardening through configuration management Detective
    Configure the log to send alerts for each auditable event's success or failure. CC ID 01337 System hardening through configuration management Preventive
    Verify auditing is logged to an appropriate directory. CC ID 05603 System hardening through configuration management Detective
    Enable or disable the /var/log/authlog log, as appropriate. CC ID 05606 System hardening through configuration management Detective
    Enable or disable the /var/log/syslog log, as appropriate. CC ID 05607 System hardening through configuration management Detective
    Enable or disable the /var/adm/messages log, as appropriate. CC ID 05608 System hardening through configuration management Detective
    Enable or disable the /var/adm/sulog log, as appropriate. CC ID 05609 System hardening through configuration management Detective
    Enable or disable the /var/adm/utmp(x) log, as appropriate. CC ID 05610 System hardening through configuration management Detective
    Enable or disable the /var/adm/wtmp(x) log, as appropriate. CC ID 05611 System hardening through configuration management Detective
    Enable or disable the /var/adm/sshlog log, as appropriate. CC ID 05612 System hardening through configuration management Detective
    Enable or disable the /var/log/pamlog log, as appropriate. CC ID 05613 System hardening through configuration management Detective
    Perform filesystem logging and filesystem journaling. CC ID 05615 System hardening through configuration management Detective
  • Maintenance
    5
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Preventive
    Restart systems on a periodic basis. CC ID 16498 Operational management Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Preventive
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Operational management Preventive
  • Monitor and Evaluate Occurrences
    34
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585
    [Monitor information system security alerts and advisories and take appropriate actions in response. 3.14.3
    Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. 3.14.6]
    Monitoring and measurement Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitoring and measurement Detective
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitoring and measurement Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitoring and measurement Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitoring and measurement Detective
    Detect unauthorized access to systems. CC ID 06798
    [Identify unauthorized use of the information system. 3.14.7]
    Monitoring and measurement Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitoring and measurement Detective
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitoring and measurement Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitoring and measurement Detective
    Monitor systems for unauthorized mobile code. CC ID 10034
    [Control and monitor the use of mobile code. 3.13.13]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems. 3.12.2]
    Monitoring and measurement Detective
    Include monitoring in the corrective action plan. CC ID 11645 Monitoring and measurement Detective
    Enforce information flow control. CC ID 11781 Technical security Preventive
    Create a full text analysis on executed privileged functions. CC ID 06778 Technical security Detective
    Monitor and evaluate all remote access usage. CC ID 00563
    [Monitor and control remote access sessions. 3.1.12]
    Technical security Detective
    Log and react to all malicious code activity. CC ID 07072 Technical security Detective
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747
    [Supervise the maintenance activities of maintenance personnel without required access authorization. 3.7.6]
    Physical and environmental protection Preventive
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Physical and environmental protection Detective
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Physical and environmental protection Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Physical and environmental protection Detective
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Physical and environmental protection Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Physical and environmental protection Detective
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Operational management Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Operational management Corrective
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Operational management Corrective
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Detective
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Detective
    Respond to and triage when an incident is detected. CC ID 06942 Operational management Detective
    Escalate incidents, as necessary. CC ID 14861 Operational management Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Operational management Corrective
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Operational management Detective
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Operational management Preventive
  • Physical and Environmental Protection
    62
    Protect the facility from crime. CC ID 06347 Physical and environmental protection Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and environmental protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Detective
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and environmental protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and environmental protection Preventive
    Create security zones in facilities, as necessary. CC ID 16295 Physical and environmental protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and environmental protection Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and environmental protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and environmental protection Preventive
    Maintain all security alarm systems. CC ID 11669 Physical and environmental protection Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and environmental protection Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Preventive
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and environmental protection Corrective
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Preventive
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and environmental protection Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and environmental protection Preventive
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and environmental protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and environmental protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and environmental protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and environmental protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and environmental protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and environmental protection Preventive
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and environmental protection Preventive
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and environmental protection Preventive
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and environmental protection Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and environmental protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and environmental protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Detective
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and environmental protection Preventive
    Monitor physical entry point alarms. CC ID 01639 Physical and environmental protection Detective
    Build and maintain fencing, as necessary. CC ID 02235 Physical and environmental protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and environmental protection Preventive
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and environmental protection Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and environmental protection Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and environmental protection Preventive
    Restrict physical access to distributed assets. CC ID 11865
    [Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. 3.10.1]
    Physical and environmental protection Preventive
    House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 Physical and environmental protection Preventive
    Protect electronic storage media with physical access controls. CC ID 00720 Physical and environmental protection Preventive
    Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 Physical and environmental protection Preventive
    Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 Physical and environmental protection Preventive
    Protect the combinations for all combination locks. CC ID 02199 Physical and environmental protection Preventive
    Establish and maintain eavesdropping protection for vaults. CC ID 02231 Physical and environmental protection Preventive
    Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 Physical and environmental protection Preventive
    Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 Physical and environmental protection Preventive
    Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 Physical and environmental protection Preventive
    Conduct environmental surveys. CC ID 00690 Operational management Preventive
    Control and monitor all maintenance tools. CC ID 01432
    [Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. 3.7.2]
    Operational management Detective
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Operational management Preventive
  • Process or Activity
    22
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Preventive
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Technical security Preventive
    Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 Technical security Detective
    Update application layer firewalls to the most current version. CC ID 12037 Technical security Preventive
    Assign virtual escorting to authorized personnel. CC ID 16440 Technical security Preventive
    Remove malware when malicious code is discovered. CC ID 13691 Technical security Corrective
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Operational management Preventive
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Corrective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Operational management Corrective
    Contain the incident to prevent further loss. CC ID 01751 Operational management Corrective
    Revoke the written request to delay the notification. CC ID 16843 Operational management Preventive
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Preventive
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Preventive
    Conduct incident investigations, as necessary. CC ID 13826 Operational management Detective
    Perform emergency changes, as necessary. CC ID 12707 Operational management Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Detective
    Establish, implement, and maintain a patch management program. CC ID 00896
    [Identify, report, and correct information and information system flaws in a timely manner. 3.14.1]
    Operational management Preventive
  • Records Management
    11
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Monitoring and measurement Preventive
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Technical security Preventive
    Retain video events according to Records Management procedures. CC ID 06304 Physical and environmental protection Preventive
    Control the transiting and internal distribution or external distribution of assets. CC ID 00963 Physical and environmental protection Preventive
    Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 Physical and environmental protection Preventive
    Treat archive media as evidence. CC ID 00960 Physical and environmental protection Preventive
    Control the storage of restricted storage media. CC ID 00965 Physical and environmental protection Preventive
    Include source code in the asset inventory. CC ID 14858 Operational management Preventive
    Establish, implement, and maintain incident management audit logs. CC ID 13514 Operational management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Detective
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 Records management Preventive
  • Systems Continuity
    3
    Back up audit trails according to backup procedures. CC ID 11642 Monitoring and measurement Preventive
    Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 Operational and Systems Continuity Preventive
    Protect backup systems and restoration systems at the alternate facility. CC ID 04883
    [Protect the confidentiality of backup CUI at storage locations. 3.8.9]
    Operational and Systems Continuity Preventive
  • Systems Design, Build, and Implementation
    6
    Implement gateways between security domains. CC ID 16493 Technical security Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Operational management Preventive
    Validate the system before implementing approved changes. CC ID 01510
    [Track, review, approve/disapprove, and audit changes to information systems. 3.4.3]
    Operational management Preventive
    Establish, implement, and maintain traceability documentation. CC ID 16388 Operational management Preventive
    Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 Systems design, build, and implementation Preventive
    Include information security throughout the system development life cycle. CC ID 12042
    [Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems. 3.13.2]
    Systems design, build, and implementation Preventive
  • Technical Security
    132
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Monitoring and measurement Detective
    Perform vulnerability scans, as necessary. CC ID 11637
    [Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified. 3.11.2]
    Monitoring and measurement Detective
    Identify and document security vulnerabilities. CC ID 11857 Monitoring and measurement Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Monitoring and measurement Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Monitoring and measurement Detective
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Monitoring and measurement Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Monitoring and measurement Detective
    Implement scanning tools, as necessary. CC ID 14282 Monitoring and measurement Detective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Monitoring and measurement Detective
    Perform external vulnerability scans, as necessary. CC ID 11624 Monitoring and measurement Detective
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Monitoring and measurement Detective
    Deploy log normalization tools, as necessary. CC ID 12141 Monitoring and measurement Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Monitoring and measurement Preventive
    Identify information system users. CC ID 12081
    [Identify information system users, processes acting on behalf of users, or devices. 3.5.1]
    Technical security Detective
    Review user accounts. CC ID 00525 Technical security Detective
    Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082
    [Identify information system users, processes acting on behalf of users, or devices. 3.5.1]
    Technical security Detective
    Review shared accounts. CC ID 11840 Technical security Detective
    Control access rights to organizational assets. CC ID 00004
    [Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). 3.1.1]
    Technical security Preventive
    Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical security Preventive
    Define access needs for each system component of an information system. CC ID 12456 Technical security Preventive
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical security Preventive
    Establish access rights based on least privilege. CC ID 01411
    [Limit information system access to the types of transactions and functions that authorized users are permitted to execute. 3.1.2
    Employ the principle of least privilege, including for specific security functions and privileged accounts. 3.1.5]
    Technical security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Preventive
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412
    [Limit unsuccessful logon attempts. 3.1.8]
    Technical security Preventive
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical security Preventive
    Establish session authenticity through Transport Layer Security. CC ID 01627
    [Protect the authenticity of communications sessions. 3.13.15]
    Technical security Preventive
    Include all system components in the access control system. CC ID 11939 Technical security Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical security Preventive
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical security Preventive
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical security Preventive
    Enforce access restrictions for change control. CC ID 01428
    [{physical access restriction} Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system. 3.4.5]
    Technical security Preventive
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical security Preventive
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical security Preventive
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical security Preventive
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical security Preventive
    Establish, implement, and maintain User Access Management procedures. CC ID 00514 Technical security Preventive
    Remove inactive user accounts, as necessary. CC ID 00517
    [Disable identifiers after a defined period of inactivity. 3.5.6]
    Technical security Corrective
    Include digital identification procedures in the access control program. CC ID 11841 Technical security Preventive
    Identify and control all network access controls. CC ID 00529 Technical security Preventive
    Manage all external network connections. CC ID 11842 Technical security Preventive
    Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 Technical security Preventive
    Segregate systems in accordance with organizational standards. CC ID 12546 Technical security Preventive
    Implement resource-isolation mechanisms in organizational networks. CC ID 16438 Technical security Preventive
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 Technical security Preventive
    Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 Technical security Preventive
    Design Demilitarized Zones with proper isolation rules. CC ID 00532 Technical security Preventive
    Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 Technical security Preventive
    Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 Technical security Preventive
    Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 Technical security Preventive
    Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 Technical security Preventive
    Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 Technical security Preventive
    Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 Technical security Preventive
    Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 Technical security Corrective
    Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 Technical security Preventive
    Protect the firewall's network connection interfaces. CC ID 01955 Technical security Preventive
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical security Preventive
    Configure firewall filtering to only permit established connections into the network. CC ID 12482 Technical security Preventive
    Review and approve information exchange system connections. CC ID 07143 Technical security Preventive
    Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 Technical security Preventive
    Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 Technical security Preventive
    Block uncategorized sites using URL filtering. CC ID 12140 Technical security Preventive
    Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 Technical security Detective
    Enforce privileged accounts and non-privileged accounts for system access. CC ID 00558
    [Use non-privileged accounts or roles when accessing nonsecurity functions. 3.1.6
    Prevent non-privileged users from executing privileged functions and audit the execution of such functions. 3.1.7]
    Technical security Preventive
    Separate user functionality from system management functionality. CC ID 11858
    [Separate user functionality from information system management functionality. 3.13.3]
    Technical security Preventive
    Control all methods of remote access and teleworking. CC ID 00559
    [Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites). 3.10.6]
    Technical security Preventive
    Refrain from allowing remote users to copy files to remote devices. CC ID 06792 Technical security Preventive
    Control remote access through a network access control. CC ID 01421
    [Authorize remote execution of privileged commands and remote access to security-relevant information. 3.1.15
    Route remote access via managed access control points. 3.1.14]
    Technical security Preventive
    Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 Technical security Preventive
    Employ multifactor authentication for remote access to the organization's network. CC ID 12505 Technical security Preventive
    Implement phishing-resistant multifactor authentication techniques. CC ID 16541 Technical security Preventive
    Limit the source addresses from which remote administration is performed. CC ID 16393 Technical security Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570 Technical security Preventive
    Bind keys to each identity. CC ID 12337 Technical security Preventive
    Generate unique cryptographic keys for each user. CC ID 12169 Technical security Preventive
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical security Preventive
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical security Preventive
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical security Preventive
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical security Preventive
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 Technical security Preventive
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical security Preventive
    Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564
    [Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. 3.13.8
    Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. 3.13.11]
    Technical security Preventive
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical security Preventive
    Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 Technical security Preventive
    Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 Technical security Preventive
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical security Preventive
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical security Preventive
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical security Preventive
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical security Preventive
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical security Preventive
    Install and maintain container security solutions. CC ID 16178 Technical security Preventive
    Protect the system against replay attacks. CC ID 04552
    [{privileged accounts} Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. 3.5.4]
    Technical security Preventive
    Analyze the behavior and characteristics of the malicious code. CC ID 10672 Technical security Detective
    Incorporate the malicious code analysis into the patch management program. CC ID 10673 Technical security Corrective
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Physical and environmental protection Preventive
    Secure unissued access mechanisms. CC ID 06713 Physical and environmental protection Preventive
    Change cipher lock codes, as necessary. CC ID 06651 Physical and environmental protection Preventive
    Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768
    [Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. 3.13.12]
    Physical and environmental protection Preventive
    Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647
    [Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. 3.13.12]
    Physical and environmental protection Preventive
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Human Resources management Corrective
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 Human Resources management Corrective
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 Human Resources management Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Operational management Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Detective
    Control remote maintenance according to the system's asset classification. CC ID 01433 Operational management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083
    [Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. 3.7.5]
    Operational management Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Preventive
    Categorize the incident following an incident response. CC ID 13208 Operational management Preventive
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Corrective
    Refrain from accessing compromised systems. CC ID 01752 Operational management Corrective
    Isolate compromised systems from the network. CC ID 01753 Operational management Corrective
    Change authenticators after a security incident has been detected. CC ID 06789 Operational management Corrective
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Operational management Corrective
    Re-image compromised systems with secure builds. CC ID 12086 Operational management Corrective
    Integrate configuration management procedures into the incident management program. CC ID 13647 Operational management Preventive
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Operational management Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Operational management Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Operational management Corrective
    Integrate configuration management procedures into the change control program. CC ID 13646 Operational management Preventive
    Implement patch management software, as necessary. CC ID 12094 Operational management Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Operational management Preventive
    Review the patch log for missing patches. CC ID 13186 Operational management Detective
    Patch software. CC ID 11825 Operational management Corrective
    Patch the operating system, as necessary. CC ID 11824 Operational management Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Operational management Detective
    Refrain from using assertion lifetimes to limit each session. CC ID 13871 System hardening through configuration management Preventive
    Establish, implement, and maintain authenticators. CC ID 15305 System hardening through configuration management Preventive
    Configure the log to capture all URL requests. CC ID 12138 System hardening through configuration management Detective
    Establish, implement, and maintain online storage controls. CC ID 00942 Records management Preventive
    Provide encryption for different types of electronic storage media. CC ID 00945
    [Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. 3.8.6]
    Records management Preventive
  • Testing
    34
    IMPACT ZONE    CLASS
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427
    [Provide audit reduction and report generation to support on-demand analysis and reporting. 3.3.6]
    Monitoring and measurement Preventive
    Repeat vulnerability scanning, as necessary. CC ID 11646
    [Remediate vulnerabilities in accordance with assessments of risk. 3.11.3]
    Monitoring and measurement Detective
    Perform internal vulnerability scans, as necessary. CC ID 00656 Monitoring and measurement Detective
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Monitoring and measurement Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Detective
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application. 3.12.1
    Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls. 3.12.3]
    Audits and risk management Detective
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI. 3.11.1]
    Audits and risk management Preventive
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Technical security Detective
    Authenticate user identities before unlocking an account. CC ID 11837
    [Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. 3.5.2]
    Technical security Detective
    Configure firewalls to perform dynamic packet filtering. CC ID 01288 Technical security Detective
    Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 Technical security Detective
    Test cryptographic key management applications, as necessary. CC ID 04829 Technical security Detective
    Implement non-repudiation for transactions. CC ID 00567 Technical security Detective
    Test all removable storage media for viruses and malicious code. CC ID 11861
    [Check media containing diagnostic and test programs for malicious code before the media are used in the information system. 3.7.4]
    Technical security Detective
    Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 Technical security Detective
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Physical and environmental protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Physical and environmental protection Preventive
    Test locks for physical security vulnerabilities. CC ID 04880 Physical and environmental protection Detective
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 Human Resources management Detective
    Implement segregation of duties in roles and responsibilities. CC ID 00774
    [Separate the duties of individuals to reduce the risk of malevolent activity without collusion. 3.1.4]
    Human Resources management Detective
    Conduct maintenance with authorized personnel. CC ID 01434
    [Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. 3.7.2]
    Operational management Detective
    Assess all incidents to determine what information was accessed. CC ID 01226 Operational management Corrective
    Test incident monitoring procedures. CC ID 13194 Operational management Detective
    Test the incident response procedures. CC ID 01216
    [Test the organizational incident response capability. 3.6.3]
    Operational management Detective
    Test proposed changes prior to their approval. CC ID 00548 Operational management Detective
    Perform risk assessments prior to approving change requests. CC ID 00888
    [Analyze the security impact of changes prior to implementation. 3.4.4]
    Operational management Preventive
    Perform a patch test prior to deploying a patch. CC ID 00898 Operational management Detective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Detective
    Review changes to computer firmware. CC ID 12226 Operational management Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Operational management Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Operational management Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Operational management Detective
    Configure security and protection software to check for up-to-date signature files. CC ID 00576
    [Update malicious code protection mechanisms when new releases are available. 3.14.4]
    System hardening through configuration management Detective
  • Training
    1
    IMPACT ZONE    CLASS
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Preventive
Common Controls and mandates by Classification
120 Mandated Controls    105 Implied Controls    1350 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
1575 Total
  • Corrective
    75
    IMPACT ZONE    TYPE
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Monitoring and measurement Establish/Maintain Documentation
    Eliminate false positives in event logs and audit logs. CC ID 07047 Monitoring and measurement Log Management
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Monitoring and measurement Investigate
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Monitoring and measurement Configuration
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Monitoring and measurement Behavior
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Communicate
    Remove inactive user accounts, as necessary. CC ID 00517
    [Disable identifiers after a defined period of inactivity. 3.5.6]
    Technical security Technical Security
    Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 Technical security Technical Security
    Revoke membership in the whitelist, as necessary. CC ID 13827 Technical security Establish/Maintain Documentation
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Technical security Data and Information Management
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Technical security Data and Information Management
    Remove malware when malicious code is discovered. CC ID 13691 Technical security Process or Activity
    Notify interested personnel and affected parties when malware is detected. CC ID 13689 Technical security Communicate
    Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 Technical security Establish/Maintain Documentation
    Incorporate the malicious code analysis into the patch management program. CC ID 10673 Technical security Technical Security
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and environmental protection Physical and Environmental Protection
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Establish/Maintain Documentation
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Human Resources management Technical Security
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 Human Resources management Technical Security
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Human Resources management Data and Information Management
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources management Human Resources Management
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Operational management Monitor and Evaluate Occurrences
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Operational management Monitor and Evaluate Occurrences
    Determine the incident severity level when assessing the security incidents. CC ID 01650 Operational management Monitor and Evaluate Occurrences
    Escalate incidents, as necessary. CC ID 14861 Operational management Monitor and Evaluate Occurrences
    Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 Operational management Process or Activity
    Respond to all alerts from security systems in a timely manner. CC ID 06434
    [Monitor information system security alerts and advisories and take appropriate actions in response. 3.14.3]
    Operational management Behavior
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 Operational management Process or Activity
    Contain the incident to prevent further loss. CC ID 01751 Operational management Process or Activity
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Technical Security
    Refrain from accessing compromised systems. CC ID 01752 Operational management Technical Security
    Isolate compromised systems from the network. CC ID 01753 Operational management Technical Security
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Operational management Log Management
    Change authenticators after a security incident has been detected. CC ID 06789 Operational management Technical Security
    Assess all incidents to determine what information was accessed. CC ID 01226 Operational management Testing
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Operational management Monitor and Evaluate Occurrences
    Share incident information with interested personnel and affected parties. CC ID 01212 Operational management Data and Information Management
    Share data loss event information with the media. CC ID 01759 Operational management Behavior
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Establish/Maintain Documentation
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Data and Information Management
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Behavior
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Behavior
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Operational management Behavior
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Establish/Maintain Documentation
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Communicate
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Business Processes
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Operational management Behavior
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Operational management Behavior
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Operational management Behavior
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Operational management Behavior
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Operational management Behavior
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Operational management Behavior
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Communicate
    Include incident recovery procedures in the Incident Management program. CC ID 01758
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Establish/Maintain Documentation
    Change wireless access variables after a data loss event has been detected. CC ID 01756 Operational management Technical Security
    Eradicate the cause of the incident after the incident has been contained. CC ID 01757 Operational management Business Processes
    Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 Operational management Human Resources Management
    Re-image compromised systems with secure builds. CC ID 12086 Operational management Technical Security
    Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 Operational management Establish/Maintain Documentation
    Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 Operational management Log Management
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [Provide privacy and security notices consistent with applicable CUI rules. 3.1.9]
    Operational management Communicate
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Operational management Technical Security
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Operational management Technical Security
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Operational management Technical Security
    Approve back-out plans, as necessary. CC ID 13627 Operational management Establish/Maintain Documentation
    Deploy software patches in accordance with organizational standards. CC ID 07032 Operational management Configuration
    Patch software. CC ID 11825 Operational management Technical Security
    Patch the operating system, as necessary. CC ID 11824 Operational management Technical Security
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Configuration
    Remove outdated software after software has been updated. CC ID 11792 Operational management Configuration
    Update computer firmware, as necessary. CC ID 11755 Operational management Configuration
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Configuration
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Operational management Business Processes
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Operational management Establish/Maintain Documentation
    Document approved configuration deviations. CC ID 08711 Operational management Establish/Maintain Documentation
  • Detective
    177
    IMPACT ZONE    TYPE
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Log Management
    Monitor systems for inappropriate usage and other security violations. CC ID 00585
    [Monitor information system security alerts and advisories and take appropriate actions in response. 3.14.3
    Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. 3.14.6]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitoring and measurement Monitor and Evaluate Occurrences
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Monitoring and measurement Human Resources Management
    Detect unauthorized access to systems. CC ID 06798
    [Identify unauthorized use of the information system. 3.14.7]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitoring and measurement Monitor and Evaluate Occurrences
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitoring and measurement Monitor and Evaluate Occurrences
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitoring and measurement Monitor and Evaluate Occurrences
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638
    [Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. 3.3.1]
    Monitoring and measurement Log Management
    Establish, implement, and maintain event logging procedures. CC ID 01335 Monitoring and measurement Log Management
    Review and update event logs and audit logs, as necessary. CC ID 00596 Monitoring and measurement Log Management
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Monitoring and measurement Log Management
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Monitoring and measurement Technical Security
    Enable logging for all systems that meet traceability criteria. CC ID 00640 Monitoring and measurement Log Management
    Analyze firewall logs for the correct capturing of data. CC ID 00549 Monitoring and measurement Log Management
    Perform vulnerability scans, as necessary. CC ID 11637
    [Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified. 3.11.2]
    Monitoring and measurement Technical Security
    Repeat vulnerability scanning, as necessary. CC ID 11646
    [Remediate vulnerabilities in accordance with assessments of risk. 3.11.3]
    Monitoring and measurement Testing
    Identify and document security vulnerabilities. CC ID 11857 Monitoring and measurement Technical Security
    Rank discovered vulnerabilities. CC ID 11940 Monitoring and measurement Investigate
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Monitoring and measurement Technical Security
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Monitoring and measurement Technical Security
    Perform internal vulnerability scans, as necessary. CC ID 00656 Monitoring and measurement Testing
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Monitoring and measurement Technical Security
    Implement scanning tools, as necessary. CC ID 14282 Monitoring and measurement Technical Security
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Monitoring and measurement Technical Security
    Perform external vulnerability scans, as necessary. CC ID 11624 Monitoring and measurement Technical Security
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Monitoring and measurement Technical Security
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems. 3.12.2]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Include monitoring in the corrective action plan. CC ID 11645 Monitoring and measurement Monitor and Evaluate Occurrences
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Testing
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Testing
    Determine the effectiveness of in scope controls. CC ID 06984
    [Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application. 3.12.1
    Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls. 3.12.3]
    Audits and risk management Testing
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Audits and Risk Management
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Audits and Risk Management
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Audits and Risk Management
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Audits and Risk Management
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Audits and Risk Management
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and risk management Audits and Risk Management
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and risk management Audits and Risk Management
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Establish/Maintain Documentation
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Audits and risk management Establish/Maintain Documentation
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Audits and Risk Management
    Identify information system users. CC ID 12081
    [Identify information system users, processes acting on behalf of users, or devices. 3.5.1]
    Technical security Technical Security
    Review user accounts. CC ID 00525 Technical security Technical Security
    Match user accounts to authorized parties. CC ID 12126 Technical security Configuration
    Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082
    [Identify information system users, processes acting on behalf of users, or devices. 3.5.1]
    Technical security Technical Security
    Review shared accounts. CC ID 11840 Technical security Technical Security
    Disallow application IDs from running as privileged users. CC ID 10050 Technical security Configuration
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Technical security Testing
    Authenticate user identities before unlocking an account. CC ID 11837
    [Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. 3.5.2]
    Technical security Testing
    Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 Technical security Process or Activity
    Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 Technical security Configuration
    Configure firewalls to perform dynamic packet filtering. CC ID 01288 Technical security Testing
    Configure network access and control points to organizational standards. CC ID 12442 Technical security Configuration
    Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 Technical security Technical Security
    Create a full text analysis on executed privileged functions. CC ID 06778 Technical security Monitor and Evaluate Occurrences
    Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 Technical security Testing
    Monitor and evaluate all remote access usage. CC ID 00563
    [Monitor and control remote access sessions. 3.1.12]
    Technical security Monitor and Evaluate Occurrences
    Test cryptographic key management applications, as necessary. CC ID 04829 Technical security Testing
    Implement non-repudiation for transactions. CC ID 00567 Technical security Testing
    Scan for malicious code, as necessary. CC ID 11941
    [Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. 3.14.5]
    Technical security Investigate
    Test all removable storage media for viruses and malicious code. CC ID 11861
    [Check media containing diagnostic and test programs for malicious code before the media are used in the information system. 3.7.4]
    Technical security Testing
    Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 Technical security Testing
    Log and react to all malicious code activity. CC ID 07072 Technical security Monitor and Evaluate Occurrences
    Analyze the behavior and characteristics of the malicious code. CC ID 10672 Technical security Technical Security
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Physical and Environmental Protection
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Investigate
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Physical and Environmental Protection
    Test locks for physical security vulnerabilities. CC ID 04880 Physical and environmental protection Testing
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Physical and Environmental Protection
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Physical and environmental protection Monitor and Evaluate Occurrences
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Physical and environmental protection Investigate
    Log when the vault is accessed. CC ID 06725 Physical and environmental protection Log Management
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Log Management
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Physical and environmental protection Monitor and Evaluate Occurrences
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Physical and environmental protection Monitor and Evaluate Occurrences
    Monitor physical entry point alarms. CC ID 01639 Physical and environmental protection Physical and Environmental Protection
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Physical and environmental protection Monitor and Evaluate Occurrences
    Monitor for alarmed security doors being propped open. CC ID 06684 Physical and environmental protection Monitor and Evaluate Occurrences
    Track restricted storage media while it is in transit. CC ID 00967 Physical and environmental protection Data and Information Management
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 Human Resources management Testing
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources management Human Resources Management
    Implement segregation of duties in roles and responsibilities. CC ID 00774
    [Separate the duties of individuals to reduce the risk of malevolent activity without collusion. 3.1.4]
    Human Resources management Testing
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Operational management Establish/Maintain Documentation
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Technical Security
    Control and monitor all maintenance tools. CC ID 01432
    [Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. 3.7.2]
    Operational management Physical and Environmental Protection
    Conduct maintenance with authorized personnel. CC ID 01434
    [Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. 3.7.2]
    Operational management Testing
    Establish, implement, and maintain an anti-money laundering program. CC ID 13675 Operational management Business Processes
    Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 Operational management Monitor and Evaluate Occurrences
    Require personnel to monitor for and report suspicious account activity. CC ID 16462 Operational management Monitor and Evaluate Occurrences
    Identify root causes of incidents that force system changes. CC ID 13482 Operational management Investigate
    Respond to and triage when an incident is detected. CC ID 06942 Operational management Monitor and Evaluate Occurrences
    Document the incident and any relevant evidence in the incident report. CC ID 08659
    [Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. 3.6.2]
    Operational management Establish/Maintain Documentation
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Operational management Investigate
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Operational management Establish/Maintain Documentation
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Operational management Establish/Maintain Documentation
    Analyze the incident response process following an incident response. CC ID 13179 Operational management Investigate
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Log Management
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Operational management Behavior
    Avoid false positive incident response notifications. CC ID 04732 Operational management Behavior
    Include information required by law in incident response notifications. CC ID 00802 Operational management Establish/Maintain Documentation
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Operational management Establish/Maintain Documentation
    Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 Operational management Monitor and Evaluate Occurrences
    Test incident monitoring procedures. CC ID 13194 Operational management Testing
    Conduct incident investigations, as necessary. CC ID 13826 Operational management Process or Activity
    Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 Operational management Investigate
    Identify the affected parties during incident investigations. CC ID 16781 Operational management Investigate
    Interview suspects during incident investigations, as necessary. CC ID 14041 Operational management Investigate
    Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 Operational management Investigate
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Establish/Maintain Documentation
    Test the incident response procedures. CC ID 01216
    [Test the organizational incident response capability. 3.6.3]
    Operational management Testing
    Test proposed changes prior to their approval. CC ID 00548 Operational management Testing
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Operational management Business Processes
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Process or Activity
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Investigate
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Investigate
    Review the patch log for missing patches. CC ID 13186 Operational management Technical Security
    Perform a patch test prior to deploying a patch. CC ID 00898 Operational management Testing
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Testing
    Review changes to computer firmware. CC ID 12226 Operational management Testing
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Operational management Testing
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Operational management Technical Security
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Operational management Establish/Maintain Documentation
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Operational management Testing
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Operational management Testing
    Establish, implement, and maintain a configuration change log. CC ID 08710 Operational management Configuration
    Configure the "/etc/docker/daemon.json" files and directories auditing to organizational standards. CC ID 14467 System hardening through configuration management Configuration
    Configure the "/etc/docker" files and directories auditing to organizational standards. CC ID 14459 System hardening through configuration management Configuration
    Configure the "docker.socket" files and directories auditing to organizational standards. CC ID 14458 System hardening through configuration management Configuration
    Configure the "docker.service" files and directories auditing to organizational standards. CC ID 14454 System hardening through configuration management Configuration
    Configure the "/var/lib/docker" files and directories auditing to organizational standards. CC ID 14453 System hardening through configuration management Configuration
    Configure the "/usr/sbin/runc" files and directories auditing to organizational standards. CC ID 14452 System hardening through configuration management Configuration
    Configure the "/usr/bin/containerd" files and directories auditing to organizational standards. CC ID 14451 System hardening through configuration management Configuration
    Configure the "/etc/default/docker" files and directories auditing to organizational standards. CC ID 14450 System hardening through configuration management Configuration
    Configure the "/etc/sysconfig/docker" files and directories auditing to organizational standards. CC ID 14449 System hardening through configuration management Configuration
    Configure the log to capture audit log initialization, along with auditable event selection. CC ID 00649 System hardening through configuration management Log Management
    Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 System hardening through configuration management Log Management
    Configure the log to capture the information referent when personal data is being accessed. CC ID 11968 System hardening through configuration management Log Management
    Configure the log to capture each auditable event's origination. CC ID 01338 System hardening through configuration management Log Management
    Configure the log to capture remote access information. CC ID 05596 System hardening through configuration management Configuration
    Configure the log to capture all malicious code that has been discovered, quarantined, and/or eradicated. CC ID 00577 System hardening through configuration management Log Management
    Configure the "logging level" to organizational standards. CC ID 14456 System hardening through configuration management Configuration
    Capture successful operating system access and successful software access. CC ID 00527 System hardening through configuration management Log Management
    Configure the log to capture hardware and software access attempts. CC ID 01220 System hardening through configuration management Log Management
    Configure the log to capture all URL requests. CC ID 12138 System hardening through configuration management Technical Security
    Configure the log to capture logons, logouts, logon attempts, and logout attempts. CC ID 01915 System hardening through configuration management Log Management
    Configure the log to capture access to restricted data or restricted information. CC ID 00644 System hardening through configuration management Log Management
    Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645
    [Prevent non-privileged users from executing privileged functions and audit the execution of such functions. 3.1.7]
    System hardening through configuration management Log Management
    Configure the log to capture identification and authentication mechanism use. CC ID 00648 System hardening through configuration management Log Management
    Configure the log to capture all access to the audit trail. CC ID 00646 System hardening through configuration management Log Management
    Configure the log to capture Object access to key directories or key files. CC ID 01697 System hardening through configuration management Log Management
    Configure the log to capture both access and access attempts to security-relevant objects and security-relevant directories. CC ID 01916 System hardening through configuration management Log Management
    Configure the log to capture system level object creation and deletion. CC ID 00650 System hardening through configuration management Log Management
    Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes. CC ID 01698 System hardening through configuration management Log Management
    Configure the log to capture user authenticator changes. CC ID 01917 System hardening through configuration management Log Management
    Enable or disable NFS server logging, as appropriate. CC ID 05593 System hardening through configuration management Log Management
    Log Pluggable Authentication Modules access at an appropriate level. CC ID 05599 System hardening through configuration management Log Management
    Enable or disable the logging of "martian" packets (impossible addresses), as appropriate. CC ID 05601 System hardening through configuration management Log Management
    Enable or disable dhcpd logging, as appropriate. CC ID 05602 System hardening through configuration management Log Management
    Enable or disable attempted stack exploit logging, as appropriate. CC ID 05614 System hardening through configuration management Log Management
    Enable or disable the debug logging option, as appropriate. CC ID 05617 System hardening through configuration management Log Management
    Enable or disable the logging of vsftpd transactions, as appropriate. CC ID 06032 System hardening through configuration management Log Management
    Verify auditing is logged to an appropriate directory. CC ID 05603 System hardening through configuration management Log Management
    Enable or disable the /var/log/authlog log, as appropriate. CC ID 05606 System hardening through configuration management Log Management
    Enable or disable the /var/log/syslog log, as appropriate. CC ID 05607 System hardening through configuration management Log Management
    Enable or disable the /var/adm/messages log, as appropriate. CC ID 05608 System hardening through configuration management Log Management
    Enable or disable the /var/adm/sulog log, as appropriate. CC ID 05609 System hardening through configuration management Log Management
    Enable or disable the /var/adm/utmp(x) log, as appropriate. CC ID 05610 System hardening through configuration management Log Management
    Enable or disable the /var/adm/wtmp(x) log, as appropriate. CC ID 05611 System hardening through configuration management Log Management
    Enable or disable the /var/adm/sshlog log, as appropriate. CC ID 05612 System hardening through configuration management Log Management
    Enable or disable the /var/log/pamlog log, as appropriate. CC ID 05613 System hardening through configuration management Log Management
    Perform filesystem logging and filesystem journaling. CC ID 05615 System hardening through configuration management Log Management
    Configure security and protection software to check for up-to-date signature files. CC ID 00576
    [Update malicious code protection mechanisms when new releases are available. 3.14.4]
    System hardening through configuration management Testing
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Establish/Maintain Documentation
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Records Management
  • IT Impact Zone
    10
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
  • Preventive
    1313
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitoring and measurement Monitor and Evaluate Occurrences
    Address operational anomalies within the incident management system. CC ID 11633 Monitoring and measurement Audits and Risk Management
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Monitoring and measurement Audits and Risk Management
    Monitor systems for unauthorized mobile code. CC ID 10034
    [Control and monitor the use of mobile code. 3.13.13]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain an event logging policy. CC ID 15217 Monitoring and measurement Establish/Maintain Documentation
    Include the system components that generate audit records in the event logging procedures. CC ID 16426 Monitoring and measurement Data and Information Management
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 Monitoring and measurement Log Management
    Protect the event logs from failure. CC ID 06290 Monitoring and measurement Log Management
    Overwrite the oldest records when audit logging fails. CC ID 14308 Monitoring and measurement Data and Information Management
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427
    [Provide audit reduction and report generation to support on-demand analysis and reporting. 3.3.6]
    Monitoring and measurement Testing
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Monitoring and measurement Establish/Maintain Documentation
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424
    [Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity. 3.3.5]
    Monitoring and measurement Audits and Risk Management
    Reproduce the event log if a log failure is captured. CC ID 01426 Monitoring and measurement Log Management
    Document the event information to be logged in the event information log specification. CC ID 00639 Monitoring and measurement Configuration
    Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 Monitoring and measurement Configuration
    Enable and configure logging on all network access controls. CC ID 01963 Monitoring and measurement Configuration
    Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340
    [Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. 3.3.7]
    Monitoring and measurement Configuration
    Centralize network time servers to as few as practical. CC ID 06308 Monitoring and measurement Configuration
    Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 Monitoring and measurement Communicate
    Define the frequency to capture and log events. CC ID 06313 Monitoring and measurement Log Management
    Include logging frequencies in the event logging procedures. CC ID 00642 Monitoring and measurement Log Management
    Review and update the list of auditable events in the event logging procedures. CC ID 10097
    [Review and update audited events. 3.3.3]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a testing program. CC ID 00654 Monitoring and measurement Behavior
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Establish/Maintain Documentation
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Monitoring and measurement Technical Security
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 Monitoring and measurement Communicate
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Monitoring and measurement Records Management
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Monitoring and measurement Business Processes
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Monitoring and measurement Testing
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a log management program. CC ID 00673
    [Limit management of audit functionality to a subset of privileged users. 3.3.9]
    Monitoring and measurement Establish/Maintain Documentation
    Deploy log normalization tools, as necessary. CC ID 12141 Monitoring and measurement Technical Security
    Restrict access to logs to authorized individuals. CC ID 01342 Monitoring and measurement Log Management
    Restrict access to audit trails to a need to know basis. CC ID 11641 Monitoring and measurement Technical Security
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Monitoring and measurement Log Management
    Back up audit trails according to backup procedures. CC ID 11642 Monitoring and measurement Systems Continuity
    Back up logs according to backup procedures. CC ID 01344 Monitoring and measurement Log Management
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Monitoring and measurement Log Management
    Identify hosts with logs that are not being stored. CC ID 06314 Monitoring and measurement Log Management
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Monitoring and measurement Log Management
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Monitoring and measurement Log Management
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Monitoring and measurement Log Management
    Protect logs from unauthorized activity. CC ID 01345
    [Protect audit information and audit tools from unauthorized access, modification, and deletion. 3.3.8]
    Monitoring and measurement Log Management
    Perform testing and validating activities on all logs. CC ID 06322 Monitoring and measurement Log Management
    Archive the audit trail in accordance with compliance requirements. CC ID 00674 Monitoring and measurement Log Management
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Monitoring and measurement Configuration
    Preserve the identity of individuals in audit trails. CC ID 10594 Monitoring and measurement Log Management
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Monitoring and measurement Establish/Maintain Documentation
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Monitoring and measurement Audits and Risk Management
    Align corrective actions with the level of environmental impact. CC ID 15193 Monitoring and measurement Business Processes
    Include risks and opportunities in the corrective action plan. CC ID 15178 Monitoring and measurement Establish/Maintain Documentation
    Include environmental aspects in the corrective action plan. CC ID 15177 Monitoring and measurement Establish/Maintain Documentation
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an audit program. CC ID 00684 Audits and risk management Establish/Maintain Documentation
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Business Processes
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and risk management Audits and Risk Management
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Audits and risk management Process or Activity
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Establish/Maintain Documentation
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI. 3.11.1]
    Audits and risk management Testing
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Establish/Maintain Documentation
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Establish/Maintain Documentation
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Establish/Maintain Documentation
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Audits and Risk Management
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Audits and Risk Management
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Audits and Risk Management
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Establish/Maintain Documentation
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Communicate
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Communicate
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Establish and maintain contact information for user accounts, as necessary. CC ID 15418 Technical security Data and Information Management
    Control access rights to organizational assets. CC ID 00004
    [Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). 3.1.1]
    Technical security Technical Security
    Configure access control lists in accordance with organizational standards. CC ID 16465 Technical security Configuration
    Add all devices requiring access control to the Access Control List. CC ID 06264 Technical security Establish/Maintain Documentation
    Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical security Technical Security
    Define roles for information systems. CC ID 12454 Technical security Human Resources Management
    Define access needs for each role assigned to an information system. CC ID 12455 Technical security Human Resources Management
    Define access needs for each system component of an information system. CC ID 12456 Technical security Technical Security
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical security Technical Security
    Establish access rights based on least privilege. CC ID 01411
    [Limit information system access to the types of transactions and functions that authorized users are permitted to execute. 3.1.2
    Employ the principle of least privilege, including for specific security functions and privileged accounts. 3.1.5]
    Technical security Technical Security
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Technical Security
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Technical Security
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Configuration
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412
    [Limit unsuccessful logon attempts. 3.1.8]
    Technical security Technical Security
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Configuration
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical security Technical Security
    Establish, implement, and maintain session lock capabilities. CC ID 01417
    [Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity. 3.1.10]
    Technical security Configuration
    Limit concurrent sessions according to account type. CC ID 01416 Technical security Configuration
    Establish session authenticity through Transport Layer Security. CC ID 01627
    [Protect the authenticity of communications sessions. 3.13.15]
    Technical security Technical Security
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Technical security Configuration
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Technical security Configuration
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Technical security Configuration
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Technical security Configuration
    Enable access control for objects and users on each system. CC ID 04553 Technical security Configuration
    Include all system components in the access control system. CC ID 11939 Technical security Technical Security
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Technical security Process or Activity
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical security Technical Security
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical security Technical Security
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical security Technical Security
    Include the objects and users subject to access control in the security policy. CC ID 11836 Technical security Establish/Maintain Documentation
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Establish Roles
    Enforce access restrictions for change control. CC ID 01428
    [{physical access restriction} Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system. 3.4.5]
    Technical security Technical Security
    Enforce access restrictions for restricted data. CC ID 01921 Technical security Data and Information Management
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical security Technical Security
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical security Technical Security
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Technical security Establish/Maintain Documentation
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Establish/Maintain Documentation
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical security Technical Security
    Display previous logon information in the logon banner. CC ID 01415 Technical security Configuration
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Technical security Establish/Maintain Documentation
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical security Technical Security
    Establish, implement, and maintain User Access Management procedures. CC ID 00514 Technical security Technical Security
    Establish, implement, and maintain access control procedures. CC ID 11663 Technical security Establish/Maintain Documentation
    Grant access to authorized personnel or systems. CC ID 12186 Technical security Configuration
    Document approving and granting access in the access control log. CC ID 06786
    [{remote access} Authorize wireless access prior to allowing such connections. 3.1.16]
    Technical security Establish/Maintain Documentation
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Technical security Communicate
    Include digital identification procedures in the access control program. CC ID 11841 Technical security Technical Security
    Identify and control all network access controls. CC ID 00529 Technical security Technical Security
    Manage all external network connections. CC ID 11842 Technical security Technical Security
    Prohibit systems from connecting directly to external networks. CC ID 08709
    [Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks. 3.13.7]
    Technical security Configuration
    Establish, implement, and maintain a Boundary Defense program. CC ID 00544
    [Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. 3.13.1]
    Technical security Establish/Maintain Documentation
    Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 Technical security Technical Security
    Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 Technical security Communicate
    Segregate systems in accordance with organizational standards. CC ID 12546 Technical security Technical Security
    Implement gateways between security domains. CC ID 16493 Technical security Systems Design, Build, and Implementation
    Implement resource-isolation mechanisms in organizational networks. CC ID 16438 Technical security Technical Security
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 Technical security Technical Security
    Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 Technical security Technical Security
    Design Demilitarized Zones with proper isolation rules. CC ID 00532 Technical security Technical Security
    Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 Technical security Data and Information Management
    Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 Technical security Technical Security
    Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 Technical security Technical Security
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289
    [Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. 3.13.5]
    Technical security Data and Information Management
    Establish, implement, and maintain a network access control standard. CC ID 00546 Technical security Establish/Maintain Documentation
    Include assigned roles and responsibilities in the network access control standard. CC ID 06410 Technical security Establish Roles
    Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 Technical security Technical Security
    Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 Technical security Technical Security
    Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 Technical security Configuration
    Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 Technical security Configuration
    Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 Technical security Configuration
    Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 Technical security Technical Security
    Include configuration management and rulesets in the network access control standard. CC ID 11845 Technical security Establish/Maintain Documentation
    Secure the network access control standard against unauthorized changes. CC ID 11920 Technical security Establish/Maintain Documentation
    Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 Technical security Technical Security
    Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 Technical security Configuration
    Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 Technical security Establish/Maintain Documentation
    Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 Technical security Establish/Maintain Documentation
    Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 Technical security Establish/Maintain Documentation
    Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 Technical security Establish/Maintain Documentation
    Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 Technical security Establish/Maintain Documentation
    Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 Technical security Establish/Maintain Documentation
    Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 Technical security Configuration
    Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 Technical security Establish/Maintain Documentation
    Configure network ports to organizational standards. CC ID 14007 Technical security Configuration
    Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 Technical security Establish/Maintain Documentation
    Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 Technical security Establish/Maintain Documentation
    Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 Technical security Establish/Maintain Documentation
    Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 Technical security Establish/Maintain Documentation
    Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 Technical security Establish/Maintain Documentation
    Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 Technical security Configuration
    Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 Technical security Technical Security
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284 Technical security Configuration
    Protect data stored at external locations. CC ID 16333 Technical security Data and Information Management
    Protect the firewall's network connection interfaces. CC ID 01955 Technical security Technical Security
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547
    [Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). 3.13.6]
    Technical security Configuration
    Allow local program exceptions on the firewall, as necessary. CC ID 01956 Technical security Configuration
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 Technical security Configuration
    Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 Technical security Configuration
    Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 Technical security Configuration
    Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 Technical security Configuration
    Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 Technical security Configuration
    Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 Technical security Configuration
    Allow notification exceptions on the firewall, as necessary. CC ID 01962 Technical security Configuration
    Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 Technical security Configuration
    Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 Technical security Configuration
    Allow local port exceptions on the firewall, as necessary. CC ID 01966 Technical security Configuration
    Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 Technical security Configuration
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical security Technical Security
    Configure firewall filtering to only permit established connections into the network. CC ID 12482 Technical security Technical Security
    Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 Technical security Data and Information Management
    Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 Technical security Data and Information Management
    Synchronize and secure all router configuration files. CC ID 01291 Technical security Configuration
    Synchronize and secure all firewall configuration files. CC ID 11851 Technical security Configuration
    Configure firewalls to generate an audit log. CC ID 12038 Technical security Audits and Risk Management
    Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 Technical security Configuration
    Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 Technical security Establish/Maintain Documentation
    Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 Technical security Establish/Maintain Documentation
    Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 Technical security Establish/Maintain Documentation
    Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 Technical security Configuration
    Update application layer firewalls to the most current version. CC ID 12037 Technical security Process or Activity
    Enforce information flow control. CC ID 11781 Technical security Monitor and Evaluate Occurrences
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410
    [Control the flow of CUI in accordance with approved authorizations. 3.1.3]
    Technical security Establish/Maintain Documentation
    Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 Technical security Data and Information Management
    Establish, implement, and maintain a document printing policy. CC ID 14384 Technical security Establish/Maintain Documentation
    Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain information flow procedures. CC ID 04542
    [Control information posted or processed on publicly accessible information systems. 3.1.22
    Verify and control/limit connections to and use of external information systems. 3.1.20]
    Technical security Establish/Maintain Documentation
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Technical security Data and Information Management
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Technical security Data and Information Management
    Establish, implement, and maintain information exchange procedures. CC ID 11782 Technical security Establish/Maintain Documentation
    Perform content sanitization on data-in-transit. CC ID 16512 Technical security Data and Information Management
    Perform content conversion on data-in-transit. CC ID 16510 Technical security Data and Information Management
    Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 Technical security Data and Information Management
    Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 Technical security Data and Information Management
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 Technical security Data and Information Management
    Review and approve information exchange system connections. CC ID 07143 Technical security Technical Security
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Technical security Log Management
    Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 Technical security Technical Security
    Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 Technical security Technical Security
    Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 Technical security Establish/Maintain Documentation
    Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 Technical security Configuration
    Block uncategorized sites using URL filtering. CC ID 12140 Technical security Technical Security
    Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 Technical security Data and Information Management
    Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780
    [Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. 3.4.8]
    Technical security Establish/Maintain Documentation
    Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 Technical security Behavior
    Secure access to each system component operating system. CC ID 00551 Technical security Configuration
    Enforce privileged accounts and non-privileged accounts for system access. CC ID 00558
    [Use non-privileged accounts or roles when accessing nonsecurity functions. 3.1.6
    Prevent non-privileged users from executing privileged functions and audit the execution of such functions. 3.1.7]
    Technical security Technical Security
    Separate user functionality from system management functionality. CC ID 11858
    [Separate user functionality from information system management functionality. 3.13.3]
    Technical security Technical Security
    Control all methods of remote access and teleworking. CC ID 00559
    [Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites). 3.10.6]
    Technical security Technical Security
    Assign virtual escorting to authorized personnel. CC ID 16440 Technical security Process or Activity
    Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 Technical security Establish/Maintain Documentation
    Include information security requirements in the remote access and teleworking program. CC ID 15704 Technical security Establish/Maintain Documentation
    Refrain from allowing remote users to copy files to remote devices. CC ID 06792 Technical security Technical Security
    Control remote administration in accordance with organizational standards. CC ID 04459
    [Authorize remote execution of privileged commands and remote access to security-relevant information. 3.1.15]
    Technical security Configuration
    Control remote access through a network access control. CC ID 01421
    [Authorize remote execution of privileged commands and remote access to security-relevant information. 3.1.15
    Route remote access via managed access control points. 3.1.14]
    Technical security Technical Security
    Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 Technical security Configuration
    Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 Technical security Technical Security
    Employ multifactor authentication for remote access to the organization's network. CC ID 12505 Technical security Technical Security
    Implement multifactor authentication techniques. CC ID 00561
    [Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. 3.5.3
    Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. 3.7.5]
    Technical security Configuration
    Implement phishing-resistant multifactor authentication techniques. CC ID 16541 Technical security Technical Security
    Document and approve requests to bypass multifactor authentication. CC ID 15464 Technical security Establish/Maintain Documentation
    Limit the source addresses from which remote administration is performed. CC ID 16393 Technical security Technical Security
    Protect remote access accounts with encryption. CC ID 00562
    [Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. 3.1.13]
    Technical security Configuration
    Manage the use of encryption controls and cryptographic controls. CC ID 00570 Technical security Technical Security
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571
    [Establish and manage cryptographic keys for cryptography employed in the information system. 3.13.10]
    Technical security Establish/Maintain Documentation
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Technical security Communicate
    Bind keys to each identity. CC ID 12337 Technical security Technical Security
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Technical security Establish/Maintain Documentation
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Technical security Establish/Maintain Documentation
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Technical security Data and Information Management
    Generate strong cryptographic keys. CC ID 01299 Technical security Data and Information Management
    Generate unique cryptographic keys for each user. CC ID 12169 Technical security Technical Security
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Technical security Data and Information Management
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical security Technical Security
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 Technical security Establish/Maintain Documentation
    Disseminate and communicate cryptographic keys securely. CC ID 01300 Technical security Data and Information Management
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Technical security Data and Information Management
    Store cryptographic keys securely. CC ID 01298 Technical security Data and Information Management
    Restrict access to cryptographic keys. CC ID 01297 Technical security Data and Information Management
    Store cryptographic keys in encrypted format. CC ID 06084 Technical security Data and Information Management
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical security Technical Security
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Technical security Establish/Maintain Documentation
    Change cryptographic keys in accordance with organizational standards. CC ID 01302 Technical security Data and Information Management
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Technical security Data and Information Management
    Control cryptographic keys with split knowledge and dual control. CC ID 01304 Technical security Data and Information Management
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Technical security Data and Information Management
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical security Technical Security
    Archive outdated cryptographic keys. CC ID 06884 Technical security Data and Information Management
    Archive revoked cryptographic keys. CC ID 11819 Technical security Data and Information Management
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Technical security Establish/Maintain Documentation
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Technical security Human Resources Management
    Manage the digital signature cryptographic key pair. CC ID 06576 Technical security Data and Information Management
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Technical security Establish/Maintain Documentation
    Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 Technical security Establish Roles
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Technical security Establish/Maintain Documentation
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Technical security Establish/Maintain Documentation
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Technical security Establish/Maintain Documentation
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Technical security Establish/Maintain Documentation
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Technical security Establish/Maintain Documentation
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical security Technical Security
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 Technical security Technical Security
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 Technical security Establish/Maintain Documentation
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 Technical security Establish/Maintain Documentation
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Technical security Establish/Maintain Documentation
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Technical security Establish/Maintain Documentation
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical security Technical Security
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Technical security Records Management
    Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564
    [Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. 3.13.8
    Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. 3.13.11]
    Technical security Technical Security
    Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 Technical security Configuration
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical security Technical Security
    Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 Technical security Technical Security
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Technical security Establish/Maintain Documentation
    Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 Technical security Technical Security
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical security Technical Security
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical security Technical Security
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical security Technical Security
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical security Technical Security
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical security Technical Security
    Establish, implement, and maintain a malicious code protection program. CC ID 00574
    [Provide protection from malicious code at appropriate locations within organizational information systems. 3.14.2]
    Technical security Establish/Maintain Documentation
    Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 Technical security Communicate
    Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 Technical security Communicate
    Establish, implement, and maintain malicious code protection procedures. CC ID 15483 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain a malicious code protection policy. CC ID 15478 Technical security Establish/Maintain Documentation
    Restrict downloading to reduce malicious code attacks. CC ID 04576 Technical security Behavior
    Install security and protection software, as necessary. CC ID 00575 Technical security Configuration
    Install and maintain container security solutions. CC ID 16178 Technical security Technical Security
    Protect the system against replay attacks. CC ID 04552
    [{privileged accounts} Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. 3.5.4]
    Technical security Technical Security
    Define and assign roles and responsibilities for malicious code protection. CC ID 15474 Technical security Establish Roles
    Lock antivirus configurations. CC ID 10047 Technical security Configuration
    Establish, implement, and maintain a virtual environment and shared resources security program. CC ID 06551 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain a shared resources management program. CC ID 07096
    [Prevent unauthorized and unintended information transfer via shared system resources. 3.13.4]
    Technical security Establish/Maintain Documentation
    Maintain ownership of all shared resources. CC ID 12180 Technical security Business Processes
    Employ resource-isolation mechanisms in virtual environments. CC ID 12178 Technical security Configuration
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [Protect and monitor the physical facility and support infrastructure for those information systems. 3.10.2]
    Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Establish/Maintain Documentation
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Behavior
    Protect the facility from crime. CC ID 06347 Physical and environmental protection Physical and Environmental Protection
    Define communication methods for reporting crimes. CC ID 06349 Physical and environmental protection Establish/Maintain Documentation
    Include identification cards or badges in the physical security program. CC ID 14818 Physical and environmental protection Establish/Maintain Documentation
    Protect facilities from eavesdropping. CC ID 02222 Physical and environmental protection Physical and Environmental Protection
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Physical and environmental protection Technical Security
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Physical and environmental protection Establish/Maintain Documentation
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and environmental protection Physical and Environmental Protection
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and environmental protection Physical and Environmental Protection
    Create security zones in facilities, as necessary. CC ID 16295 Physical and environmental protection Physical and Environmental Protection
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain floor plans. CC ID 16419 Physical and environmental protection Establish/Maintain Documentation
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Physical and environmental protection Establish/Maintain Documentation
    Post floor plans of critical facilities in secure locations. CC ID 16138 Physical and environmental protection Communicate
    Post and maintain security signage for all facilities. CC ID 02201 Physical and environmental protection Establish/Maintain Documentation
    Inspect items brought into the facility. CC ID 06341 Physical and environmental protection Physical and Environmental Protection
    Maintain all physical security systems. CC ID 02206 Physical and environmental protection Physical and Environmental Protection
    Maintain all security alarm systems. CC ID 11669 Physical and environmental protection Physical and Environmental Protection
    Identify and document physical access controls for all physical entry points. CC ID 01637 Physical and environmental protection Establish/Maintain Documentation
    Control physical access to (and within) the facility. CC ID 01329 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain physical access procedures. CC ID 13629 Physical and environmental protection Establish/Maintain Documentation
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Physical and Environmental Protection
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Physical and environmental protection Establish/Maintain Documentation
    Escort visitors within the facility, as necessary. CC ID 06417
    [Escort visitors and monitor visitor activity. 3.10.3]
    Physical and environmental protection Establish/Maintain Documentation
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Physical and Environmental Protection
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Physical and environmental protection Testing
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Behavior
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Establish/Maintain Documentation
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Establish/Maintain Documentation
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Establish/Maintain Documentation
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747
    [Supervise the maintenance activities of maintenance personnel without required access authorization. 3.7.6]
    Physical and environmental protection Monitor and Evaluate Occurrences
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Establish/Maintain Documentation
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Human Resources Management
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Process or Activity
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Process or Activity
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Physical and Environmental Protection
    Implement operational requirements for card readers. CC ID 02225 Physical and environmental protection Testing
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Physical and environmental protection Establish/Maintain Documentation
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Physical and Environmental Protection
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Behavior
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Human Resources Management
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Physical and Environmental Protection
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Behavior
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Physical and Environmental Protection
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Behavior
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Establish/Maintain Documentation
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Process or Activity
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Establish/Maintain Documentation
    Include an appeal process in the identification issuance procedures. CC ID 15428 Physical and environmental protection Business Processes
    Include information security in the identification issuance procedures. CC ID 15425 Physical and environmental protection Establish/Maintain Documentation
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Process or Activity
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Physical and environmental protection Establish/Maintain Documentation
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Establish/Maintain Documentation
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Physical and Environmental Protection
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Establish/Maintain Documentation
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Human Resources Management
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Establish/Maintain Documentation
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Establish/Maintain Documentation
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Physical and environmental protection Configuration
    Install emergency doors to permit egress only. CC ID 06688 Physical and environmental protection Configuration
    Install contact alarms on doors, as necessary. CC ID 06710 Physical and environmental protection Configuration
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and environmental protection Physical and Environmental Protection
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Physical and environmental protection Configuration
    Secure unissued access mechanisms. CC ID 06713 Physical and environmental protection Technical Security
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748
    [Control and manage physical access devices. 3.10.5]
    Physical and environmental protection Establish/Maintain Documentation
    Change cipher lock codes, as necessary. CC ID 06651 Physical and environmental protection Technical Security
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a window security standard. CC ID 06689 Physical and environmental protection Establish/Maintain Documentation
    Install contact alarms on openable windows, as necessary. CC ID 06690 Physical and environmental protection Configuration
    Install glass break alarms on windows, as necessary. CC ID 06691 Physical and environmental protection Configuration
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Physical and environmental protection Establish/Maintain Documentation
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and environmental protection Physical and Environmental Protection
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and environmental protection Physical and Environmental Protection
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and environmental protection Physical and Environmental Protection
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and environmental protection Physical and Environmental Protection
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and environmental protection Physical and Environmental Protection
    Screen incoming mail and deliveries. CC ID 06719 Physical and environmental protection Physical and Environmental Protection
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Physical and environmental protection Establish/Maintain Documentation
    Establish a security room, if necessary. CC ID 00738 Physical and environmental protection Physical and Environmental Protection
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Physical and Environmental Protection
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a camera operating policy. CC ID 15456 Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Physical and environmental protection Communicate
    Establish and maintain a visitor log. CC ID 00715 Physical and environmental protection Log Management
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Physical and environmental protection Establish/Maintain Documentation
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Physical and environmental protection Behavior
    Record the visitor's name in the visitor log. CC ID 00557 Physical and environmental protection Log Management
    Record the visitor's organization in the visitor log. CC ID 12121 Physical and environmental protection Log Management
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Physical and environmental protection Log Management
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Establish/Maintain Documentation
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Physical and environmental protection Establish/Maintain Documentation
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Physical and environmental protection Log Management
    Establish, implement, and maintain a physical access log. CC ID 12080
    [Maintain audit logs of physical access. 3.10.4]
    Physical and environmental protection Establish/Maintain Documentation
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Physical and environmental protection Log Management
    Store facility access logs in off-site storage. CC ID 06958 Physical and environmental protection Log Management
    Log the exit of a staff member from a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Monitor and Evaluate Occurrences
    Configure video cameras to cover all physical entry points. CC ID 06302 Physical and environmental protection Configuration
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Physical and environmental protection Configuration
    Retain video events according to Records Management procedures. CC ID 06304 Physical and environmental protection Records Management
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Physical and environmental protection Establish/Maintain Documentation
    Build and maintain fencing, as necessary. CC ID 02235 Physical and environmental protection Physical and Environmental Protection
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and environmental protection Physical and Environmental Protection
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and environmental protection Physical and Environmental Protection
    Employ security guards to provide physical security, as necessary. CC ID 06653 Physical and environmental protection Establish Roles
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Physical and environmental protection Establish/Maintain Documentation
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and environmental protection Physical and Environmental Protection
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Physical and environmental protection Configuration
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Physical and environmental protection Behavior
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Physical and environmental protection Behavior
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Physical and environmental protection Business Processes
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Physical and environmental protection Behavior
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Physical and environmental protection Behavior
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and environmental protection Physical and Environmental Protection
    Control the transiting and internal distribution or external distribution of assets. CC ID 00963 Physical and environmental protection Records Management
    Transport restricted media using a delivery method that can be tracked. CC ID 11777
    [Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. 3.8.5]
    Physical and environmental protection Business Processes
    Restrict physical access to distributed assets. CC ID 11865
    [Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. 3.10.1]
    Physical and environmental protection Physical and Environmental Protection
    House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 Physical and environmental protection Physical and Environmental Protection
    Protect electronic storage media with physical access controls. CC ID 00720 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain removable storage media controls. CC ID 06680
    [Limit use of organizational portable storage devices on external information systems. 3.1.21
    Control the use of removable media on information system components. 3.8.7]
    Physical and environmental protection Data and Information Management
    Control access to restricted storage media. CC ID 04889
    [Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. 3.8.5]
    Physical and environmental protection Data and Information Management
    Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 Physical and environmental protection Physical and Environmental Protection
    Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 Physical and environmental protection Records Management
    Treat archive media as evidence. CC ID 00960 Physical and environmental protection Records Management
    Log the transfer of removable storage media. CC ID 12322 Physical and environmental protection Log Management
    Establish, implement, and maintain storage media access control procedures. CC ID 00959
    [Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital. 3.8.1
    Limit access to CUI on information system media to authorized users. 3.8.2]
    Physical and environmental protection Establish/Maintain Documentation
    Require removable storage media be in the custody of an authorized individual. CC ID 12319 Physical and environmental protection Behavior
    Control the storage of restricted storage media. CC ID 00965 Physical and environmental protection Records Management
    Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 Physical and environmental protection Physical and Environmental Protection
    Protect the combinations for all combination locks. CC ID 02199 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain eavesdropping protection for vaults. CC ID 02231 Physical and environmental protection Physical and Environmental Protection
    Serialize all removable storage media. CC ID 00949 Physical and environmental protection Configuration
    Establish, implement, and maintain mobile device security guidelines. CC ID 04723
    [Control connection of mobile devices. 3.1.18]
    Physical and environmental protection Establish/Maintain Documentation
    Require users to refrain from leaving mobile devices unattended. CC ID 16446 Physical and environmental protection Business Processes
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Physical and environmental protection Data and Information Management
    Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 Physical and environmental protection Establish/Maintain Documentation
    Include legal requirements in the mobile device security guidelines. CC ID 12291 Physical and environmental protection Establish/Maintain Documentation
    Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 Physical and environmental protection Physical and Environmental Protection
    Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 Physical and environmental protection Establish/Maintain Documentation
    Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 Physical and environmental protection Establish/Maintain Documentation
    Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 Physical and environmental protection Establish/Maintain Documentation
    Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 Physical and environmental protection Physical and Environmental Protection
    Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 Physical and environmental protection Physical and Environmental Protection
    Encrypt information stored on mobile devices. CC ID 01422
    [Encrypt CUI on mobile devices. 3.1.19]
    Physical and environmental protection Data and Information Management
    Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768
    [Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. 3.13.12]
    Physical and environmental protection Technical Security
    Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647
    [Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. 3.13.12]
    Physical and environmental protection Technical Security
    Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 Operational and Systems Continuity Systems Continuity
    Protect backup systems and restoration systems at the alternate facility. CC ID 04883
    [Protect the confidentiality of backup CUI at storage locations. 3.8.9]
    Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Establish/Maintain Documentation
    Perform security clearance procedures, as necessary. CC ID 06644
    [Screen individuals prior to authorizing access to information systems containing CUI. 3.9.1]
    Human Resources management Human Resources Management
    Establish and maintain security clearances. CC ID 01634 Human Resources management Human Resources Management
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549
    [Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers. 3.9.2]
    Human Resources management Establish/Maintain Documentation
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources management Human Resources Management
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources management Human Resources Management
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Human Resources management Behavior
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 Human Resources management Communicate
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources management Human Resources Management
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Human Resources management Behavior
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources management Human Resources Management
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Human Resources management Establish/Maintain Documentation
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Human Resources management Establish Roles
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 Human Resources management Technical Security
    Train all personnel and third parties, as necessary. CC ID 00785 Human Resources management Behavior
    Establish, implement, and maintain an education methodology. CC ID 06671 Human Resources management Business Processes
    Tailor training to be taught at each person's level of responsibility. CC ID 06674
    [Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. 3.2.2]
    Human Resources management Behavior
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823
    [Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems. 3.2.1]
    Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [Provide security awareness training on recognizing and reporting potential indicators of insider threat. 3.2.3]
    Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Training
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Establish/Maintain Documentation
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems. 3.2.1]
    Operational management Communicate
    Establish, implement, and maintain operational control procedures. CC ID 00831 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583
    [Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. 3.13.14]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Establish/Maintain Documentation
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749
    [Control and monitor user-installed software. 3.4.9]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Operational management Business Processes
    Establish, implement, and maintain an asset inventory. CC ID 06631
    [Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. 3.4.1]
    Operational management Business Processes
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Operational management Establish/Maintain Documentation
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Establish/Maintain Documentation
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Operational management Systems Design, Build, and Implementation
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Operational management Data and Information Management
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Operational management Establish/Maintain Documentation
    Categorize all major applications according to the business information they process. CC ID 07182 Operational management Establish/Maintain Documentation
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Operational management Establish/Maintain Documentation
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Operational management Establish/Maintain Documentation
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Operational management Establish/Maintain Documentation
    Conduct environmental surveys. CC ID 00690 Operational management Physical and Environmental Protection
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Operational management Establish/Maintain Documentation
    Include network equipment in the Information Technology inventory. CC ID 00693 Operational management Establish/Maintain Documentation
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Operational management Establish/Maintain Documentation
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Operational management Process or Activity
    Include software in the Information Technology inventory. CC ID 00692 Operational management Establish/Maintain Documentation
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Operational management Establish/Maintain Documentation
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Operational management Establish/Maintain Documentation
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Operational management Establish/Maintain Documentation
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Operational management Technical Security
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Technical Security
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Data and Information Management
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Establish/Maintain Documentation
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Data and Information Management
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Data and Information Management
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Establish/Maintain Documentation
    Include source code in the asset inventory. CC ID 14858 Operational management Records Management
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Human Resources Management
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Establish/Maintain Documentation
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Data and Information Management
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Establish/Maintain Documentation
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Establish/Maintain Documentation
    Record the software version in the asset inventory. CC ID 12196 Operational management Establish/Maintain Documentation
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Establish/Maintain Documentation
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Establish/Maintain Documentation
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Establish/Maintain Documentation
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Establish/Maintain Documentation
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Operational management Establish/Maintain Documentation
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Establish/Maintain Documentation
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Establish/Maintain Documentation
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Establish/Maintain Documentation
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Establish/Maintain Documentation
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Data and Information Management
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Establish/Maintain Documentation
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Data and Information Management
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Establish/Maintain Documentation
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Establish/Maintain Documentation
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Establish/Maintain Documentation
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Establish/Maintain Documentation
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Establish/Maintain Documentation
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Establish/Maintain Documentation
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Establish/Maintain Documentation
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Data and Information Management
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Data and Information Management
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Establish/Maintain Documentation
    Record the owner for applicable assets in the asset inventory. CC ID 06640 Operational management Establish/Maintain Documentation
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Establish/Maintain Documentation
    Record all changes to assets in the asset inventory. CC ID 12190 Operational management Establish/Maintain Documentation
    Record cloud service derived data in the asset inventory. CC ID 13007 Operational management Establish/Maintain Documentation
    Include cloud service customer data in the asset inventory. CC ID 13006 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Operational management Establish/Maintain Documentation
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Business Processes
    Control remote maintenance according to the system's asset classification. CC ID 01433 Operational management Technical Security
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083
    [Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. 3.7.5]
    Operational management Technical Security
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Maintenance
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Maintenance
    Perform periodic maintenance according to organizational standards. CC ID 01435
    [Perform maintenance on organizational information systems. 3.7.1]
    Operational management Behavior
    Restart systems on a periodic basis. CC ID 16498 Operational management Maintenance
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Maintenance
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Technical Security
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Technical Security
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Human Resources Management
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Operational management Physical and Environmental Protection
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Business Processes
    Establish, implement, and maintain an incident management policy. CC ID 16414 Operational management Establish/Maintain Documentation
    Define and assign the roles and responsibilities for the Incident Management program. CC ID 13055 Operational management Human Resources Management
    Define the uses and capabilities of the Incident Management program. CC ID 00854 Operational management Establish/Maintain Documentation
    Include incident escalation procedures in the Incident Management program. CC ID 00856
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Establish/Maintain Documentation
    Define the characteristics of the Incident Management program. CC ID 00855 Operational management Establish/Maintain Documentation
    Include the criteria for a data loss event in the Incident Management program. CC ID 12179 Operational management Establish/Maintain Documentation
    Include the criteria for an incident in the Incident Management program. CC ID 12173 Operational management Establish/Maintain Documentation
    Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 Operational management Establish/Maintain Documentation
    Include detection procedures in the Incident Management program. CC ID 00588 Operational management Establish/Maintain Documentation
    Categorize the incident following an incident response. CC ID 13208 Operational management Technical Security
    Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 Operational management Establish/Maintain Documentation
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Operational management Establish/Maintain Documentation
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Data and Information Management
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Communicate
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Communicate
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Establish/Maintain Documentation
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Communicate
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Communicate
    Remediate security violations according to organizational standards. CC ID 12338 Operational management Business Processes
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Establish/Maintain Documentation
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 Operational management Establish/Maintain Documentation
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Establish/Maintain Documentation
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Communicate
    Revoke the written request to delay the notification. CC ID 16843 Operational management Process or Activity
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Operational management Establish/Maintain Documentation
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Business Processes
    Title breach notifications "Notice of Data Breach". CC ID 12977 Operational management Establish/Maintain Documentation
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Operational management Establish/Maintain Documentation
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Operational management Establish/Maintain Documentation
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Operational management Establish/Maintain Documentation
    Use plain language to write incident response notifications. CC ID 12976 Operational management Establish/Maintain Documentation
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Operational management Establish/Maintain Documentation
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Actionable Reports or Measurements
    Include the affected parties' rights in the incident response notification. CC ID 16811 Operational management Establish/Maintain Documentation
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Establish/Maintain Documentation
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Establish/Maintain Documentation
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Establish/Maintain Documentation
    Include a general description of the data loss event in incident response notifications. CC ID 04734 Operational management Establish/Maintain Documentation
    Include time information in incident response notifications. CC ID 04745 Operational management Establish/Maintain Documentation
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Establish/Maintain Documentation
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Operational management Establish/Maintain Documentation
    Include the type of information that was lost in incident response notifications. CC ID 04735 Operational management Establish/Maintain Documentation
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Operational management Establish/Maintain Documentation
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Operational management Establish/Maintain Documentation
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Operational management Establish/Maintain Documentation
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Operational management Establish/Maintain Documentation
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Establish/Maintain Documentation
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Operational management Establish/Maintain Documentation
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Operational management Establish/Maintain Documentation
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Establish/Maintain Documentation
    Include any consequences in the incident response notifications. CC ID 12604 Operational management Establish/Maintain Documentation
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Operational management Establish/Maintain Documentation
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Operational management Establish/Maintain Documentation
    Include contact information in incident response notifications. CC ID 04739 Operational management Establish/Maintain Documentation
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Communicate
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Process or Activity
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Process or Activity
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Operational management Behavior
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Establish/Maintain Documentation
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Operational management Establish/Maintain Documentation
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Operational management Behavior
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Operational management Behavior
    Establish, implement, and maintain a containment strategy. CC ID 13480 Operational management Establish/Maintain Documentation
    Include the containment approach in the containment strategy. CC ID 13486 Operational management Establish/Maintain Documentation
    Include response times in the containment strategy. CC ID 13485 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a restoration log. CC ID 12745 Operational management Establish/Maintain Documentation
    Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 Operational management Data and Information Management
    Include a description of the restored data in the restoration log. CC ID 15462 Operational management Data and Information Management
    Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 Operational management Establish/Maintain Documentation
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Establish/Maintain Documentation
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 Operational management Monitor and Evaluate Occurrences
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 Operational management Investigate
    Update the incident response procedures using the lessons learned. CC ID 01233 Operational management Establish/Maintain Documentation
    Include incident monitoring procedures in the Incident Management program. CC ID 01207
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Establish/Maintain Documentation
    Include incident response procedures in the Incident Management program. CC ID 01218 Operational management Establish/Maintain Documentation
    Integrate configuration management procedures into the incident management program. CC ID 13647 Operational management Technical Security
    Include incident management procedures in the Incident Management program. CC ID 12689 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 Operational management Establish/Maintain Documentation
    Include after-action analysis procedures in the Incident Management program. CC ID 01219
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 Operational management Establish/Maintain Documentation
    Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain incident management audit logs. CC ID 13514 Operational management Records Management
    Log incidents in the Incident Management audit log. CC ID 00857
    [Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. 3.6.2]
    Operational management Establish/Maintain Documentation
    Include who the incident was reported to in the incident management audit log. CC ID 16487 Operational management Log Management
    Include corrective actions in the incident management audit log. CC ID 16466 Operational management Establish/Maintain Documentation
    Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 Operational management Log Management
    Include emergency processing priorities in the Incident Management program. CC ID 00859 Operational management Establish/Maintain Documentation
    Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 Operational management Establish/Maintain Documentation
    Include incident record closure procedures in the Incident Management program. CC ID 01620 Operational management Establish/Maintain Documentation
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. 3.6.2]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Operational management Communicate
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Establish/Maintain Documentation
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Establish/Maintain Documentation
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Operational management Establish Roles
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Establish Roles
    Include references to industry best practices in the incident response procedures. CC ID 11956 Operational management Establish/Maintain Documentation
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Operational management Establish/Maintain Documentation
    Include business recovery procedures in the Incident Response program. CC ID 11774
    [Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. 3.6.1]
    Operational management Establish/Maintain Documentation
    Document the results of incident response tests and provide them to senior management. CC ID 14857 Operational management Actionable Reports or Measurements
    Establish, implement, and maintain a change control program. CC ID 00886
    [Track, review, approve/disapprove, and audit changes to information systems. 3.4.3]
    Operational management Establish/Maintain Documentation
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Operational management Establish/Maintain Documentation
    Include version control in the change control program. CC ID 13119 Operational management Establish/Maintain Documentation
    Include service design and transition in the change control program. CC ID 13920 Operational management Establish/Maintain Documentation
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Operational management Maintenance
    Integrate configuration management procedures into the change control program. CC ID 13646 Operational management Technical Security
    Establish, implement, and maintain a back-out plan. CC ID 13623 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Operational management Establish/Maintain Documentation
    Manage change requests. CC ID 00887 Operational management Business Processes
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Operational management Establish/Maintain Documentation
    Establish and maintain a change request approver list. CC ID 06795 Operational management Establish/Maintain Documentation
    Document all change requests in change request forms. CC ID 06794
    [Track, review, approve/disapprove, and audit changes to information systems. 3.4.3]
    Operational management Establish/Maintain Documentation
    Approve tested change requests. CC ID 11783
    [Track, review, approve/disapprove, and audit changes to information systems. 3.4.3]
    Operational management Data and Information Management
    Validate the system before implementing approved changes. CC ID 01510
    [Track, review, approve/disapprove, and audit changes to information systems. 3.4.3]
    Operational management Systems Design, Build, and Implementation
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Operational management Behavior
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Operational management Establish/Maintain Documentation
    Perform emergency changes, as necessary. CC ID 12707 Operational management Process or Activity
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Process or Activity
    Log emergency changes after they have been performed. CC ID 12733 Operational management Establish/Maintain Documentation
    Perform risk assessments prior to approving change requests. CC ID 00888
    [Analyze the security impact of changes prior to implementation. 3.4.4]
    Operational management Testing
    Implement changes according to the change control program. CC ID 11776 Operational management Business Processes
    Provide audit trails for all approved changes. CC ID 13120 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a patch management program. CC ID 00896
    [Identify, report, and correct information and information system flaws in a timely manner. 3.14.1]
    Operational management Process or Activity
    Document the sources of all software updates. CC ID 13316 Operational management Establish/Maintain Documentation
    Implement patch management software, as necessary. CC ID 12094 Operational management Technical Security
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Operational management Technical Security
    Establish, implement, and maintain a patch management policy. CC ID 16432 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain patch management procedures. CC ID 15224 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a patch log. CC ID 01642 Operational management Establish/Maintain Documentation
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Operational management Business Processes
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain traceability documentation. CC ID 16388 Operational management Systems Design, Build, and Implementation
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Operational management Behavior
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Operational management Data and Information Management
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Configuration Management program. CC ID 00867 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862
    [Establish and enforce security configuration settings for information technology products employed in organizational information systems. 3.4.2
    Employ the principle of least functionality by configuring the information system to provide only essential capabilities. 3.4.6
    Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. 3.4.1]
    System hardening through configuration management Establish/Maintain Documentation
    Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 System hardening through configuration management Establish/Maintain Documentation
    Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 System hardening through configuration management Establish/Maintain Documentation
    Include the applied security patches in the baseline configuration. CC ID 13271 System hardening through configuration management Establish/Maintain Documentation
    Include the installed application software and version numbers in the baseline configuration. CC ID 13270 System hardening through configuration management Establish/Maintain Documentation
    Include installed custom software in the baseline configuration. CC ID 13274 System hardening through configuration management Establish/Maintain Documentation
    Include network ports in the baseline configuration. CC ID 13273 System hardening through configuration management Establish/Maintain Documentation
    Include the operating systems and version numbers in the baseline configuration. CC ID 13269 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418
    [Terminate (automatically) a user session after a defined condition. 3.1.11
    Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. 3.13.9]
    System hardening through configuration management Configuration
    Refrain from using assertion lifetimes to limit each session. CC ID 13871 System hardening through configuration management Technical Security
    Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 System hardening through configuration management Configuration
    Invalidate unexpected session identifiers. CC ID 15307 System hardening through configuration management Configuration
    Configure the "MaxStartups" settings to organizational standards. CC ID 15329 System hardening through configuration management Configuration
    Reject session identifiers that are not valid. CC ID 15306 System hardening through configuration management Configuration
    Configure the "MaxSessions" settings to organizational standards. CC ID 15330 System hardening through configuration management Configuration
    Configure the "Interactive logon: Message title for users attempting to log on" to organizational standards. CC ID 07699 System hardening through configuration management Configuration
    Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 System hardening through configuration management Configuration
    Configure the "Network security: Force logoff when logon hours expire" to organizational standards. CC ID 07738 System hardening through configuration management Configuration
    Configure the "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to organizational standards. CC ID 07758 System hardening through configuration management Configuration
    Configure the "Microsoft network server: Disconnect clients when logon hours expire" to organizational standards. CC ID 07824 System hardening through configuration management Configuration
    Configure the "Microsoft network server: Amount of idle time required before suspending session" to organizational standards. CC ID 07826 System hardening through configuration management Configuration
    Configure the "Interactive logon: Do not display last user name" to organizational standards. CC ID 07832 System hardening through configuration management Configuration
    Configure the "Interactive logon: Display user information when the session is locked" to organizational standards. CC ID 07848 System hardening through configuration management Configuration
    Configure the "Interactive logon: Message text for users attempting to log on" to organizational standards. CC ID 07870 System hardening through configuration management Configuration
    Configure the "Always prompt for password upon connection" to organizational standards. CC ID 08229 System hardening through configuration management Configuration
    Configure the "Interactive logon: Machine inactivity limit" to organizational standards. CC ID 08350 System hardening through configuration management Configuration
    Remove all unnecessary functionality. CC ID 00882 System hardening through configuration management Configuration
    Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 System hardening through configuration management Configuration
    Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681
    [Prohibit the use of portable storage devices when such devices have no identifiable owner. 3.8.8]
    System hardening through configuration management Data and Information Management
    Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 System hardening through configuration management Configuration
    Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880
    [Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services. 3.4.7]
    System hardening through configuration management Configuration
    Disable rquotad unless rquotad is absolutely necessary. CC ID 01473 System hardening through configuration management Configuration
    Configure the rquotad service to use a static port or a dynamic portmapper port as appropriate. CC ID 05983 System hardening through configuration management Configuration
    Disable telnet unless telnet use is absolutely necessary. CC ID 01478 System hardening through configuration management Configuration
    Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. CC ID 01479 System hardening through configuration management Configuration
    Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 System hardening through configuration management Configuration
    Disable anonymous access to File Transfer Protocol. CC ID 06739 System hardening through configuration management Configuration
    Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. CC ID 01485 System hardening through configuration management Configuration
    Disable Post Office Protocol unless its use is absolutely necessary. CC ID 01486 System hardening through configuration management Configuration
    Disable SQLServer processes unless SQLServer processes use is absolutely necessary. CC ID 01500 System hardening through configuration management Configuration
    Disable alerter unless alerter use is absolutely necessary. CC ID 01810 System hardening through configuration management Configuration
    Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. CC ID 01812 System hardening through configuration management Configuration
    Disable ClipBook unless ClipBook use is absolutely necessary. CC ID 01813 System hardening through configuration management Configuration
    Disable Fax Service unless Fax Service use is absolutely necessary. CC ID 01815 System hardening through configuration management Configuration
    Disable IIS admin service unless IIS admin service use is absolutely necessary. CC ID 01817 System hardening through configuration management Configuration
    Disable indexing service unless indexing service use is absolutely necessary. CC ID 01818 System hardening through configuration management Configuration
    Disable net logon unless net logon use is absolutely necessary. CC ID 01820 System hardening through configuration management Configuration
    Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. CC ID 01822 System hardening through configuration management Configuration
    Disable the "Offer Remote Assistance" setting. CC ID 04325 System hardening through configuration management Configuration
    Disable the "Solicited Remote Assistance" setting. CC ID 04326 System hardening through configuration management Configuration
    Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. CC ID 01823 System hardening through configuration management Configuration
    Disable Routing and Remote Access unless Routing and Remote Access use is necessary. CC ID 01824 System hardening through configuration management Configuration
    Disable task scheduler unless task scheduler use is absolutely necessary. CC ID 01829 System hardening through configuration management Configuration
    Disable Terminal Services unless Terminal Services use is absolutely necessary. CC ID 01831 System hardening through configuration management Configuration
    Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. CC ID 01832 System hardening through configuration management Configuration
    Disable File Service Protocol. CC ID 02167 System hardening through configuration management Configuration
    Disable the License Logging Service unless it is absolutely necessary. CC ID 04282 System hardening through configuration management Configuration
    Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. CC ID 04285 System hardening through configuration management Configuration
    Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. CC ID 04286 System hardening through configuration management Configuration
    Disable Remote Administration Service unless remote administration management is absolutely necessary. CC ID 04287 System hardening through configuration management Configuration
    Disable remote installation unless remote installation is absolutely necessary. CC ID 04288 System hardening through configuration management Configuration
    Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. CC ID 04289 System hardening through configuration management Configuration
    Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. CC ID 04290 System hardening through configuration management Configuration
    Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. CC ID 04291 System hardening through configuration management Configuration
    Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. CC ID 04292 System hardening through configuration management Configuration
    Disable telephony services unless telephony services use is absolutely necessary. CC ID 04293 System hardening through configuration management Configuration
    Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. CC ID 04294 System hardening through configuration management Configuration
    Disable SSDP/UPnP unless SSDP/UPnP is absolutely necessary. CC ID 04315 System hardening through configuration management Configuration
    Configure the "ntpd service" setting to organizational standards. CC ID 04911 System hardening through configuration management Configuration
    Configure the "echo service" setting to organizational standards. CC ID 04912 System hardening through configuration management Configuration
    Configure the "echo-dgram service" setting to organizational standards. CC ID 09927 System hardening through configuration management Configuration
    Configure the "echo-stream service" setting to organizational standards. CC ID 09928 System hardening through configuration management Configuration
    Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 System hardening through configuration management Configuration
    Configure the "tcpmux-server" setting to organizational standards. CC ID 09929 System hardening through configuration management Configuration
    Configure the "netstat service" setting to organizational standards. CC ID 04913 System hardening through configuration management Configuration
    Configure the "character generator protocol (chargen)" setting to organizational standards. CC ID 04914 System hardening through configuration management Configuration
    Configure the "tftpd service" setting to organizational standards. CC ID 04915 System hardening through configuration management Configuration
    Configure the "walld service" setting to organizational standards. CC ID 04916 System hardening through configuration management Configuration
    Configure the "rstatd service" setting to organizational standards. CC ID 04917 System hardening through configuration management Configuration
    Configure the "sprayd service" setting to organizational standards. CC ID 04918 System hardening through configuration management Configuration
    Configure the "rusersd service" setting to organizational standards. CC ID 04919 System hardening through configuration management Configuration
    Configure the "inn service" setting to organizational standards. CC ID 04920 System hardening through configuration management Configuration
    Configure the "font service" setting to organizational standards. CC ID 04921 System hardening through configuration management Configuration
    Configure the "ident service" setting to organizational standards. CC ID 04922 System hardening through configuration management Configuration
    Configure the "rexd service" setting to organizational standards. CC ID 04923 System hardening through configuration management Configuration
    Configure the "daytime service" setting to organizational standards. CC ID 04924 System hardening through configuration management Configuration
    Configure the "dtspc (cde-spc) service" setting to organizational standards. CC ID 04925 System hardening through configuration management Configuration
    Configure the "cmsd service" setting to organizational standards. CC ID 04926 System hardening through configuration management Configuration
    Configure the "ToolTalk service" setting to organizational standards. CC ID 04927 System hardening through configuration management Configuration
    Configure the "discard service" setting to organizational standards. CC ID 04928 System hardening through configuration management Configuration
    Configure the "vino-server service" setting to organizational standards. CC ID 04929 System hardening through configuration management Configuration
    Configure the "bind service" setting to organizational standards. CC ID 04930 System hardening through configuration management Configuration
    Configure the "nfsd service" setting to organizational standards. CC ID 04931 System hardening through configuration management Configuration
    Configure the "mountd service" setting to organizational standards. CC ID 04932 System hardening through configuration management Configuration
    Configure the "statd service" setting to organizational standards. CC ID 04933 System hardening through configuration management Configuration
    Configure the "lockd service" setting to organizational standards. CC ID 04934 System hardening through configuration management Configuration
    Configure the lockd service to use a static port or a dynamic portmapper port for User Datagram Protocol as appropriate. CC ID 05980 System hardening through configuration management Configuration
    Configure the "decode sendmail alias" setting to organizational standards. CC ID 04935 System hardening through configuration management Configuration
    Configure the sendmail vrfy command, as appropriate. CC ID 04936 System hardening through configuration management Configuration
    Configure the sendmail expn command, as appropriate. CC ID 04937 System hardening through configuration management Configuration
    Configure .netrc with an appropriate set of services. CC ID 04938 System hardening through configuration management Configuration
    Enable NFS insecure locks as necessary. CC ID 04939 System hardening through configuration management Configuration
    Configure the "X server ac" setting to organizational standards. CC ID 04940 System hardening through configuration management Configuration
    Configure the "X server core" setting to organizational standards. CC ID 04941 System hardening through configuration management Configuration
    Enable or disable the setroubleshoot service, as appropriate. CC ID 05540 System hardening through configuration management Configuration
    Configure the "X server nolock" setting to organizational standards. CC ID 04942 System hardening through configuration management Configuration
    Enable or disable the mcstrans service, as appropriate. CC ID 05541 System hardening through configuration management Configuration
    Configure the "PAM console" setting to organizational standards. CC ID 04943 System hardening through configuration management Configuration
    Enable or disable the restorecond service, as appropriate. CC ID 05542 System hardening through configuration management Configuration
    Enable the rhnsd service as necessary. CC ID 04944 System hardening through configuration management Configuration
    Enable the yum-updatesd service as necessary. CC ID 04945 System hardening through configuration management Configuration
    Enable the autofs service as necessary. CC ID 04946 System hardening through configuration management Configuration
    Enable the ip6tables service as necessary. CC ID 04947 System hardening through configuration management Configuration
    Configure syslog to organizational standards. CC ID 04949 System hardening through configuration management Configuration
    Enable the auditd service as necessary. CC ID 04950 System hardening through configuration management Configuration
    Enable the logwatch service as necessary. CC ID 04951 System hardening through configuration management Configuration
    Enable the logrotate (syslog rotator) service as necessary. CC ID 04952 System hardening through configuration management Configuration
    Install or uninstall the telnet server package, only if absolutely necessary. CC ID 04953 System hardening through configuration management Configuration
    Enable the ypbind service as necessary. CC ID 04954 System hardening through configuration management Configuration
    Enable the ypserv service as necessary. CC ID 04955 System hardening through configuration management Configuration
    Enable the firstboot service as necessary. CC ID 04956 System hardening through configuration management Configuration
    Enable the gpm service as necessary. CC ID 04957 System hardening through configuration management Configuration
    Enable the irqbalance service as necessary. CC ID 04958 System hardening through configuration management Configuration
    Enable the isdn service as necessary. CC ID 04959 System hardening through configuration management Configuration
    Enable the kdump service as necessary. CC ID 04960 System hardening through configuration management Configuration
    Enable the mdmonitor service as necessary. CC ID 04961 System hardening through configuration management Configuration
    Enable the microcode_ctl service as necessary. CC ID 04962 System hardening through configuration management Configuration
    Enable the pcscd service as necessary. CC ID 04963 System hardening through configuration management Configuration
    Enable the smartd service as necessary. CC ID 04964 System hardening through configuration management Configuration
    Enable the readahead_early service as necessary. CC ID 04965 System hardening through configuration management Configuration
    Enable the readahead_later service as necessary. CC ID 04966 System hardening through configuration management Configuration
    Enable the messagebus service as necessary. CC ID 04967 System hardening through configuration management Configuration
    Enable the haldaemon service as necessary. CC ID 04968 System hardening through configuration management Configuration
    Enable the apmd service as necessary. CC ID 04969 System hardening through configuration management Configuration
    Enable the acpid service as necessary. CC ID 04970 System hardening through configuration management Configuration
    Enable the cpuspeed service as necessary. CC ID 04971 System hardening through configuration management Configuration
    Enable the network service as necessary. CC ID 04972 System hardening through configuration management Configuration
    Enable the hidd service as necessary. CC ID 04973 System hardening through configuration management Configuration
    Enable the crond service as necessary. CC ID 04974 System hardening through configuration management Configuration
    Install and enable the anacron service as necessary. CC ID 04975 System hardening through configuration management Configuration
    Enable the xfs service as necessary. CC ID 04976 System hardening through configuration management Configuration
    Install and enable the Avahi daemon service, as necessary. CC ID 04977 System hardening through configuration management Configuration
    Enable the CUPS service, as necessary. CC ID 04978 System hardening through configuration management Configuration
    Enable the hplip service as necessary. CC ID 04979 System hardening through configuration management Configuration
    Enable the dhcpd service as necessary. CC ID 04980 System hardening through configuration management Configuration
    Enable the nfslock service as necessary. CC ID 04981 System hardening through configuration management Configuration
    Enable the rpcgssd service as necessary. CC ID 04982 System hardening through configuration management Configuration
    Enable the rpcidmapd service as necessary. CC ID 04983 System hardening through configuration management Configuration
    Enable the rpcsvcgssd service as necessary. CC ID 04985 System hardening through configuration management Configuration
    Configure root squashing for all NFS shares, as appropriate. CC ID 04986 System hardening through configuration management Configuration
    Configure write access to NFS shares, as appropriate. CC ID 04987 System hardening through configuration management Configuration
    Configure the named service, as appropriate. CC ID 04988 System hardening through configuration management Configuration
    Configure the vsftpd service, as appropriate. CC ID 04989 System hardening through configuration management Configuration
    Configure the “dovecot” service to organizational standards. CC ID 04990 System hardening through configuration management Configuration
    Configure Server Message Block (SMB) to organizational standards. CC ID 04991 System hardening through configuration management Configuration
    Enable the snmpd service as necessary. CC ID 04992 System hardening through configuration management Configuration
    Enable the calendar manager as necessary. CC ID 04993 System hardening through configuration management Configuration
    Enable the GNOME logon service as necessary. CC ID 04994 System hardening through configuration management Configuration
    Enable the WBEM services as necessary. CC ID 04995 System hardening through configuration management Configuration
    Enable the keyserv service as necessary. CC ID 04996 System hardening through configuration management Configuration
    Enable the Generic Security Service daemon as necessary. CC ID 04997 System hardening through configuration management Configuration
    Enable the volfs service as necessary. CC ID 04998 System hardening through configuration management Configuration
    Enable the smserver service as necessary. CC ID 04999 System hardening through configuration management Configuration
    Enable the mpxio-upgrade service as necessary. CC ID 05000 System hardening through configuration management Configuration
    Enable the metainit service as necessary. CC ID 05001 System hardening through configuration management Configuration
    Enable the meta service as necessary. CC ID 05003 System hardening through configuration management Configuration
    Enable the metaed service as necessary. CC ID 05004 System hardening through configuration management Configuration
    Enable the metamh service as necessary. CC ID 05005 System hardening through configuration management Configuration
    Enable the Local RPC Port Mapping Service as necessary. CC ID 05006 System hardening through configuration management Configuration
    Enable the Kerberos kadmind service as necessary. CC ID 05007 System hardening through configuration management Configuration
    Enable the Kerberos krb5kdc service as necessary. CC ID 05008 System hardening through configuration management Configuration
    Enable the Kerberos kpropd service as necessary. CC ID 05009 System hardening through configuration management Configuration
    Enable the Kerberos ktkt_warnd service as necessary. CC ID 05010 System hardening through configuration management Configuration
    Enable the sadmin service as necessary. CC ID 05011 System hardening through configuration management Configuration
    Enable the IPP listener as necessary. CC ID 05012 System hardening through configuration management Configuration
    Enable the serial port listener as necessary. CC ID 05013 System hardening through configuration management Configuration
    Enable the Smart Card Helper service as necessary. CC ID 05014 System hardening through configuration management Configuration
    Enable the Application Management service as necessary. CC ID 05015 System hardening through configuration management Configuration
    Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 System hardening through configuration management Configuration
    Enable the Network News Transport Protocol service as necessary. CC ID 05017 System hardening through configuration management Configuration
    Enable the network Dynamic Data Exchange service as necessary. CC ID 05018 System hardening through configuration management Configuration
    Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 System hardening through configuration management Configuration
    Enable the RARP service as necessary. CC ID 05020 System hardening through configuration management Configuration
    Configure the ".NET Framework service" setting to organizational standards. CC ID 05021 System hardening through configuration management Configuration
    Enable the Network DDE Share Database Manager service as necessary. CC ID 05022 System hardening through configuration management Configuration
    Enable the Certificate Services service as necessary. CC ID 05023 System hardening through configuration management Configuration
    Configure the ATI hotkey poller service properly. CC ID 05024 System hardening through configuration management Configuration
    Configure the Interix Subsystem Startup service properly. CC ID 05025 System hardening through configuration management Configuration
    Configure the Cluster Service service properly. CC ID 05026 System hardening through configuration management Configuration
    Configure the IAS Jet Database Access service properly. CC ID 05027 System hardening through configuration management Configuration
    Configure the IAS service properly. CC ID 05028 System hardening through configuration management Configuration
    Configure the IP Version 6 Helper service properly. CC ID 05029 System hardening through configuration management Configuration
    Configure "Message Queuing service" to organizational standards. CC ID 05030 System hardening through configuration management Configuration
    Configure the Message Queuing Down Level Clients service properly. CC ID 05031 System hardening through configuration management Configuration
    Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 System hardening through configuration management Configuration
    Configure the TCP/IP NetBIOS Helper Service properly. CC ID 05034 System hardening through configuration management Configuration
    Configure the Utility Manager service properly. CC ID 05035 System hardening through configuration management Configuration
    Configure the secondary logon service properly. CC ID 05036 System hardening through configuration management Configuration
    Configure the Windows Management Instrumentation service properly. CC ID 05037 System hardening through configuration management Configuration
    Configure the Workstation service properly. CC ID 05038 System hardening through configuration management Configuration
    Configure the Windows Installer service properly. CC ID 05039 System hardening through configuration management Configuration
    Configure the Windows System Resource Manager service properly. CC ID 05040 System hardening through configuration management Configuration
    Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 System hardening through configuration management Configuration
    Configure the Services for Unix Client for NFS service properly. CC ID 05042 System hardening through configuration management Configuration
    Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 System hardening through configuration management Configuration
    Configure the Services for Unix Perl Socket service properly. CC ID 05044 System hardening through configuration management Configuration
    Configure the Services for Unix User Name Mapping service properly. CC ID 05045 System hardening through configuration management Configuration
    Configure the Services for Unix Windows Cron service properly. CC ID 05046 System hardening through configuration management Configuration
    Configure the Windows Media Services service properly. CC ID 05047 System hardening through configuration management Configuration
    Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. CC ID 05048 System hardening through configuration management Configuration
    Configure the Web Element Manager service properly. CC ID 05049 System hardening through configuration management Configuration
    Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. CC ID 05050 System hardening through configuration management Configuration
    Configure the Terminal Services Licensing service properly. CC ID 05051 System hardening through configuration management Configuration
    Configure the COM+ Event System service properly. CC ID 05052 System hardening through configuration management Configuration
    Configure the Event Log service properly. CC ID 05053 System hardening through configuration management Configuration
    Configure the Infrared Monitor service properly. CC ID 05054 System hardening through configuration management Configuration
    Configure the Services for Unix Server for NFS service properly. CC ID 05055 System hardening through configuration management Configuration
    Configure the System Event Notification Service properly. CC ID 05056 System hardening through configuration management Configuration
    Configure the NTLM Security Support Provider service properly. CC ID 05057 System hardening through configuration management Configuration
    Configure the Performance Logs and Alerts service properly. CC ID 05058 System hardening through configuration management Configuration
    Configure the Protected Storage service properly. CC ID 05059 System hardening through configuration management Configuration
    Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 System hardening through configuration management Configuration
    Configure the Remote Procedure Call service properly. CC ID 05061 System hardening through configuration management Configuration
    Configure the Removable Storage service properly. CC ID 05062 System hardening through configuration management Configuration
    Configure the Server service properly. CC ID 05063 System hardening through configuration management Configuration
    Configure the Security Accounts Manager service properly. CC ID 05064 System hardening through configuration management Configuration
    Configure the “Network Connections” service to organizational standards. CC ID 05065 System hardening through configuration management Configuration
    Configure the Logical Disk Manager service properly. CC ID 05066 System hardening through configuration management Configuration
    Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 System hardening through configuration management Configuration
    Configure the File Replication service properly. CC ID 05068 System hardening through configuration management Configuration
    Configure the Kerberos Key Distribution Center service properly. CC ID 05069 System hardening through configuration management Configuration
    Configure the Intersite Messaging service properly. CC ID 05070 System hardening through configuration management Configuration
    Configure the Remote Procedure Call locator service properly. CC ID 05071 System hardening through configuration management Configuration
    Configure the Distributed File System service properly. CC ID 05072 System hardening through configuration management Configuration
    Configure the Windows Internet Name Service service properly. CC ID 05073 System hardening through configuration management Configuration
    Configure the FTP Publishing Service properly. CC ID 05074 System hardening through configuration management Configuration
    Configure the Windows Search service properly. CC ID 05075 System hardening through configuration management Configuration
    Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 System hardening through configuration management Configuration
    Configure the Remote Shell service properly. CC ID 05077 System hardening through configuration management Configuration
    Configure Simple TCP/IP services to organizational standards. CC ID 05078 System hardening through configuration management Configuration
    Configure the Print Services for Unix service properly. CC ID 05079 System hardening through configuration management Configuration
    Configure the File Shares service to organizational standards. CC ID 05080 System hardening through configuration management Configuration
    Configure the NetMeeting service properly. CC ID 05081 System hardening through configuration management Configuration
    Configure the Application Layer Gateway service properly. CC ID 05082 System hardening through configuration management Configuration
    Configure the Cryptographic Services service properly. CC ID 05083 System hardening through configuration management Configuration
    Configure the Help and Support Service properly. CC ID 05084 System hardening through configuration management Configuration
    Configure the Human Interface Device Access service properly. CC ID 05085 System hardening through configuration management Configuration
    Configure the IMAPI CD-Burning COM service properly. CC ID 05086 System hardening through configuration management Configuration
    Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 System hardening through configuration management Configuration
    Configure the Network Location Awareness service properly. CC ID 05088 System hardening through configuration management Configuration
    Configure the Portable Media Serial Number Service service properly. CC ID 05089 System hardening through configuration management Configuration
    Configure the System Restore Service service properly. CC ID 05090 System hardening through configuration management Configuration
    Configure the Themes service properly. CC ID 05091 System hardening through configuration management Configuration
    Configure the Uninterruptible Power Supply service properly. CC ID 05092 System hardening through configuration management Configuration
    Configure the Upload Manager service properly. CC ID 05093 System hardening through configuration management Configuration
    Configure the Volume Shadow Copy Service properly. CC ID 05094 System hardening through configuration management Configuration
    Configure the WebClient service properly. CC ID 05095 System hardening through configuration management Configuration
    Configure the Windows Audio service properly. CC ID 05096 System hardening through configuration management Configuration
    Configure the Windows Image Acquisition service properly. CC ID 05097 System hardening through configuration management Configuration
    Configure the WMI Performance Adapter service properly. CC ID 05098 System hardening through configuration management Configuration
    Enable file uploads via vsftpd service, as appropriate. CC ID 05100 System hardening through configuration management Configuration
    Disable or remove sadmind unless use of sadmind is absolutely necessary. CC ID 06885 System hardening through configuration management Configuration
    Configure the "SNMP version 1" setting to organizational standards. CC ID 08976 System hardening through configuration management Configuration
    Configure the "xdmcp service" setting to organizational standards. CC ID 08985 System hardening through configuration management Configuration
    Establish, implement, and maintain authenticators. CC ID 15305 System hardening through configuration management Technical Security
    Establish, implement, and maintain an authenticator standard. CC ID 01702 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain an authenticator management system. CC ID 12031 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain authenticator procedures. CC ID 12002 System hardening through configuration management Establish/Maintain Documentation
    Configure authenticators to comply with organizational standards. CC ID 06412 System hardening through configuration management Configuration
    Configure the system to require new users to change their authenticator on first use. CC ID 05268
    [Allow temporary password use for system logons with an immediate change to a permanent password. 3.5.9]
    System hardening through configuration management Configuration
    Configure the system to encrypt authenticators. CC ID 06735
    [Store and transmit only encrypted representation of passwords. 3.5.10]
    System hardening through configuration management Configuration
    Configure the system to mask authenticators. CC ID 02037
    [Obscure feedback of authentication information. 3.5.11]
    System hardening through configuration management Configuration
    Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 System hardening through configuration management Configuration
    Configure the default locking screen saver timeout to a predetermined time period. CC ID 01570
    [Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity. 3.1.10]
    System hardening through configuration management Configuration
    Configure Wireless Access Points in accordance with organizational standards. CC ID 12477 System hardening through configuration management Configuration
    Enable two-factor authentication for identifying and authenticating Wireless Local Area Network users. CC ID 04595
    [Protect wireless access using authentication and encryption. 3.1.17]
    System hardening through configuration management Configuration
    Configure mobile device settings in accordance with organizational standards. CC ID 04600 System hardening through configuration management Configuration
    Enable data-at-rest encryption on mobile devices. CC ID 04842
    [Protect the confidentiality of CUI at rest. 3.13.16]
    System hardening through configuration management Configuration
    Configure Logging settings in accordance with organizational standards. CC ID 07611
    [Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. 3.3.1]
    System hardening through configuration management Configuration
    Configure "CloudTrail" to organizational standards. CC ID 15443 System hardening through configuration management Configuration
    Configure "CloudTrail log file validation" to organizational standards. CC ID 15437 System hardening through configuration management Configuration
    Configure "VPC flow logging" to organizational standards. CC ID 15436 System hardening through configuration management Configuration
    Configure "object-level logging" to organizational standards. CC ID 15433 System hardening through configuration management Configuration
    Configure "Turn on PowerShell Transcription" to organizational standards. CC ID 15415 System hardening through configuration management Configuration
    Configure "Turn on PowerShell Script Block Logging" to organizational standards. CC ID 15413 System hardening through configuration management Configuration
    Configure "Audit PNP Activity" to organizational standards. CC ID 15393 System hardening through configuration management Configuration
    Configure "Include command line in process creation events" to organizational standards. CC ID 15358 System hardening through configuration management Configuration
    Configure "Audit Group Membership" to organizational standards. CC ID 15341 System hardening through configuration management Configuration
    Configure the "audit_backlog_limit" setting to organizational standards. CC ID 15324 System hardening through configuration management Configuration
    Configure the "systemd-journald" to organizational standards. CC ID 15326 System hardening through configuration management Configuration
    Provide the reference database used to verify input data in the logging capability. CC ID 15018 System hardening through configuration management Log Management
    Configure the storage parameters for all logs. CC ID 06330 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: SAM" to organizational standards. CC ID 07612 System hardening through configuration management Configuration
    Configure sufficient log storage capacity and prevent the capacity from being exceeded. CC ID 01425 System hardening through configuration management Configuration
    Configure the log retention method. CC ID 01715 System hardening through configuration management Configuration
    Configure the log retention size. CC ID 01716 System hardening through configuration management Configuration
    Configure syslogd to send logs to a Remote LogHost. CC ID 01526 System hardening through configuration management Configuration
    Configure the security parameters for all logs. CC ID 01712 System hardening through configuration management Configuration
    Configure the "Audit Policy: Account Management: User Account Management" to organizational standards. CC ID 07613 System hardening through configuration management Configuration
    Configure the log so that it cannot be disabled. CC ID 00595 System hardening through configuration management Configuration
    Configure the event log size capacity limits for the application log, the security log, and the system log. CC ID 01713 System hardening through configuration management Configuration
    Configure the application log, the security log, and the system log to restrict guest access. CC ID 01714 System hardening through configuration management Configuration
    Configure the "mss: (warninglevel) percentage threshold for the security event log at which the system will generate a warning" setting. CC ID 04275 System hardening through configuration management Configuration
    Configure the "Audit Policy: System: System Integrity" to organizational standards. CC ID 07652 System hardening through configuration management Configuration
    Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331
    [Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. 3.3.2]
    System hardening through configuration management Configuration
    Configure the log to capture the user's identification. CC ID 01334 System hardening through configuration management Configuration
    Configure the log to capture a date and time stamp. CC ID 01336
    [Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. 3.3.7]
    System hardening through configuration management Configuration
    Configure the log to uniquely identify each asset. CC ID 01339 System hardening through configuration management Configuration
    Configure the log to capture the type of each event. CC ID 06423 System hardening through configuration management Configuration
    Configure the log to capture each event's success or failure indication. CC ID 06424 System hardening through configuration management Configuration
    Configure all logs to capture auditable events or actionable events. CC ID 06332 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: File Share" to organizational standards. CC ID 07655 System hardening through configuration management Configuration
    Configure the log to capture the amount of data uploaded and downloaded. CC ID 16494 System hardening through configuration management Log Management
    Configure the log to capture startups and shutdowns. CC ID 16491 System hardening through configuration management Log Management
    Configure the log to capture user queries and searches. CC ID 16479 System hardening through configuration management Log Management
    Configure the log to capture Internet Protocol addresses. CC ID 16495 System hardening through configuration management Log Management
    Configure the log to capture error messages. CC ID 16477 System hardening through configuration management Log Management
    Configure the log to capture system failures. CC ID 16475 System hardening through configuration management Log Management
    Configure the log to capture account lockouts. CC ID 16470 System hardening through configuration management Configuration
    Configure the log to capture execution events. CC ID 16469 System hardening through configuration management Configuration
    Configure the log to capture AWS Organizations changes. CC ID 15445 System hardening through configuration management Configuration
    Configure the log to capture Identity and Access Management policy changes. CC ID 15442 System hardening through configuration management Configuration
    Configure the log to capture management console sign-in without multi-factor authentication. CC ID 15441 System hardening through configuration management Configuration
    Configure the log to capture route table changes. CC ID 15439 System hardening through configuration management Configuration
    Configure the log to capture virtual private cloud changes. CC ID 15435 System hardening through configuration management Configuration
    Configure the log to capture changes to encryption keys. CC ID 15432 System hardening through configuration management Configuration
    Configure the log to capture unauthorized API calls. CC ID 15429 System hardening through configuration management Configuration
    Configure the log to capture changes to network gateways. CC ID 15421 System hardening through configuration management Configuration
    Configure the log to capture all spoofed addresses. CC ID 01313 System hardening through configuration management Configuration
    Configure inetd tracing. CC ID 01523 System hardening through configuration management Configuration
    Configure the system to capture messages sent to the syslog AUTH facility. CC ID 01525 System hardening through configuration management Configuration
    Configure Cron logging. CC ID 01528 System hardening through configuration management Configuration
    Configure the kernel level auditing setting. CC ID 01530 System hardening through configuration management Configuration
    Configure the "audit successful file system mounts" setting to organizational standards. CC ID 09923 System hardening through configuration management Configuration
    Configure system accounting/system events. CC ID 01529 System hardening through configuration management Configuration
    Configure the privilege use auditing setting. CC ID 01699 System hardening through configuration management Configuration
    Configure the log to record the Denial of Access that results from an excessive number of unsuccessful logon attempts. CC ID 01919 System hardening through configuration management Configuration
    Configure the Audit Process Tracking setting. CC ID 01700 System hardening through configuration management Configuration
    Configure the EEPROM security-mode accesses and EEPROM log-failed accesses. CC ID 01575 System hardening through configuration management Configuration
    Configure the log to capture user identifier, address, port blocking or blacklisting. CC ID 01918 System hardening through configuration management Configuration
    Enable directory service access events, as appropriate. CC ID 05616 System hardening through configuration management Configuration
    Configure the log to capture failed transactions. CC ID 06334 System hardening through configuration management Configuration
    Configure the log to capture successful transactions. CC ID 06335 System hardening through configuration management Configuration
    Audit non-attributable events (na class). CC ID 05604 System hardening through configuration management Configuration
    Configure the log to capture configuration changes. CC ID 06881 System hardening through configuration management Configuration
    Log, monitor, and review all changes to time settings on critical systems. CC ID 11608 System hardening through configuration management Configuration
    Configure the log to capture user account additions, modifications, and deletions. CC ID 16482 System hardening through configuration management Log Management
    Configure the log to capture all changes to certificates. CC ID 05595 System hardening through configuration management Configuration
    Configure the "inetd logging" setting to organizational standards. CC ID 08970 System hardening through configuration management Configuration
    Configure the "audit sudoers" setting to organizational standards. CC ID 09950 System hardening through configuration management Configuration
    Configure the event log settings for specific Operating System functions. CC ID 06337 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: Registry" to organizational standards. CC ID 07658 System hardening through configuration management Configuration
    Configure the "Audit: Audit the use of Backup and Restore privilege" setting. CC ID 01724 System hardening through configuration management Configuration
    Configure the "Audit: Shut down the system immediately if unable to log security audits" setting. CC ID 01725 System hardening through configuration management Configuration
    Configure "Audit account management" to organizational standards. CC ID 02039 System hardening through configuration management Configuration
    Configure the "Audit: Force audit policy subcategory settings (Windows Vista or later)" setting. CC ID 04387 System hardening through configuration management Configuration
    Configure console logging. CC ID 04454 System hardening through configuration management Configuration
    Configure boot error logging. CC ID 04455 System hardening through configuration management Configuration
    Disable the "Audit password" setting in NetWare. CC ID 04456 System hardening through configuration management Configuration
    Configure the "Disable Logging" setting. CC ID 05590 System hardening through configuration management Configuration
    Enable BIN mode auditing. CC ID 05591 System hardening through configuration management Configuration
    Enable or disable the BSM auditing setting, as appropriate. CC ID 05592 System hardening through configuration management Configuration
    Set the X server audit level appropriately. CC ID 05600 System hardening through configuration management Configuration
    Configure the "Turn on session logging" setting properly. CC ID 05618 System hardening through configuration management Configuration
    Configure Sendmail with the appropriate logging levels. CC ID 06028 System hardening through configuration management Configuration
    Enable or disable auditing in the runcontrol scripts, as appropriate. CC ID 06029 System hardening through configuration management Configuration
    Enable or disable auditing for user accounts, as appropriate. CC ID 06030 System hardening through configuration management Configuration
    Enable or disable auditing at boot time, as appropriate. CC ID 06031 System hardening through configuration management Configuration
    Enable or disable the auditing of chgrp usage, as appropriate. CC ID 06033 System hardening through configuration management Configuration
    Enable or disable the auditing of mkgroup usage, as appropriate. CC ID 06034 System hardening through configuration management Configuration
    Enable or disable the auditing of rmgroup usage, as appropriate. CC ID 06035 System hardening through configuration management Configuration
    Enable or disable the auditing of the exit function, as appropriate. CC ID 06036 System hardening through configuration management Configuration
    Generate an alert when an audit log failure occurs. CC ID 06737
    [{generate} Alert in the event of an audit process failure. 3.3.4]
    System hardening through configuration management Configuration
    Configure the "Audit Policy: Logon-Logoff: Logoff" to organizational standards. CC ID 07662 System hardening through configuration management Configuration
    Configure additional log settings. CC ID 06333 System hardening through configuration management Configuration
    Configure additional logging for the FTP daemon. CC ID 01524 System hardening through configuration management Configuration
    Configure the log to send alerts for each auditable event's success or failure. CC ID 01337 System hardening through configuration management Log Management
    Configure additional log file parameters appropriately. CC ID 06338 System hardening through configuration management Configuration
    Configure the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to organizational standards. CC ID 07664 System hardening through configuration management Configuration
    Create the /var/adm/loginlog file. CC ID 01527 System hardening through configuration management Configuration
    Verify the audit config file contains only accounts that should be present. CC ID 05594 System hardening through configuration management Configuration
    Specify the PRI audit file properly. CC ID 05597 System hardening through configuration management Configuration
    Specify the SEC audit file properly. CC ID 05598 System hardening through configuration management Configuration
    Verify the user audit file contains the appropriate never-audit flags. CC ID 05605 System hardening through configuration management Configuration
    Configure the "Background upload of a roaming user profile's registry file while user is logged on" setting to organizational standards. CC ID 10761 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: File System" to organizational standards. CC ID 07666 System hardening through configuration management Configuration
    Configure the "Backup log automatically when full" setting for the "setup log" to organizational standards. CC ID 10762 System hardening through configuration management Configuration
    Configure the "Audit Policy: Logon-Logoff: Logon" to organizational standards. CC ID 07669 System hardening through configuration management Configuration
    Configure the "Applications preference logging and tracing" setting to organizational standards. CC ID 10774 System hardening through configuration management Configuration
    Configure the "Audit Policy: Account Logon: Kerberos Authentication Service" to organizational standards. CC ID 07679 System hardening through configuration management Configuration
    Configure the "Data Sources preference logging and tracing" setting to organizational standards. CC ID 10779 System hardening through configuration management Configuration
    Configure the "Audit Policy: Logon-Logoff: IPsec Extended Mode" to organizational standards. CC ID 07683 System hardening through configuration management Configuration
    Configure the "Devices preference logging and tracing" setting to organizational standards. CC ID 10782 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: Handle Manipulation" to organizational standards. CC ID 07684 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: Detailed File Share" to organizational standards. CC ID 07687 System hardening through configuration management Configuration
    Configure the "Drive Maps preference logging and tracing" setting to organizational standards. CC ID 10783 System hardening through configuration management Configuration
    Configure the "Environment preference logging and tracing" setting to organizational standards. CC ID 10784 System hardening through configuration management Configuration
    Configure the "Audit Policy: Logon-Logoff: Network Policy Server" to organizational standards. CC ID 07701 System hardening through configuration management Configuration
    Configure the "Files preference logging and tracing" setting to organizational standards. CC ID 10785 System hardening through configuration management Configuration
    Configure the "Audit Policy: Detailed Tracking: Process Creation" to organizational standards. CC ID 07707 System hardening through configuration management Configuration
    Configure the "Audit Policy: System: IPsec Driver" to organizational standards. CC ID 07708 System hardening through configuration management Configuration
    Configure the "Folder Options preference logging and tracing" setting to organizational standards. CC ID 10786 System hardening through configuration management Configuration
    Configure the "Audit Policy: Logon-Logoff: Account Lockout" to organizational standards. CC ID 07713 System hardening through configuration management Configuration
    Configure the "Folders preference logging and tracing" setting to organizational standards. CC ID 10787 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: Kernel Object" to organizational standards. CC ID 07720 System hardening through configuration management Configuration
    Configure the "Ini Files preference logging and tracing" setting to organizational standards. CC ID 10788 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: Other Object Access Events" to organizational standards. CC ID 07724 System hardening through configuration management Configuration
    Configure the "Internet Settings preference logging and tracing" setting to organizational standards. CC ID 10789 System hardening through configuration management Configuration
    Configure the "Local Users and Groups preference logging and tracing" setting to organizational standards. CC ID 10793 System hardening through configuration management Configuration
    Configure the "Audit Policy: DS Access: Directory Service Replication" to organizational standards. CC ID 07734 System hardening through configuration management Configuration
    Configure the "Audit Policy: Policy Change: Audit Policy Change" to organizational standards. CC ID 07735 System hardening through configuration management Configuration
    Configure the "Regional Options preference logging and tracing" setting to organizational standards. CC ID 10802 System hardening through configuration management Configuration
    Configure the "Audit Policy: DS Access: Directory Service Changes" to organizational standards. CC ID 07736 System hardening through configuration management Configuration
    Configure the "Registry preference logging and tracing" setting to organizational standards. CC ID 10803 System hardening through configuration management Configuration
    Configure the "Scheduled Tasks preference logging and tracing" setting to organizational standards. CC ID 10815 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: Certification Services" to organizational standards. CC ID 07742 System hardening through configuration management Configuration
    Configure the "Maximum Log Size (KB)" to organizational standards. CC ID 07744 System hardening through configuration management Configuration
    Configure the "Services preference logging and tracing" setting to organizational standards. CC ID 10818 System hardening through configuration management Configuration
    Configure the "Audit Policy: Detailed Tracking: DPAPI Activity" to organizational standards. CC ID 07746 System hardening through configuration management Configuration
    Configure the "Shortcuts preference logging and tracing" setting to organizational standards. CC ID 10819 System hardening through configuration management Configuration
    Configure the "Start Menu preference logging and tracing" setting to organizational standards. CC ID 10821 System hardening through configuration management Configuration
    Configure the "Audit Policy: Account Management: Other Account Management Events" to organizational standards. CC ID 07751 System hardening through configuration management Configuration
    Configure the "Delete data from devices running Microsoft firmware when a user logs off from the computer." setting to organizational standards. CC ID 10846 System hardening through configuration management Configuration
    Configure the "Audit Policy: Account Management: Computer Account Management" to organizational standards. CC ID 07752 System hardening through configuration management Configuration
    Configure the "Disable logging via package settings" setting to organizational standards. CC ID 10864 System hardening through configuration management Configuration
    Configure the "Audit Policy: Privilege Use: Non Sensitive Privilege Use" to organizational standards. CC ID 07756 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: Application Generated" to organizational standards. CC ID 07757 System hardening through configuration management Configuration
    Configure the "Do not forcefully unload the users registry at user logoff" setting to organizational standards. CC ID 10930 System hardening through configuration management Configuration
    Configure the "Audit Policy: DS Access: Detailed Directory Service Replication" to organizational standards. CC ID 07764 System hardening through configuration management Configuration
    Configure the "Do not log users on with temporary profiles" setting to organizational standards. CC ID 10931 System hardening through configuration management Configuration
    Configure the "Audit Policy: Privilege Use: Other Privilege Use Events" to organizational standards. CC ID 07776 System hardening through configuration management Configuration
    Configure the "Log Access" setting for the "application log" to organizational standards. CC ID 11026 System hardening through configuration management Configuration
    Configure the "Log Access" setting for the "setup log" to organizational standards. CC ID 11027 System hardening through configuration management Configuration
    Configure the "Audit Policy: Account Logon: Kerberos Service Ticket Operations" to organizational standards. CC ID 07786 System hardening through configuration management Configuration
    Configure the "Audit Policy: DS Access: Directory Service Access" to organizational standards. CC ID 07790 System hardening through configuration management Configuration
    Configure the "Log Access" setting for the "system log" to organizational standards. CC ID 11028 System hardening through configuration management Configuration
    Configure the "Log directory pruning retry events" setting to organizational standards. CC ID 11029 System hardening through configuration management Configuration
    Configure the "Retain old events" to organizational standards. CC ID 07791 System hardening through configuration management Configuration
    Configure the "Audit: Audit the use of Backup and Restore privilege" to organizational standards. CC ID 07792 System hardening through configuration management Configuration
    Configure the "Log event when quota limit exceeded" setting to organizational standards. CC ID 11030 System hardening through configuration management Configuration
    Configure the "Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change" to organizational standards. CC ID 07793 System hardening through configuration management Configuration
    Configure the "Log File Path" setting for the "application log" to organizational standards. CC ID 11033 System hardening through configuration management Configuration
    Configure the "Audit Policy: Policy Change: Other Policy Change Events" to organizational standards. CC ID 07810 System hardening through configuration management Configuration
    Configure the "Log File Path" setting for the "setup log" to organizational standards. CC ID 11034 System hardening through configuration management Configuration
    Configure the "Log File Path" setting for the "system log" to organizational standards. CC ID 11035 System hardening through configuration management Configuration
    Configure the "Audit: Shut down system immediately if unable to log security audits" to organizational standards. CC ID 07812 System hardening through configuration management Configuration
    Configure the "Audit Policy: System: Other System Events" to organizational standards. CC ID 07817 System hardening through configuration management Configuration
    Configure the "Logging" setting to organizational standards. CC ID 11036 System hardening through configuration management Configuration
    Configure the "Audit Policy: Account Management: Application Group Management" to organizational standards. CC ID 07819 System hardening through configuration management Configuration
    Configure the "Remove "Disconnect" option from Shut Down dialog" setting to organizational standards. CC ID 11126 System hardening through configuration management Configuration
    Configure the "Remove browse dialog box for new source" setting to organizational standards. CC ID 11127 System hardening through configuration management Configuration
    Configure the "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" to organizational standards. CC ID 07820 System hardening through configuration management Configuration
    Configure the "Restricts the UI language Windows uses for all logged users" setting to organizational standards. CC ID 11147 System hardening through configuration management Configuration
    Configure the "Audit Policy: Account Logon: Other Account Logon Events" to organizational standards. CC ID 07825 System hardening through configuration management Configuration
    Configure the "Set roaming profile path for all users logging onto this computer" setting to organizational standards. CC ID 11182 System hardening through configuration management Configuration
    Configure the "Audit Policy: Account Management: Distribution Group Management" to organizational standards. CC ID 07828 System hardening through configuration management Configuration
    Configure the "Audit: Audit the access of global system objects" to organizational standards. CC ID 07831 System hardening through configuration management Configuration
    Configure the "Set the Time interval in minutes for logging accounting data" setting to organizational standards. CC ID 11193 System hardening through configuration management Configuration
    Configure the "Turn off Resultant Set of Policy logging" setting to organizational standards. CC ID 11307 System hardening through configuration management Configuration
    Configure the "Audit Policy: Logon-Logoff: Special Logon" to organizational standards. CC ID 07835 System hardening through configuration management Configuration
    Configure the "Turn on extensive logging for Active Directory Domain Services domain controllers that are running Server for NIS" setting to organizational standards. CC ID 11343 System hardening through configuration management Configuration
    Configure the "Audit Policy: Detailed Tracking: RPC Events" to organizational standards. CC ID 07840 System hardening through configuration management Configuration
    Configure the "Turn on extensive logging for Password Synchronization" setting to organizational standards. CC ID 11344 System hardening through configuration management Configuration
    Configure the "Audit Policy: Policy Change: Authentication Policy Change" to organizational standards. CC ID 07846 System hardening through configuration management Configuration
    Configure the "Turn on logging" setting to organizational standards. CC ID 11345 System hardening through configuration management Configuration
    Configure the "Audit Policy: Detailed Tracking: Process Termination" to organizational standards. CC ID 07849 System hardening through configuration management Configuration
    Configure the "Turn on session logging" setting to organizational standards. CC ID 11350 System hardening through configuration management Configuration
    Configure the "Audit Policy: Logon-Logoff: IPsec Quick Mode" to organizational standards. CC ID 07852 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: Filtering Platform Packet Drop" to organizational standards. CC ID 07856 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: Filtering Platform Connection" to organizational standards. CC ID 07864 System hardening through configuration management Configuration
    Configure the "Audit Policy: Policy Change: Authorization Policy Change" to organizational standards. CC ID 07875 System hardening through configuration management Configuration
    Configure the "Audit Policy: Account Management: Security Group Management" to organizational standards. CC ID 07880 System hardening through configuration management Configuration
    Configure the "Audit Policy: Privilege Use: Sensitive Privilege Use" to organizational standards. CC ID 07887 System hardening through configuration management Configuration
    Configure the "Audit Policy: Logon-Logoff: IPsec Main Mode" to organizational standards. CC ID 07888 System hardening through configuration management Configuration
    Configure the "Audit Policy: Account Logon: Credential Validation" to organizational standards. CC ID 07892 System hardening through configuration management Configuration
    Configure the "Audit Policy: Policy Change: Filtering Platform Policy Change" to organizational standards. CC ID 07895 System hardening through configuration management Configuration
    Configure the "Audit Policy: Logon-Logoff: Other Logon/Logoff Events" to organizational standards. CC ID 07899 System hardening through configuration management Configuration
    Configure the "Audit Policy: System: Security State Change" to organizational standards. CC ID 07903 System hardening through configuration management Configuration
    Configure the "Audit Policy: System: Security System Extension" to organizational standards. CC ID 07904 System hardening through configuration management Configuration
    Configure the "Audit account logon events" to organizational standards. CC ID 08188 System hardening through configuration management Configuration
    Configure the "Retention method for security log" to organizational standards. CC ID 08197 System hardening through configuration management Configuration
    Configure the "Retention method for system log" to organizational standards. CC ID 08211 System hardening through configuration management Configuration
    Configure the "Audit logon events" to organizational standards. CC ID 08221 System hardening through configuration management Configuration
    Configure the "Retention method for application log" to organizational standards. CC ID 08226 System hardening through configuration management Configuration
    Configure the "Retain security log" to organizational standards. CC ID 08241 System hardening through configuration management Configuration
    Configure the "Audit system events" to organizational standards. CC ID 08244 System hardening through configuration management Configuration
    Configure the "Retain application log" to organizational standards. CC ID 08246 System hardening through configuration management Configuration
    Configure the "Prevent local guests group from accessing application log" to organizational standards. CC ID 08248 System hardening through configuration management Configuration
    Configure the "Maximum security log size" to organizational standards. CC ID 08251 System hardening through configuration management Configuration
    Configure the "Retain system log" to organizational standards. CC ID 08258 System hardening through configuration management Configuration
    Configure the "Audit privilege use" to organizational standards. CC ID 08266 System hardening through configuration management Configuration
    Configure the "Audit policy change" to organizational standards. CC ID 08272 System hardening through configuration management Configuration
    Configure the "Audit object access" to organizational standards. CC ID 08278 System hardening through configuration management Configuration
    Configure the "Audit process tracking" to organizational standards. CC ID 08283 System hardening through configuration management Configuration
    Configure the "Maximum system log size" to organizational standards. CC ID 08286 System hardening through configuration management Configuration
    Configure the "Maximum application log size" to organizational standards. CC ID 08296 System hardening through configuration management Configuration
    Configure the "Prevent local guests group from accessing security log" to organizational standards. CC ID 08297 System hardening through configuration management Configuration
    Configure the "Audit directory service access" to organizational standards. CC ID 08304 System hardening through configuration management Configuration
    Configure the "Audit account management" to organizational standards. CC ID 08316 System hardening through configuration management Configuration
    Configure the "Prevent local guests group from accessing system log" to organizational standards. CC ID 08336 System hardening through configuration management Configuration
    Configure the "Specify the maximum log file size (KB)" to organizational standards. CC ID 08352 System hardening through configuration management Configuration
    Configure the "Message tracking logging - Mailbox" to organizational standards. CC ID 08360 System hardening through configuration management Configuration
    Configure the "Turn on Connectivity logging" to organizational standards. CC ID 08398 System hardening through configuration management Configuration
    Configure the "Windows Firewall: Domain: Logging: Size limit (KB)" to organizational standards. CC ID 08405 System hardening through configuration management Configuration
    Configure the "Control Event Log behavior when the log file reaches its maximum size" to organizational standards. CC ID 08444 System hardening through configuration management Configuration
    Configure the "Windows Firewall: Private: Logging: Log dropped packets" to organizational standards. CC ID 08445 System hardening through configuration management Configuration
    Configure the "Windows Firewall: Public: Logging: Log dropped packets" to organizational standards. CC ID 08454 System hardening through configuration management Configuration
    Configure the "Configure Protocol logging" to organizational standards. CC ID 08463 System hardening through configuration management Configuration
    Configure the "Message tracking logging - Transport" to organizational standards. CC ID 08477 System hardening through configuration management Configuration
    Configure the "Windows Firewall: Domain: Logging: Log dropped packets" to organizational standards. CC ID 08501 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: Removable Storage" to organizational standards. CC ID 08504 System hardening through configuration management Configuration
    Configure the "Windows Firewall: Domain: Logging: Name" to organizational standards. CC ID 08543 System hardening through configuration management Configuration
    Configure the "Windows Firewall: Public: Logging: Log successful connections" to organizational standards. CC ID 08545 System hardening through configuration management Configuration
    Configure the "Audit Policy: Object Access: Central Access Policy Staging" to organizational standards. CC ID 08558 System hardening through configuration management Configuration
    Configure the "Windows Firewall: Public: Logging: Name" to organizational standards. CC ID 08565 System hardening through configuration management Configuration
    Configure the "Windows Firewall: Private: Logging: Size limit (KB)" to organizational standards. CC ID 08606 System hardening through configuration management Configuration
    Configure the "kernel arguments" setting for "auditing early in the boot process" to organizational standards. CC ID 08749 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record date and time modification events" setting for "auditing" to organizational standards. CC ID 08750 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record user/group information modification events" setting for "auditing" to organizational standards. CC ID 08751 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record changes to the system network environment" setting for "auditing" to organizational standards. CC ID 08752 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record changes to the system's mandatory access controls" setting for "auditing" to organizational standards. CC ID 08753 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record logon and logout events" setting for "auditing" to organizational standards. CC ID 08754 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record process and session initiation events" setting for "auditing" to organizational standards. CC ID 08755 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record changes to discretionary access control permissions" setting for "auditing" to organizational standards. CC ID 08756 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record unauthorized attempts to access files" setting for "auditing" to organizational standards. CC ID 08757 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record use of privileged commands" setting for "auditing" to organizational standards. CC ID 08758 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record data export to media events" setting for "auditing" to organizational standards. CC ID 08759 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record file and program deletion events" setting for "auditing" to organizational standards. CC ID 08760 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record administrator and security personnel action events" setting for "auditing" to organizational standards. CC ID 08761 System hardening through configuration management Establish/Maintain Documentation
    Configure the "record kernel module loading and unloading events" setting for "auditing" to organizational standards. CC ID 08762 System hardening through configuration management Establish/Maintain Documentation
    Configure the "Ensure auditd configuration is immutable" setting for "auditing" to organizational standards. CC ID 08763 System hardening through configuration management Establish/Maintain Documentation
    Configure the "audit file ownership changes" setting to organizational standards. CC ID 08966 System hardening through configuration management Audits and Risk Management
    Configure the "audit change user functions" setting to organizational standards. CC ID 08982 System hardening through configuration management Configuration
    Configure the "audit the use of chmod command" setting to organizational standards. CC ID 08983 System hardening through configuration management Configuration
    Configure the "audit the chown command" setting to organizational standards. CC ID 08984 System hardening through configuration management Configuration
    Configure the "Collect Session Initiation Information" setting to organizational standards. CC ID 09948 System hardening through configuration management Configuration
    Configure the "Collect Discretionary Access Control Permission Modification Events" setting to organizational standards. CC ID 09949 System hardening through configuration management Configuration
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Fault Tolerant Heap" to organizational standards. CC ID 10808 System hardening through configuration management Configuration
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Boot Performance Diagnostics" to organizational standards. CC ID 10809 System hardening through configuration management Configuration
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Memory Leak Diagnosis" to organizational standards. CC ID 10810 System hardening through configuration management Configuration
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Resource Exhaustion Detection and Resolution" to organizational standards. CC ID 10811 System hardening through configuration management Configuration
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Shutdown Performance Diagnostics" to organizational standards. CC ID 10812 System hardening through configuration management Configuration
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows Standby/Resume Performance Diagnostics" to organizational standards. CC ID 10813 System hardening through configuration management Configuration
    Configure the "Scenario Execution Level" setting for "Diagnostic Policy Service (DPS)" for "Windows System Responsiveness Diagnostics" to organizational standards. CC ID 10814 System hardening through configuration management Configuration
    Configure the "Default quota limit and warning level" setting to organizational standards. CC ID 10840 System hardening through configuration management Configuration
    Configure the "Detect application failures caused by deprecated COM objects" setting to organizational standards. CC ID 10851 System hardening through configuration management Configuration
    Configure the "Detect application failures caused by deprecated Windows DLLs" setting to organizational standards. CC ID 10852 System hardening through configuration management Configuration
    Configure the "Detect application install failures" setting to organizational standards. CC ID 10853 System hardening through configuration management Configuration
    Configure the "Detect application installers that need to be run as administrator" setting to organizational standards. CC ID 10854 System hardening through configuration management Configuration
    Configure the "Detect applications unable to launch installers under UAC" setting to organizational standards. CC ID 10855 System hardening through configuration management Configuration
    Configure the "Diagnostics: Configure scenario execution level" setting to organizational standards. CC ID 10856 System hardening through configuration management Configuration
    Configure the "Disk Diagnostic: Configure execution level" setting to organizational standards. CC ID 10883 System hardening through configuration management Configuration
    Configure the "Log event when quota warning level exceeded" setting to organizational standards. CC ID 11031 System hardening through configuration management Configuration
    Configure the "Log File Debug Output Level" setting to organizational standards. CC ID 11032 System hardening through configuration management Configuration
    Configure the "Microsoft Support Diagnostic Tool: Configure execution level" setting to organizational standards. CC ID 11043 System hardening through configuration management Configuration
    Configure the "Primary DNS Suffix Devolution Level" setting to organizational standards. CC ID 11096 System hardening through configuration management Configuration
    Configure the "Require user authentication for remote connections by using Network Level Authentication" setting to organizational standards. CC ID 11138 System hardening through configuration management Configuration
    Configure the "Specify channel binding token hardening level" setting to organizational standards. CC ID 11209 System hardening through configuration management Configuration
    Configure the "Update Security Level" setting to organizational standards. CC ID 11357 System hardening through configuration management Configuration
    Configure the "Update Top Level Domain Zones" setting to organizational standards. CC ID 11358 System hardening through configuration management Configuration
    Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards. CC ID 07621 System hardening through configuration management Configuration
    Configure the "Password must meet complexity requirements" to organizational standards. CC ID 07743
    [Enforce a minimum password complexity and change of characters when new passwords are created. 3.5.7]
    System hardening through configuration management Configuration
    Configure the "Enforce password history" to organizational standards. CC ID 07877
    [Prevent reuse of identifiers for a defined period. 3.5.5
    Prohibit password reuse for a specified number of generations. 3.5.8]
    System hardening through configuration management Configuration
    Configure security and protection software according to Organizational Standards. CC ID 11917 System hardening through configuration management Configuration
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Establish/Maintain Documentation
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 Records management Establish/Maintain Documentation
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464
    [Ensure equipment removed for off-site maintenance is sanitized of any CUI. 3.7.3]
    Records management Data and Information Management
    Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643
    [Sanitize or destroy information system media containing CUI before disposal or release for reuse. 3.8.3]
    Records management Data and Information Management
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Establish/Maintain Documentation
    Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 Records management Establish/Maintain Documentation
    Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926
    [Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital. 3.8.1]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Records management Establish/Maintain Documentation
    Establish, implement, and maintain security label procedures. CC ID 06747
    [Mark media with necessary CUI markings and distribution limitations. 3.8.4]
    Records management Establish/Maintain Documentation
    Label restricted storage media appropriately. CC ID 00966 Records management Data and Information Management
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Records management Establish/Maintain Documentation
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Establish/Maintain Documentation
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Establish/Maintain Documentation
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Establish/Maintain Documentation
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Establish/Maintain Documentation
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Establish/Maintain Documentation
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Data and Information Management
    Establish, implement, and maintain online storage controls. CC ID 00942 Records management Technical Security
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 Records management Records Management
    Provide encryption for different types of electronic storage media. CC ID 00945
    [Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. 3.8.6]
    Records management Technical Security
    Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include information security throughout the system development life cycle. CC ID 12042
    [Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems. 3.13.2]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Protect confidential information during the system development life cycle program. CC ID 13479 Systems design, build, and implementation Data and Information Management