
FedRAMP Baseline Security Controls, 8/28/2018



AD ID

0003017

AD STATUS

FedRAMP Baseline Security Controls, 8/28/2018

ORIGINATOR

US General Services Administration

TYPE

Audit Guideline

AVAILABILITY

Free

SYNONYMS

FedRAMP Security Controls Baseline, 2018

FedRAMP Baseline Security Controls

EFFECTIVE

2018-08-28

ADDED

The document as a whole was last reviewed and released on 2020-03-02T00:00:00-0800.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document, but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has made every effort to ensure that the quality of the mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because those Citations and mandates are tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within FedRAMP Baseline Security Controls, 8/28/2018 that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for FedRAMP Baseline Security Controls, 8/28/2018 are based on terms found within the Authority Document's defined-terms section (which most legal documents have) or its glossary and, for the most part, on terms tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone
764 Mandated Controls (bold), 208 Implied Controls (italic), 7976 Implementation Controls (regular)

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 8948 Total
  • Acquisition or sale of facilities, technology, and services: 45 controls
    KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular
    Columns: Control, CC ID, TYPE, CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition/Sale of Assets or Services Preventive
    Allocate sufficient resources to protect Information Systems during capital planning. CC ID 01444
    [The organization: Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and SA-2b. High Baseline Controls
    The organization: Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and SA-2b. Moderate Baseline Controls
    The organization: Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and SA-2b. Low Baseline Controls]
    Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain system acquisition contracts. CC ID 14758 Establish/Maintain Documentation Preventive
    Include security requirements in system acquisition contracts. CC ID 01124
    [The organization: Determines information security requirements for the information system or information system service in mission/business process planning; SA-2a. High Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security assurance requirements; SA-4c. High Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Requirements for protecting security-related documentation; SA-4e. High Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security strength requirements; SA-4b. High Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security-related documentation requirements; SA-4d. High Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements; SA-4a. High Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security strength requirements; SA-4b. Moderate Baseline Controls
    The organization: Determines information security requirements for the information system or information system service in mission/business process planning; SA-2a. Moderate Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security-related documentation requirements; SA-4d. Moderate Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security assurance requirements; SA-4c. Moderate Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Requirements for protecting security-related documentation; SA-4e. Moderate Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements; SA-4a. Moderate Baseline Controls
    The organization: Determines information security requirements for the information system or information system service in mission/business process planning; SA-2a. Low Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Requirements for protecting security-related documentation; SA-4e. Low Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security assurance requirements; SA-4c. Low Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security-related documentation requirements; SA-4d. Low Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security strength requirements; SA-4b. Low Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements; SA-4a. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include operational requirements in system acquisition contracts. CC ID 00825 Establish/Maintain Documentation Preventive
    Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 Establish/Maintain Documentation Preventive
    Include required service levels in system acquisition contracts. CC ID 11652 Establish/Maintain Documentation Preventive
    Include security controls in system acquisition contracts. CC ID 01125 Establish/Maintain Documentation Preventive
    Include the cost effectiveness of security controls in system acquisition contracts. CC ID 11653 Technical Security Detective
    Obtain system documentation before acquiring products and services. CC ID 01445
    [The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. SA-4(1) High Baseline Controls
    The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: SA-5a. High Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. SA-4(1) Moderate Baseline Controls
    The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: SA-5a. Moderate Baseline Controls
    The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: SA-5a. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309
    [{security mechanisms} The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Effective use and maintenance of security functions/mechanisms; and SA-5a.2. High Baseline Controls
    {security mechanisms} The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Effective use and maintenance of security functions/mechanisms; and SA-5a.2. Moderate Baseline Controls
    {security mechanisms} The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Effective use and maintenance of security functions/mechanisms; and SA-5a.2. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302
    [{administrative functions} The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; SA-5a.3. High Baseline Controls
    {administrative functions} The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; SA-5a.3. Moderate Baseline Controls
    {administrative functions} The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; SA-5a.3. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285
    [The organization: Distributes documentation to [FedRAMP Assignment: at a minimum, the ISSO (or similar role within the organization)]. SA-5e. High Baseline Controls
    The organization: Distributes documentation to [Assignment: organization-defined personnel or roles]. SA-5e. Moderate Baseline Controls
    The organization: Distributes documentation to [Assignment: organization-defined personnel or roles]. SA-5e. Low Baseline Controls]
    Communicate Preventive
    Document attempts to obtain system documentation. CC ID 14284
    [The organization: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response; SA-5c. High Baseline Controls
    The organization: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response; SA-5c. Moderate Baseline Controls
    The organization: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response; SA-5c. Low Baseline Controls]
    Process or Activity Corrective
    Obtain user documentation before acquiring products and services. CC ID 14283
    [The organization: Obtains user documentation for the information system, system component, or information system service that describes: SA-5b. High Baseline Controls
    The organization: Obtains user documentation for the information system, system component, or information system service that describes: SA-5b. Moderate Baseline Controls
    The organization: Obtains user documentation for the information system, system component, or information system service that describes: SA-5b. Low Baseline Controls]
    Acquisition/Sale of Assets or Services Preventive
    Include instructions on how to use the security functions in the user documentation. CC ID 14314
    [The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; SA-5b.1. High Baseline Controls
    The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; SA-5b.1. Moderate Baseline Controls
    The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; SA-5b.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include security functions in the user documentation. CC ID 14313
    [The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; SA-5b.1. High Baseline Controls
    The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; SA-5b.1. Moderate Baseline Controls
    The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; SA-5b.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include user responsibilities for maintaining system security in the user documentation. CC ID 14312
    [The organization: Obtains user documentation for the information system, system component, or information system service that describes: User responsibilities in maintaining the security of the system, component, or service; SA-5b.3. High Baseline Controls
    The organization: Obtains user documentation for the information system, system component, or information system service that describes: User responsibilities in maintaining the security of the system, component, or service; SA-5b.3. Moderate Baseline Controls
    The organization: Obtains user documentation for the information system, system component, or information system service that describes: User responsibilities in maintaining the security of the system, component, or service; SA-5b.3. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include a description of user interactions in the user documentation. CC ID 14311
    [The organization: Obtains user documentation for the information system, system component, or information system service that describes: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and SA-5b.2. High Baseline Controls
    The organization: Obtains user documentation for the information system, system component, or information system service that describes: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and SA-5b.2. Moderate Baseline Controls
    The organization: Obtains user documentation for the information system, system component, or information system service that describes: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and SA-5b.2. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Require the information system developer to create a continuous monitoring plan. CC ID 14307
    [The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [FedRAMP Assignment: at least the minimum requirement as defined in control CA-7]. SA-4(8) High Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [FedRAMP Assignment: at least the minimum requirement as defined in control CA-7]. SA-4(8) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Provide a Configuration Management plan by the Information System developer for all newly acquired assets. CC ID 01446
    [The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [FedRAMP Selection: development, implementation, AND operation]; SA-10a. High Baseline Controls
    {external system service providers} The organization requires providers of [FedRAMP Assignment: all external systems where Federal information is processed or stored] to identify the functions, ports, protocols, and other services required for the use of such services. SA-9(2) High Baseline Controls
    The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service; SA-5a.1. High Baseline Controls
    The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service; SA-5a.1. Moderate Baseline Controls
    {external system service providers} The organization requires providers of [FedRAMP Assignment: all external systems where Federal information is processed or stored] to identify the functions, ports, protocols, and other services required for the use of such services. SA-9(2) Moderate Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [FedRAMP Selection: development, implementation, AND operation]; SA-10a. Moderate Baseline Controls
    The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service; SA-5a.1. Low Baseline Controls]
    Testing Detective
    Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets. CC ID 01447
    [The organization requires the developer of the information system, system component, or information system service to: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; SA-11b. High Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; SA-11c. High Baseline Controls
    {threat analysis} The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service. SA-11(2) High Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan; SA-11a. High Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; SA-11b. Moderate Baseline Controls
    {threat analysis} The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service. SA-11(2) Moderate Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan; SA-11a. Moderate Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; SA-11c. Moderate Baseline Controls]
    Testing Detective
    Include the acceptance criteria in system acquisition contracts. CC ID 14288
    [The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Acceptance criteria. SA-4g. High Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Acceptance criteria. SA-4g. Moderate Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Acceptance criteria. SA-4g. Low Baseline Controls]
    Acquisition/Sale of Assets or Services Preventive
    Include a description of the development environment and operational environment in system acquisition contracts. CC ID 14256
    [The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Description of the information system development environment and environment in which the system is intended to operate; and SA-4f. High Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Description of the information system development environment and environment in which the system is intended to operate; and SA-4f. Moderate Baseline Controls
    The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Description of the information system development environment and environment in which the system is intended to operate; and SA-4f. Low Baseline Controls]
    Acquisition/Sale of Assets or Services Preventive
    Conduct an acquisition feasibility study prior to acquiring assets. CC ID 01129 Acquisition/Sale of Assets or Services Detective
    Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135
    [The organization: Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and SA-9(1)(a) High Baseline Controls
    The organization: Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and SA-9(1)(a) Moderate Baseline Controls]
    Testing Detective
    Refrain from implementing systems that are beyond the organization's risk acceptance level. CC ID 13054 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain a product and services acquisition program. CC ID 01136 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a product and services acquisition policy. CC ID 14028
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. High Baseline Controls
    The organization: Reviews and updates the current: System and services acquisition policy [FedRAMP Assignment: at least annually]; and SA-1b.1. High Baseline Controls
    Reviews and updates the current: System and services acquisition policy [FedRAMP Assignment: at least every 3 years]; and SA-1b.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Low Baseline Controls
    Reviews and updates the current: System and services acquisition policy [FedRAMP Assignment: at least every 3 years]; and SA-1b.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Obtain authorization for marketing new products. CC ID 16805 Business Processes Preventive
    Include compliance requirements in the product and services acquisition policy. CC ID 14163
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the product and services acquisition policy. CC ID 14162
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include management commitment in the product and services acquisition policy. CC ID 14161
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the product and services acquisition policy. CC ID 14160
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the scope in the product and services acquisition policy. CC ID 14159
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the purpose in the product and services acquisition policy. CC ID 14158
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1. Moderate Baseline Controls]
    Communicate Preventive
    Establish, implement, and maintain product and services acquisition procedures. CC ID 14065
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and SA-1a.2. High Baseline Controls
    The organization: Reviews and updates the current: System and services acquisition procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. SA-1b.2. High Baseline Controls
    Reviews and updates the current: System and services acquisition procedures [FedRAMP Assignment: at least annually]. SA-1b.2. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and SA-1a.2. Low Baseline Controls
    Reviews and updates the current: System and services acquisition procedures [FedRAMP Assignment: at least annually]. SA-1b.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and SA-1a.2. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and SA-1a.2. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and SA-1a.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and SA-1a.2. Moderate Baseline Controls]
    Communicate Preventive
    Review and update the acquisition contracts, as necessary. CC ID 14279
    [The organization: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. PL-8c. High Baseline Controls
    The organization: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. PL-8c. Moderate Baseline Controls]
    Acquisition/Sale of Assets or Services Corrective
    Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836
    [{approved product list} The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. SA-4(10) High Baseline Controls
    The organization protects against supply chain threats to the information system, system component, or information system service by employing [FedRAMP Assignment: organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures] as part of a comprehensive, defense-in-breadth information security strategy. SA-12 High Baseline Controls
    {approved product list} The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. SA-4(10) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Install software that originates from approved third parties. CC ID 12184 Technical Security Preventive
    Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 Establish/Maintain Documentation Preventive
    Authorize new assets prior to putting them into the production environment. CC ID 13530
    [The organization: Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. SA-9(1)(b) High Baseline Controls
    The organization: Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. SA-9(1)(b) Moderate Baseline Controls]
    Process or Activity Preventive
  • Audits and risk management
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an audit program. CC ID 00684 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain audit policies. CC ID 13166
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. High Baseline Controls]
    Establish/Maintain Documentation Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and Risk Management Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [The organization: Develops a security assessment plan that describes the scope of the assessment including: Assessment procedures to be used to determine security control effectiveness; and CA-2a.2. High Baseline Controls
    The organization: Develops a security assessment plan that describes the scope of the assessment including: Assessment procedures to be used to determine security control effectiveness; and CA-2a.2. Low Baseline Controls
    The organization: Develops a security assessment plan that describes the scope of the assessment including: Assessment procedures to be used to determine security control effectiveness; and CA-2a.2. Moderate Baseline Controls]
    Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Process or Activity Preventive
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and Risk Management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and Risk Management Detective
    Establish and maintain organizational audit reports. CC ID 06731 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Establish/Maintain Documentation Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653
    [{audit record review} The organization: Reports findings to [Assignment: organization-defined personnel or roles]. AU-6b. High Baseline Controls
    {audit record review} The organization: Reports findings to [Assignment: organization-defined personnel or roles]. AU-6b. Moderate Baseline Controls
    {audit record review} The organization: Reports findings to [Assignment: organization-defined personnel or roles]. AU-6b. Low Baseline Controls]
    Log Management Detective
    Establish, implement, and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. High Baseline Controls
    The organization: Reviews and updates the current: Risk assessment policy [FedRAMP Assignment: at least annually]; and RA-1b.1. High Baseline Controls
    Reviews and updates the current: Risk assessment policy [FedRAMP Assignment: at least every 3 years]; RA-1b.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Moderate Baseline Controls
    Reviews and updates the current: Risk assessment policy [FedRAMP Assignment: at least every 3 years]; RA-1b.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1. Moderate Baseline Controls]
    Communicate Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446
    [The organization: Reviews and updates the current: Risk assessment procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. RA-1b.2. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and RA-1a.2. High Baseline Controls
    Reviews and updates the current: Risk assessment procedures [FedRAMP Assignment: at least annually]. RA-1b.2. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and RA-1a.2. Low Baseline Controls
    Reviews and updates the current: Risk assessment procedures [FedRAMP Assignment: at least annually]. RA-1b.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and RA-1a.2. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Establish/Maintain Documentation Preventive
    Document cybersecurity risks. CC ID 12281 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Establish/Maintain Documentation Preventive
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and Risk Management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Establish/Maintain Documentation Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277 Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443
    [{external requirements} The organization: Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; RA-2a. High Baseline Controls
    {external requirements} The organization: Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; RA-2a. Moderate Baseline Controls
    {external requirements} The organization: Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; RA-2a. Low Baseline Controls]
    Audits and Risk Management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and Risk Management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and Risk Management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Business Processes Preventive
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and Risk Management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Establish/Maintain Documentation Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Establish/Maintain Documentation Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Establish/Maintain Documentation Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Establish/Maintain Documentation Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Establish/Maintain Documentation Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and Risk Management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and RA-1a.2. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and RA-1a.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and RA-1a.2. Moderate Baseline Controls]
    Communicate Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Establish/Maintain Documentation Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; RA-3a. High Baseline Controls
    The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; RA-3a. Moderate Baseline Controls
    The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; RA-3a. Low Baseline Controls]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481
    [The organization: Produces a security assessment report that documents the results of the assessment; and CA-2c. High Baseline Controls
    The organization: Documents risk assessment results in [FedRAMP Assignment: security assessment report]; RA-3b. High Baseline Controls
    The organization: Produces a security assessment report that documents the results of the assessment; and CA-2c. Low Baseline Controls
    The organization: Produces a security assessment report that documents the results of the assessment; and CA-2c. Moderate Baseline Controls
    The organization: Documents risk assessment results in [FedRAMP Assignment: security assessment report]; RA-3b. Moderate Baseline Controls
    The organization: Documents risk assessment results in [FedRAMP Assignment: security assessment report]; RA-3b. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109
    [{security control assessment} The organization accepts the results of an assessment of [FedRAMP Assignment: any FedRAMP Accredited 3PAO] performed by [FedRAMP Assignment: any FedRAMP Accredited 3PAO] when the assessment meets [FedRAMP Assignment: the conditions of the JAB/AO in the FedRAMP Repository]. CA-2(3) High Baseline Controls
    {security control assessment} The organization accepts the results of an assessment of [FedRAMP Assignment: any FedRAMP Accredited 3PAO] performed by [FedRAMP Assignment: any FedRAMP Accredited 3PAO] when the assessment meets [FedRAMP Assignment: the conditions of the JAB/AO in the FedRAMP Repository]. CA-2(3) Moderate Baseline Controls]
    Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [The organization: Updates the risk assessment [FedRAMP Assignment: annually] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. RA-3e. High Baseline Controls
    The organization: Updates the risk assessment [FedRAMP Assignment: at least every three (3) years or when a significant change occurs] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. RA-3e. Moderate Baseline Controls
    The organization: Updates the risk assessment [FedRAMP Assignment: at least every three (3) years or when a significant change occurs] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. RA-3e. Low Baseline Controls]
    Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633
    [The organization: Provides the results of the security control assessment to [FedRAMP Assignment: individuals or roles to include FedRAMP PMO]. CA-2d. High Baseline Controls
    The organization: Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and RA-3d. High Baseline Controls
    The organization: Provides the results of the security control assessment to [FedRAMP Assignment: individuals or roles to include FedRAMP PMO]. CA-2d. Low Baseline Controls
    The organization: Provides the results of the security control assessment to [FedRAMP Assignment: individuals or roles to include FedRAMP PMO]. CA-2d. Moderate Baseline Controls
    The organization: Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and RA-3d. Moderate Baseline Controls
    The organization: Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and RA-3d. Low Baseline Controls]
    Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Business Processes Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718
    [The organization determines what information about the information system is discoverable by adversaries and subsequently takes [FedRAMP Assignment: notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions]. RA-5(4) High Baseline Controls]
    Behavior Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [The organization: Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and CA-5a. High Baseline Controls
    The organization: Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and CA-5a. Low Baseline Controls
    The organization: Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and CA-5a. Moderate Baseline Controls]
    Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485
    [The organization: Reviews risk assessment results [FedRAMP Assignment: at least annually or whenever a significant change occurs]; RA-3c. High Baseline Controls
    The organization: Reviews risk assessment results [FedRAMP Assignment: at least every three (3) years or when a significant change occurs]; RA-3c. Moderate Baseline Controls
    The organization: Reviews risk assessment results [FedRAMP Assignment: at least every three (3) years or when a significant change occurs]; RA-3c. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
  • Human Resources management
    179
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 Establish Roles Preventive
    Assign senior management to the role of authorizing official. CC ID 14238
    [Assigns a senior-level executive or manager as the authorizing official for the information system; CA-6a. High Baseline Controls
    Assigns a senior-level executive or manager as the authorizing official for the information system; CA-6a. Moderate Baseline Controls
    Assigns a senior-level executive or manager as the authorizing official for the information system; CA-6a. Low Baseline Controls]
    Establish Roles Preventive
    Define and assign the security staff roles and responsibilities. CC ID 11750
    [The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle; SA-3b. High Baseline Controls
    The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle; SA-3b. Moderate Baseline Controls
    The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle; SA-3b. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267
    [The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and SA-9b. High Baseline Controls
    The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and SA-9b. Moderate Baseline Controls
    The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and SA-9b. Low Baseline Controls]
    Human Resources Management Preventive
    Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources Management Preventive
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113 Establish Roles Preventive
    Document the use of external experts. CC ID 16263 Human Resources Management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 Human Resources Management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources Management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources Management Preventive
    Identify and define all critical roles. CC ID 00777
    [The organization: Designates individuals authorized to post information onto a publicly accessible information system; AC-22a. High Baseline Controls
    The organization: Designates individuals authorized to post information onto a publicly accessible information system; AC-22a. Moderate Baseline Controls
    The organization: Designates individuals authorized to post information onto a publicly accessible information system; AC-22a. Low Baseline Controls]
    Establish Roles Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Establish Roles Preventive
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources Management Preventive
    Assign the role of security management to applicable controls. CC ID 06444 Establish Roles Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources Management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources Management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources Management Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Communicate Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Establish Roles Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources Management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources Management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources Management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Establish Roles Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources Management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Establish Roles Preventive
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Establish Roles Preventive
    Assign the role of logical access control to applicable controls. CC ID 00772 Establish Roles Preventive
    Assign the role of asset physical security to applicable controls. CC ID 00770 Establish Roles Preventive
    Assign the role of data custodian to applicable controls. CC ID 04789 Establish Roles Preventive
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Establish Roles Preventive
    Assign interested personnel to the Quality Management committee. CC ID 07193 Establish Roles Preventive
    Assign the roles and responsibilities for the asset management system. CC ID 14368 Establish/Maintain Documentation Preventive
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Establish Roles Preventive
    Assign the role of fire protection management to applicable controls. CC ID 04891 Establish Roles Preventive
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Establish Roles Preventive
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Establish Roles Preventive
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Establish Roles Preventive
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources Management Preventive
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources Management Preventive
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources Management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security policy. CC ID 14025
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. High Baseline Controls
    The organization: Reviews and updates the current: Personnel security policy [FedRAMP Assignment: at least annually]; and PS-1b.1. High Baseline Controls
    Reviews and updates the current: Personnel security policy [FedRAMP Assignment: at least every 3 years]; and PS-1b.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Low Baseline Controls
    Reviews and updates the current: Personnel security policy [FedRAMP Assignment: at least every 3 years]; and PS-1b.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the personnel security policy. CC ID 14154
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the personnel security policy. CC ID 14114
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include management commitment in the personnel security policy. CC ID 14113
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the personnel security policy. CC ID 14112
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the scope in the personnel security policy. CC ID 14111
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the purpose in the personnel security policy. CC ID 14110
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personnel security procedures. CC ID 14058
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and PS-1a.2. High Baseline Controls
    The organization: Reviews and updates the current: Personnel security procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. PS-1b.2. High Baseline Controls
    Reviews and updates the current: Personnel security procedures [FedRAMP Assignment: at least annually]. PS-1b.2. Moderate Baseline Controls
    Reviews and updates the current: Personnel security procedures [FedRAMP Assignment: at least annually]. PS-1b.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and PS-1a.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and PS-1a.2. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and PS-1a.2. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and PS-1a.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and PS-1a.2. Moderate Baseline Controls]
    Communicate Preventive
    Establish, implement, and maintain security clearance level criteria. CC ID 00780 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain staff position risk designations. CC ID 14280
    [The organization: Reviews and updates position risk designations [FedRAMP Assignment: at least annually]. PS-2c. High Baseline Controls
    The organization: Reviews and updates position risk designations [FedRAMP Assignment: at least every three years]. PS-2c. Moderate Baseline Controls
    The organization: Assigns a risk designation to all organizational positions; PS-2a. High Baseline Controls
    The organization: Reviews and updates position risk designations [FedRAMP Assignment: at least every three years]. PS-2c. Low Baseline Controls
    The organization: Assigns a risk designation to all organizational positions; PS-2a. Moderate Baseline Controls
    The organization: Assigns a risk designation to all organizational positions; PS-2a. Low Baseline Controls]
    Human Resources Management Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 Testing Detective
    Establish, implement, and maintain personnel screening procedures. CC ID 11700
    [The organization: Establishes screening criteria for individuals filling those positions; and PS-2b. High Baseline Controls
    The organization: Establishes screening criteria for individuals filling those positions; and PS-2b. Moderate Baseline Controls
    The organization: Establishes screening criteria for individuals filling those positions; and PS-2b. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Communicate Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763
    [The organization: Screens individuals prior to authorizing access to the information system; and PS-3a. High Baseline Controls
    The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: Satisfy [FedRAMP Assignment: personnel screening criteria – as required by specific information]. PS-3(3)(b) High Baseline Controls
    The organization: Rescreens individuals according to [FedRAMP Assignment: for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions]. PS-3b. High Baseline Controls
    The organization: Screens individuals prior to authorizing access to the information system; and PS-3a. Moderate Baseline Controls
    The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: Satisfy [FedRAMP Assignment: personnel screening criteria – as required by specific information]. PS-3(3)(b) Moderate Baseline Controls
    The organization: Screens individuals prior to authorizing access to the information system; and PS-3a. Low Baseline Controls
    The organization: Rescreens individuals according to [FedRAMP Assignment: for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions]. PS-3b. Low Baseline Controls
    The organization: Rescreens individuals according to [FedRAMP Assignment: for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions]. PS-3b. Moderate Baseline Controls]
    Human Resources Management Preventive
    Identify and watch individuals that pose a risk to the organization. CC ID 10674
    [The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk. SI-4(19) High Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549
    [The organization: Initiates [Assignment: organization-defined transfer or reassignment actions] within [FedRAMP Assignment: twenty-four (24) hours]; PS-5b. High Baseline Controls
    The organization: Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; PS-5b. Moderate Baseline Controls
    The organization: Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; PS-5b. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Technical Security Corrective
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826
    [The information system terminates shared/group account credentials when members leave the group. AC-2(10) High Baseline Controls
    The organization, upon termination of individual employment: Terminates/revokes any authenticators/credentials associated with the individual; PS-4b. High Baseline Controls
    The information system terminates shared/group account credentials when members leave the group. AC-2(10) Moderate Baseline Controls
    The organization, upon termination of individual employment: Terminates/revokes any authenticators/credentials associated with the individual; PS-4b. Moderate Baseline Controls
    The organization, upon termination of individual employment: Terminates/revokes any authenticators/credentials associated with the individual; PS-4b. Low Baseline Controls]
    Technical Security Corrective
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources Management Preventive
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309
    [The organization, upon termination of individual employment: Disables information system access within [FedRAMP Assignment: eight (8) hours]; PS-4a. High Baseline Controls
    The organization, upon termination of individual employment: Disables information system access within [FedRAMP Assignment: same day]; PS-4a. Moderate Baseline Controls
    The organization, upon termination of individual employment: Disables information system access within [FedRAMP Assignment: same day]; PS-4a. Low Baseline Controls]
    Data and Information Management Corrective
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources Management Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677
    [The organization notifies account managers: When accounts are no longer required; AC-2h.1. High Baseline Controls
    The organization notifies account managers: When users are terminated or transferred; and AC-2h.2. High Baseline Controls
    The organization, upon termination of individual employment: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. PS-4f. High Baseline Controls
    The organization employs automated mechanisms to notify [FedRAMP Assignment: access control personnel responsible for disabling access to the system] upon termination of an individual. PS-4(2) High Baseline Controls
    The organization: Notifies [Assignment: organization-defined personnel or roles] within [FedRAMP Assignment: twenty-four (24) hours]. PS-5d. High Baseline Controls
    The organization notifies account managers: When individual information system usage or need-to-know changes; AC-2h.3. High Baseline Controls
    The organization notifies account managers: When accounts are no longer required; AC-2h.1. Moderate Baseline Controls
    The organization notifies account managers: When users are terminated or transferred; and AC-2h.2. Moderate Baseline Controls
    The organization notifies account managers: When individual information system usage or need-to-know changes; AC-2h.3. Moderate Baseline Controls
    The organization: Notifies [Assignment: organization-defined personnel or roles] within [FedRAMP Assignment: five days of the time period following the formal transfer action (DoD 24 hours)]. PS-5d. Moderate Baseline Controls
    The organization notifies account managers: When accounts are no longer required; AC-2h.1. Low Baseline Controls
    The organization notifies account managers: When users are terminated or transferred; and AC-2h.2. Low Baseline Controls
    The organization notifies account managers: When individual information system usage or need-to-know changes; AC-2h.3. Low Baseline Controls
    The organization, upon termination of individual employment: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. PS-4f. Low Baseline Controls
    The organization: Notifies [Assignment: organization-defined personnel or roles] within [FedRAMP Assignment: five days of the time period following the formal transfer action (DoD 24 hours)]. PS-5d. Low Baseline Controls
    The organization, upon termination of individual employment: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. PS-4f. Moderate Baseline Controls]
    Behavior Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 Communicate Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources Management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources Management Corrective
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Behavior Preventive
    Conduct exit interviews upon termination of employment. CC ID 14290
    [The organization, upon termination of individual employment: Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; PS-4c. High Baseline Controls
    The organization, upon termination of individual employment: Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; PS-4c. Moderate Baseline Controls
    The organization, upon termination of individual employment: Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; PS-4c. Low Baseline Controls]
    Human Resources Management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Establish/Maintain Documentation Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources Management Detective
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Establish Roles Preventive
    Assign and staff all roles appropriately. CC ID 00784
    [The organization requires an information security representative to be a member of the [FedRAMP Assignment: Configuration control board (CCB) or similar (as defined in CM-3)]. CM-3(4) High Baseline Controls]
    Testing Detective
    Delegate authority for specific processes, as necessary. CC ID 06780 Behavior Preventive
    Implement segregation of duties in roles and responsibilities. CC ID 00774
    [The organization: Separates [Assignment: organization-defined duties of individuals]; AC-5a. High Baseline Controls
    The organization: Documents separation of duties of individuals; and AC-5b. High Baseline Controls
    The organization: Separates [Assignment: organization-defined duties of individuals]; AC-5a. Moderate Baseline Controls
    The organization: Documents separation of duties of individuals; and AC-5b. Moderate Baseline Controls]
    Testing Detective
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 Technical Security Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [The organization: Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; AC-22b. High Baseline Controls
    The organization: Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; AC-22b. Moderate Baseline Controls
    The organization: Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; AC-22b. Low Baseline Controls]
    Behavior Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671 Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources Management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Establish/Maintain Documentation Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Establish/Maintain Documentation Preventive
    Submit applications for professional certification. CC ID 16192 Training Preventive
    Retrain all personnel, as necessary. CC ID 01362
    [The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): When required by information system changes; and AT-2b. High Baseline Controls
    {at least once each year} The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): [FedRAMP Assignment: at least annually] thereafter. AT-2c. High Baseline Controls
    The organization provides role-based security training to personnel with assigned security roles and responsibilities: When required by information system changes; and AT-3b. High Baseline Controls
    The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): When required by information system changes; and AT-2b. Moderate Baseline Controls
    {at least once each year} The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): [FedRAMP Assignment: at least annually] thereafter. AT-2c. Moderate Baseline Controls
    The organization provides role-based security training to personnel with assigned security roles and responsibilities: When required by information system changes; and AT-3b. Moderate Baseline Controls
    The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): When required by information system changes; and AT-2b. Low Baseline Controls
    {at least once each year} The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): [FedRAMP Assignment: at least annually] thereafter. AT-2c. Low Baseline Controls
    The organization provides role-based security training to personnel with assigned security roles and responsibilities: When required by information system changes; and AT-3b. Low Baseline Controls]
    Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674
    [The organization provides role-based security training to personnel with assigned security roles and responsibilities: AT-3 High Baseline Controls
    The organization provides role-based security training to personnel with assigned security roles and responsibilities: Before authorizing access to the information system or performing assigned duties; AT-3a. High Baseline Controls
    {at least once each year} The organization provides role-based security training to personnel with assigned security roles and responsibilities: [FedRAMP Assignment: at least annually] thereafter. AT-3c. High Baseline Controls
    The organization provides role-based security training to personnel with assigned security roles and responsibilities: AT-3 Moderate Baseline Controls
    The organization provides role-based security training to personnel with assigned security roles and responsibilities: Before authorizing access to the information system or performing assigned duties; AT-3a. Moderate Baseline Controls
    {at least once each year} The organization provides role-based security training to personnel with assigned security roles and responsibilities: [FedRAMP Assignment: at least annually] thereafter. AT-3c. Moderate Baseline Controls
    The organization provides role-based security training to personnel with assigned security roles and responsibilities: AT-3 Low Baseline Controls
    The organization provides role-based security training to personnel with assigned security roles and responsibilities: Before authorizing access to the information system or performing assigned duties; AT-3a. Low Baseline Controls
    {at least once each year} The organization provides role-based security training to personnel with assigned security roles and responsibilities: [FedRAMP Assignment: at least annually] thereafter. AT-3c. Low Baseline Controls]
    Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423
    [The organization: Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and AT-4a. High Baseline Controls
    The organization: Obtains evidence of contingency testing/training by providers [FedRAMP Assignment: annually]. CP-8(4)(c) High Baseline Controls
    The organization: Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and AT-4a. Moderate Baseline Controls
    The organization: Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and AT-4a. Low Baseline Controls]
    Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752
    [The organization includes practical exercises in security training that reinforce training objectives. AT-3(3) High Baseline Controls
    The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment. IR-2(2) High Baseline Controls]
    Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672 Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Review the current published guidance and awareness and training programs. CC ID 01245
    [The organization: Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and AT-4a. High Baseline Controls
    The organization: Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and AT-4a. Moderate Baseline Controls
    The organization: Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and AT-4a. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Establish/Maintain Documentation Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Training Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Training Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Training Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Training Detective
    Develop or acquire content to update the training plans. CC ID 12867 Training Preventive
    Designate training facilities in the training plan. CC ID 16200 Training Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Establish/Maintain Documentation Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources Management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Training Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources Management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Training Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Training Preventive
    Conduct Archives and Records Management training. CC ID 00975 Behavior Preventive
    Conduct personal data processing training. CC ID 13757 Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Training Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. High Baseline Controls
    The organization: Reviews and updates the current: Security awareness and training policy [FedRAMP Assignment: at least annually or whenever a significant change occurs]; and AT-1b.1. High Baseline Controls
    Reviews and updates the current: Security awareness and training policy [FedRAMP Assignment: at least every 3 years]; and AT-1b.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Low Baseline Controls
    Reviews and updates the current: Security awareness and training policy [FedRAMP Assignment: at least every 3 years]; and AT-1b.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and AT-1a.2. High Baseline Controls
    The organization: Reviews and updates the current: Security awareness and training procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. AT-1b.2. High Baseline Controls
    Reviews and updates the current: Security awareness and training procedures [FedRAMP Assignment: at least annually]. AT-1b.2. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and AT-1a.2. Low Baseline Controls
    Reviews and updates the current: Security awareness and training procedures [FedRAMP Assignment: at least annually]. AT-1b.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and AT-1a.2. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and AT-1a.2. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and AT-1a.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and AT-1a.2. Moderate Baseline Controls]
    Communicate Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Include media protection in the security awareness program. CC ID 16368 Training Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include physical security in the security awareness program. CC ID 16369 Training Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Training Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800
    [The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): As part of initial training for new users; AT-2a. High Baseline Controls
    The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): As part of initial training for new users; AT-2a. Moderate Baseline Controls
    The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): As part of initial training for new users; AT-2a. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823
    [The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): AT-2 High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. High Baseline Controls
    {make available} The organization employs automated mechanisms to make security alert and advisory information available throughout the organization. SI-5(1) High Baseline Controls
    The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): AT-2 Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Low Baseline Controls
    The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): AT-2 Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1. Moderate Baseline Controls]
    Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. AT-2(2) High Baseline Controls
    The organization provides training to its personnel on [FedRAMP Assignment: malicious code indicators as defined by organization incident policy/capability] to recognize suspicious communications and anomalous behavior in organizational information systems. AT-3(4) High Baseline Controls
    The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [FedRAMP Assignment: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]; and IR-6a. High Baseline Controls
    The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. AT-2(2) Moderate Baseline Controls
    The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [FedRAMP Assignment: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]; and IR-6a. Moderate Baseline Controls
    The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [FedRAMP Assignment: US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]; and IR-6a. Low Baseline Controls]
    Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Establish/Maintain Documentation Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Behavior Corrective
    Conduct tampering prevention training. CC ID 11875 Training Preventive
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Training Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Training Preventive
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Training Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Training Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Training Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Training Preventive
    Conduct crime prevention training. CC ID 06350 Behavior Preventive
    Analyze and evaluate training records to improve the training program. CC ID 06380 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 Business Processes Preventive
    Establish, implement, and maintain an occupational health and safety policy. CC ID 00716 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a travel program for all personnel. CC ID 10597 Human Resources Management Preventive
    Issue devices with secure configurations to individuals traveling to locations deemed to be of risk. CC ID 10598
    [The organization: Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and CM-2(7)(a) High Baseline Controls
    The organization: Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and CM-2(7)(a) Moderate Baseline Controls]
    Configuration Preventive
    Scan devices for malicious code when an individual returns from locations deemed to be of risk. CC ID 10599
    [The organization: Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return. CM-2(7)(b) High Baseline Controls
    The organization: Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return. CM-2(7)(b) Moderate Baseline Controls]
    Process or Activity Detective
    Establish, implement, and maintain a Code of Conduct. CC ID 04897 Establish/Maintain Documentation Preventive
    Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442
    [{information security procedures} The organization: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and PS-8a. High Baseline Controls
    {information security procedures} The organization: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and PS-8a. Moderate Baseline Controls
    {information security procedures} The organization: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and PS-8a. Low Baseline Controls]
    Behavior Corrective
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632
    [The organization: Notifies [FedRAMP Assignment: at a minimum, the ISSO and/or similar role within the organization] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. PS-8b. High Baseline Controls
    The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. PS-8b. Moderate Baseline Controls
    The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. PS-8b. Low Baseline Controls]
    Communicate Preventive
  • Leadership and high level objectives
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Business Processes Preventive
    Establish, implement, and maintain communication protocols. CC ID 12245 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406
    [The organization: Generates internal security alerts, advisories, and directives as deemed necessary; SI-5b. High Baseline Controls
    The organization: Generates internal security alerts, advisories, and directives as deemed necessary; SI-5b. Moderate Baseline Controls
    The organization: Generates internal security alerts, advisories, and directives as deemed necessary; SI-5b. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Monitor and Evaluate Occurrences Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604 Monitor and Evaluate Occurrences Detective
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135
    [The organization: Receives information system security alerts, advisories, and directives from [FedRAMP Assignment: to include US-CERT] on an ongoing basis; SI-5a. High Baseline Controls
    The organization: Receives information system security alerts, advisories, and directives from [FedRAMP Assignment: organization-defined external organizations, to include US-CERT] on an ongoing basis; SI-5a. Moderate Baseline Controls
    The organization: Receives information system security alerts, advisories, and directives from [FedRAMP Assignment: to include US-CERT] on an ongoing basis; SI-5a. Low Baseline Controls]
    Technical Security Detective
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185
    [The organization: Disseminates security alerts, advisories, and directives to: [FedRAMP Assignment: to include system security personnel and administrators with configuration/patch-management responsibilities]; and SI-5c. High Baseline Controls
    The organization: Disseminates security alerts, advisories, and directives to: [FedRAMP Assignment: to include system security personnel and administrators with configuration/patch-management responsibilities]; and SI-5c. Moderate Baseline Controls
    The organization: Disseminates security alerts, advisories, and directives to: [FedRAMP Assignment: to include system security personnel and administrators with configuration/patch-management responsibilities]; and SI-5c. Low Baseline Controls]
    Communicate Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management program. CC ID 07201 Establish/Maintain Documentation Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501
    [The organization: Identifies, reports, and corrects information system flaws; SI-2a. High Baseline Controls
    The organization: Identifies, reports, and corrects information system flaws; SI-2a. Moderate Baseline Controls
    The organization: Identifies, reports, and corrects information system flaws; SI-2a. Low Baseline Controls]
    Business Processes Corrective
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203
    [The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. SA-10e. High Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. SA-10e. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824
    [The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. SA-10e. High Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and SA-11d. High Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and SA-11d. Moderate Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. SA-10e. Moderate Baseline Controls]
    Systems Design, Build, and Implementation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285
    [The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and SA-9b. High Baseline Controls
    The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. SI-5d. High Baseline Controls
    The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and SA-9b. Moderate Baseline Controls
    The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. SI-5d. Moderate Baseline Controls
    The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and SA-9b. Low Baseline Controls
    The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. SI-5d. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the effective date on all organizational policies. CC ID 06820 Establish/Maintain Documentation Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 Establish/Maintain Documentation Preventive
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Establish/Maintain Documentation Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Establish/Maintain Documentation Detective
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 Business Processes Preventive
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Establish/Maintain Documentation Preventive
    Establish and maintain an Authority Document list. CC ID 07113 Establish/Maintain Documentation Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Establish/Maintain Documentation Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Communicate Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Establish/Maintain Documentation Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Establish/Maintain Documentation Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Establish/Maintain Documentation Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Establish/Maintain Documentation Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Establish/Maintain Documentation Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Establish Roles Preventive
    Approve all compliance documents. CC ID 06286 Establish/Maintain Documentation Preventive
    Align the Authority Document list with external requirements. CC ID 06288 Establish/Maintain Documentation Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Establish Roles Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Establish/Maintain Documentation Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Establish/Maintain Documentation Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631
    [The organization: Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and SC-7(4)(d) High Baseline Controls
    The organization: Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and SC-7(4)(d) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632
    [The organization: Reviews exceptions to the traffic flow policy [FedRAMP Assignment: at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions] and removes exceptions that are no longer supported by an explicit mission/business need. SC-7(4)(e) High Baseline Controls
    The organization: Reviews exceptions to the traffic flow policy [FedRAMP Assignment: at least annually] and removes exceptions that are no longer supported by an explicit mission/business need. SC-7(4)(e) Moderate Baseline Controls]
    Business Processes Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Establish Roles Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Behavior Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Behavior Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. High Baseline Controls
    The organization: Reviews and updates the current: Security planning policy [FedRAMP Assignment: at least annually]; and PL-1b.1. High Baseline Controls
    Reviews and updates the current: Security planning policy [FedRAMP Assignment: at least every 3 years]; and PL-1b.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Low Baseline Controls
    Reviews and updates the current: Security planning policy [FedRAMP Assignment: at least every 3 years]; and PL-1b.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the security planning policy. CC ID 14131
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security planning policy. CC ID 14130
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include management commitment in the security planning policy. CC ID 14129
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security planning policy. CC ID 14128
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the scope in the security planning policy. CC ID 14127
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the purpose in the security planning policy. CC ID 14126
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1. Moderate Baseline Controls]
    Communicate Preventive
    Establish, implement, and maintain security planning procedures. CC ID 14060
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and PL-1a.2. High Baseline Controls
    The organization: Reviews and updates the current: Security planning procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. PL-1b.2. High Baseline Controls
    Reviews and updates the current: Security planning procedures [FedRAMP Assignment: at least annually]. PL-1b.2. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and PL-1a.2. Low Baseline Controls
    Reviews and updates the current: Security planning procedures [FedRAMP Assignment: at least annually]. PL-1b.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and PL-1a.2. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and PL-1a.2. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and PL-1a.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and PL-1a.2. Moderate Baseline Controls]
    Communicate Preventive
  • Monitoring and measurement
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Monitor the usage and capacity of critical assets. CC ID 14825 Monitor and Evaluate Occurrences Detective
    Monitor the usage and capacity of Information Technology assets. CC ID 00668 Monitor and Evaluate Occurrences Detective
    Monitor all outbound traffic from all systems. CC ID 12970
    [The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies. SI-4(11) High Baseline Controls]
    Monitor and Evaluate Occurrences Preventive
    Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773
    [The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity. AU-5(1) High Baseline Controls]
    Behavior Detective
    Monitor systems for errors and faults. CC ID 04544
    [The organization: Identifies, reports, and corrects information system flaws; SI-2a. High Baseline Controls
    The organization: Identifies, reports, and corrects information system flaws; SI-2a. Moderate Baseline Controls
    The organization: Identifies, reports, and corrects information system flaws; SI-2a. Low Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Report errors and faults to the appropriate personnel, as necessary. CC ID 14296
    [The organization: Identifies, reports, and corrects information system flaws; SI-2a. High Baseline Controls
    The organization: Identifies, reports, and corrects information system flaws; SI-2a. Moderate Baseline Controls
    The organization: Identifies, reports, and corrects information system flaws; SI-2a. Low Baseline Controls]
    Communicate Corrective
    Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667
    [The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data. CA-7(3) High Baseline Controls
    The organization: Establishes [Assignment: organization-defined benchmarks] for taking corrective actions. SI-2(3)(b) High Baseline Controls
    The organization: Establishes [Assignment: organization-defined benchmarks] for taking corrective actions. SI-2(3)(b) Moderate Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506
    [The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and AU-7a. High Baseline Controls
    The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and AU-7a. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of a change detection mechanism in the Security Control System monitoring and reporting procedures. CC ID 12525 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of audit logging in the Security Control System monitoring and reporting procedures. CC ID 12513 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of an anti-malware solution in the Security Control System monitoring and reporting procedures. CC ID 12512 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of a segmentation control in the Security Control System monitoring and reporting procedures. CC ID 12511 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of a physical access control in the Security Control System monitoring and reporting procedures. CC ID 12510 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of a logical access control in the Security Control System monitoring and reporting procedures. CC ID 12509 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of an Intrusion Detection and Prevention System in the Security Control System monitoring and reporting procedures. CC ID 12508 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of a firewall in the Security Control System monitoring and reporting procedures. CC ID 12507 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637
    [The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; CA-7b. High Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; CA-7b. High Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; CA-7b. Low Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; CA-7b. Low Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; CA-7b. Moderate Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; CA-7b. Moderate Baseline Controls]
    Log Management Detective
    Establish, implement, and maintain an audit and accountability policy. CC ID 14035
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. High Baseline Controls
    The organization: Reviews and updates the current: Audit and accountability policy [FedRAMP Assignment: at least annually]; and AU-1b.1. High Baseline Controls
    Reviews and updates the current: Audit and accountability policy [FedRAMP Assignment: at least every 3 years]; and AU-1b.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Low Baseline Controls
    Reviews and updates the current: Audit and accountability policy [FedRAMP Assignment: at least every 3 years]; and AU-1b.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the audit and accountability policy. CC ID 14103
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the audit and accountability policy. CC ID 14102
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the purpose in the audit and accountability policy. CC ID 14100
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the audit and accountability policy. CC ID 14098
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include management commitment in the audit and accountability policy. CC ID 14097
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the scope in the audit and accountability policy. CC ID 14096
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1. Low Baseline Controls]
    Communicate Preventive
    Establish, implement, and maintain audit and accountability procedures. CC ID 14057
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and AU-1a.2. High Baseline Controls
    The organization: Reviews and updates the current: Audit and accountability procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. AU-1b.2. High Baseline Controls
    Reviews and updates the current: Audit and accountability procedures [FedRAMP Assignment: at least annually]. AU-1b.2. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and AU-1a.2. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and AU-1a.2. Low Baseline Controls
    Reviews and updates the current: Audit and accountability procedures [FedRAMP Assignment: at least annually]. AU-1b.2. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and AU-1a.2. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and AU-1a.2. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and AU-1a.2. Low Baseline Controls]
    Communicate Preventive
    Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 Log Management Preventive
    Review and approve the use of continuous security management systems. CC ID 13181 Process or Activity Preventive
    Protect continuous security management systems from unauthorized use. CC ID 13097 Configuration Preventive
    Monitor and evaluate system telemetry data. CC ID 14929 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain intrusion management operations. CC ID 00580
    [The information system discovers, collects, distributes, and uses indicators of compromise. SI-4(24) High Baseline Controls]
    Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 Establish/Maintain Documentation Preventive
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581
    [The organization implements [FedRAMP Assignment: Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall] at [Assignment: organization-defined information system components]. SC-7(12) High Baseline Controls
    The organization employs automated tools to support near real-time analysis of events. SI-4(2) High Baseline Controls
    The organization: Deploys monitoring devices: SI-4c. High Baseline Controls
    The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. SI-4(1) High Baseline Controls
    The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components]. SI-4(23) High Baseline Controls
    The organization employs automated tools to support near real-time analysis of events. SI-4(2) Moderate Baseline Controls
    The organization: Deploys monitoring devices: SI-4c. Moderate Baseline Controls
    The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. SI-4(1) Moderate Baseline Controls
    The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components]. SI-4(23) Moderate Baseline Controls
    The organization: Deploys monitoring devices: SI-4c. Low Baseline Controls]
    Configuration Preventive
    Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035
    [The organization: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and SI-4f. High Baseline Controls
    The organization: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and SI-4f. Moderate Baseline Controls
    The organization: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and SI-4f. Low Baseline Controls]
    Behavior Preventive
    Do not intercept communications of any kind when providing a service to clients. CC ID 09985 Behavior Preventive
    Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 Technical Security Detective
    Monitor systems for inappropriate usage and other security violations. CC ID 00585
    [The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system]. PE-6(4) High Baseline Controls
    {inbound communications traffic} The information system monitors inbound and outbound communications traffic [FedRAMP Assignment: continuously] for unusual or unauthorized activities or conditions. SI-4(4) High Baseline Controls
    {inbound communications traffic} The information system monitors inbound and outbound communications traffic [FedRAMP Assignment: continuously] for unusual or unauthorized activities or conditions. SI-4(4) Moderate Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225
    [The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and SI-4a.1. High Baseline Controls
    The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and SI-4a.1. Moderate Baseline Controls
    The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and SI-4a.1. Low Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Monitor systems for Denial of Service attacks. CC ID 01222
    [The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. SC-5 High Baseline Controls
    The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. SC-5 Moderate Baseline Controls
    The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. SC-5 Low Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitor and Evaluate Occurrences Preventive
    Address operational anomalies within the incident management system. CC ID 11633 Audits and Risk Management Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitor and Evaluate Occurrences Detective
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Human Resources Management Detective
    Detect unauthorized access to systems. CC ID 06798
    [The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and SI-4a.1. High Baseline Controls
    The organization: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; SI-4b. High Baseline Controls
    The organization: Monitors the information system to detect: Unauthorized local, network, and remote connections; SI-4a.2. High Baseline Controls
    The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. SI-4(14) High Baseline Controls
    The organization: Monitors the information system to detect: Unauthorized local, network, and remote connections; SI-4a.2. Moderate Baseline Controls
    The organization: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; SI-4b. Moderate Baseline Controls
    The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and SI-4a.1. Moderate Baseline Controls
    The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. SI-4(14) Moderate Baseline Controls
    The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and SI-4a.1. Low Baseline Controls
    The organization: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; SI-4b. Low Baseline Controls
    The organization: Monitors the information system to detect: Unauthorized local, network, and remote connections; SI-4a.2. Low Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitor and Evaluate Occurrences Detective
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Audits and Risk Management Preventive
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430
    [The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. SI-4(5) High Baseline Controls
    {shut down} The information system: [Selection (one or more): shuts the information system down; restarts the information system; [FedRAMP Assignment: to include notification of system administrators and security personnel] when anomalies are discovered. SI-6d. High Baseline Controls
    The organization: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. SI-4g. High Baseline Controls
    The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. SI-4(5) Moderate Baseline Controls
    The information system: [FedRAMP Assignment: to include notification of system administrators and security personnel] when anomalies are discovered. SI-6d. Moderate Baseline Controls
    The organization: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. SI-4g. Moderate Baseline Controls
    The organization: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. SI-4g. Low Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized mobile code. CC ID 10034
    [The organization: Authorizes, monitors, and controls the use of mobile code within the information system. SC-18c. High Baseline Controls
    The organization: Authorizes, monitors, and controls the use of mobile code within the information system. SC-18c. Moderate Baseline Controls]
    Monitor and Evaluate Occurrences Preventive
    Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 Technical Security Preventive
    Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 Technical Security Preventive
    Implement detonation chambers, where appropriate. CC ID 10670 Technical Security Preventive
    Define and assign log management roles and responsibilities. CC ID 06311
    [The organization specifies the permitted actions for each [FedRAMP Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information. AU-6(7) High Baseline Controls]
    Establish Roles Preventive
    Document and communicate the log locations to the owning entity. CC ID 12047 Log Management Preventive
    Make logs available for review by the owning entity. CC ID 12046 Log Management Preventive
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638
    [The organization: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; AU-2b. High Baseline Controls
    The organization: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; AU-2b. Low Baseline Controls
    The organization: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; AU-2b. Moderate Baseline Controls]
    Log Management Detective
    Establish, implement, and maintain an event logging policy. CC ID 15217 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain event logging procedures. CC ID 01335 Log Management Detective
    Include the system components that generate audit records in the event logging procedures. CC ID 16426 Data and Information Management Preventive
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. AU-6(1) High Baseline Controls
    The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and AU-7a. High Baseline Controls
    The organization integrates analysis of audit records with analysis of [FedRAMP Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. AU-6(5) High Baseline Controls
    The organization correlates information from monitoring tools employed throughout the information system. SI-4(16) High Baseline Controls
    The organization: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and AU-2c. High Baseline Controls
    The organization: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and AU-2c. Moderate Baseline Controls
    The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. AU-6(1) Moderate Baseline Controls
    The organization: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and AU-2c. Low Baseline Controls
    The organization correlates information from monitoring tools employed throughout the information system. SI-4(16) Moderate Baseline Controls
    The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and AU-7a. Moderate Baseline Controls]
    Log Management Preventive
    Protect the event logs from failure. CC ID 06290 Log Management Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308
    [{audit processing failures} The information system: Takes the following additional actions: [FedRAMP Assignment: organization-defined actions to be taken (overwrite oldest record)]. AU-5b. High Baseline Controls
    {audit processing failures} The information system: Takes the following additional actions: [FedRAMP Assignment: organization-defined actions to be taken (overwrite oldest record)]. AU-5b. Moderate Baseline Controls
    {audit processing failures} The information system: Takes the following additional actions: [FedRAMP Assignment: organization-defined actions to be taken (overwrite oldest record)]. AU-5b. Low Baseline Controls]
    Data and Information Management Preventive
    Supply each in-scope asset with an audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427
    [The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]. AU-7(1) High Baseline Controls
    The information system provides an audit reduction and report generation capability that: Does not alter the original content or time ordering of audit records. AU-7b. High Baseline Controls
    The information system provides an audit reduction and report generation capability that: AU-7 High Baseline Controls
    The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and AU-7a. High Baseline Controls
    The information system provides an audit reduction and report generation capability that: AU-7 Moderate Baseline Controls
    The information system provides an audit reduction and report generation capability that: Does not alter the original content or time ordering of audit records. AU-7b. Moderate Baseline Controls
    The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]. AU-7(1) Moderate Baseline Controls
    The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and AU-7a. Moderate Baseline Controls]
    Testing Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Establish/Maintain Documentation Corrective
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Establish/Maintain Documentation Preventive
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424
    [The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. AU-6(3) High Baseline Controls
    The information system provides the capability to centrally review and analyze audit records from multiple components within the system. AU-6(4) High Baseline Controls
    The information system compiles audit records from [FedRAMP Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]. AU-12(1) High Baseline Controls
    The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. AU-6(6) High Baseline Controls
    The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. AU-6(3) Moderate Baseline Controls]
    Audits and Risk Management Preventive
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [The organization: Reviews and analyzes information system audit records [FedRAMP Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and AU-6a. High Baseline Controls
    The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. AU-6(10) High Baseline Controls
    The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and AU-7a. High Baseline Controls
    The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. RA-5(8) High Baseline Controls
    The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information. SI-4(18) High Baseline Controls
    The organization: Reviews and analyzes information system audit records [FedRAMP Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and AU-6a. Moderate Baseline Controls
    The organization: Reviews and analyzes information system audit records [FedRAMP Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and AU-6a. Low Baseline Controls
    The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. RA-5(8) Moderate Baseline Controls
    The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and AU-7a. Moderate Baseline Controls]
    Log Management Detective
    Eliminate false positives in event logs and audit logs. CC ID 07047 Log Management Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207
    [The organization: Assesses the security controls in the information system and its environment of operation [FedRAMP Assignment: at least annually] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; CA-2b. High Baseline Controls
    The organization: Assesses the security controls in the information system and its environment of operation [FedRAMP Assignment: at least annually] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; CA-2b. Low Baseline Controls
    The organization: Assesses the security controls in the information system and its environment of operation [FedRAMP Assignment: at least annually] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; CA-2b. Moderate Baseline Controls]
    Log Management Detective
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Technical Security Detective
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Investigate Corrective
    Reproduce the event log if a log failure is captured. CC ID 01426 Log Management Preventive
    Document the event information to be logged in the event information log specification. CC ID 00639
    [The organization: Determines that the following events are to be audited within the information system: [FedRAMP Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event]. AU-2d. High Baseline Controls
    The organization: Determines that the following events are to be audited within the information system: [FedRAMP Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event]. AU-2d. Low Baseline Controls
    The organization: Determines that the following events are to be audited within the information system: [FedRAMP Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event]. AU-2d. Moderate Baseline Controls]
    Configuration Preventive
    Enable logging for all systems that meet a traceability criteria. CC ID 00640 Log Management Detective
    Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 Configuration Preventive
    Enable and configure logging on all network access controls. CC ID 01963 Configuration Preventive
    Analyze firewall logs for the correct capturing of data. CC ID 00549 Log Management Detective
    Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340
    [The information system Uses internal system clocks to generate time stamps for audit records; and AU-8a. High Baseline Controls
    {universal time source} The information system: Compares the internal information system clocks [FedRAMP Assignment: At least hourly] with [FedRAMP Assignment: http://tf.nist.gov/tf-cgi/servers.cgi]; and AU-8(1)(a) High Baseline Controls
    {universal time source} The information system: Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. AU-8(1)(b) High Baseline Controls
    The information system Uses internal system clocks to generate time stamps for audit records; and AU-8a. Moderate Baseline Controls
    {universal time source} The information system: Compares the internal information system clocks [FedRAMP Assignment: at least hourly] with [FedRAMP Assignment: http://tf.nist.gov/tf-cgi/servers.cgi]; and AU-8(1)(a) Moderate Baseline Controls
    {universal time source} The information system: Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. AU-8(1)(b) Moderate Baseline Controls
    The information system Uses internal system clocks to generate time stamps for audit records; and AU-8a. Low Baseline Controls]
    Configuration Preventive
    Centralize network time servers to as few as practical. CC ID 06308 Configuration Preventive
    Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 Communicate Preventive
    Define the frequency to capture and log events. CC ID 06313 Log Management Preventive
    Include logging frequencies in the event logging procedures. CC ID 00642 Log Management Preventive
    Review and update the list of auditable events in the event logging procedures. CC ID 10097
    [The information system: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and AU-12b. High Baseline Controls
    The organization reviews and updates the audited events [FedRAMP Assignment: annually or whenever there is a change in the threat environment]. AU-2(3) High Baseline Controls
    The organization reviews and updates the audited events [FedRAMP Assignment: annually or whenever there is a change in the threat environment]. AU-2(3) Moderate Baseline Controls
    The information system: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and AU-12b. Moderate Baseline Controls
    The information system: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and AU-12b. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Monitor and evaluate system performance. CC ID 00651
    [{performance testing} The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. CA-2(2) High Baseline Controls
    {performance testing} The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. CA-2(2) Moderate Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Communicate Preventive
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Communicate Preventive
    Monitor for and react to when suspicious activities are detected. CC ID 00586 Monitor and Evaluate Occurrences Detective
    Erase payment applications when suspicious activity is confirmed. CC ID 12193 Technical Security Corrective
    Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 Establish/Maintain Documentation Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 Monitor and Evaluate Occurrences Corrective
    Establish, implement, and maintain network monitoring operations. CC ID 16444 Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate the effectiveness of detection tools. CC ID 13505 Investigate Detective
    Monitor and review retail payment activities, as necessary. CC ID 13541 Monitor and Evaluate Occurrences Detective
    Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 Investigate Detective
    Review retail payment service reports, as necessary. CC ID 13545 Investigate Detective
    Assess customer satisfaction. CC ID 00652 Testing Detective
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 Establish/Maintain Documentation Detective
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250
    [The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Correlation and analysis of security-related information generated by assessments and monitoring; CA-7e. High Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Correlation and analysis of security-related information generated by assessments and monitoring; CA-7e. Moderate Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Correlation and analysis of security-related information generated by assessments and monitoring; CA-7e. Low Baseline Controls]
    Process or Activity Detective
    Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 Monitor and Evaluate Occurrences Detective
    Monitor for and report when a software configuration is updated. CC ID 06746
    [The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected. CM-11(1) High Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 Monitor and Evaluate Occurrences Detective
    Monitor for firmware updates absent authorization. CC ID 10675 Monitor and Evaluate Occurrences Detective
    Implement file integrity monitoring. CC ID 01205
    [The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [FedRAMP Assignment: selection to include security relevant events]; [FedRAMP Assignment: at least monthly]]. SI-7(1) High Baseline Controls
    {unauthorized changes} The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability. SI-7(7) High Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components. SA-10(1) High Baseline Controls
    The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]. SI-7 High Baseline Controls
    {unauthorized modification} {unauthorized deletion} The organization: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; SI-4d. High Baseline Controls
    The information system performs an integrity check of [FedRAMP Assignment: selection to include security relevant events] [FedRAMP Selection: at least monthly]. SI-7(1) Moderate Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components. SA-10(1) Moderate Baseline Controls
    {unauthorized changes} The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability. SI-7(7) Moderate Baseline Controls
    The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]. SI-7 Moderate Baseline Controls
    {unauthorized modification} {unauthorized deletion} The organization: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; SI-4d. Moderate Baseline Controls
    {unauthorized modification} {unauthorized deletion} The organization: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; SI-4d. Low Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Technical Security Detective
    Monitor for software configurations updates absent authorization. CC ID 10676 Monitor and Evaluate Occurrences Preventive
    Allow expected changes during file integrity monitoring. CC ID 12090 Technical Security Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitor and Evaluate Occurrences Preventive
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Establish/Maintain Documentation Preventive
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Process or Activity Preventive
    Monitor and evaluate user account activity. CC ID 07066
    [The organization: Monitors information system accounts for [Assignment: organization-defined atypical use]; and AC-2(12)(a) High Baseline Controls
    The organization: Monitors information system accounts for [Assignment: organization-defined atypical use]; and AC-2(12)(a) Moderate Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Develop and maintain a usage profile for each user account. CC ID 07067 Technical Security Preventive
    Log account usage to determine dormant accounts. CC ID 12118 Log Management Detective
    Log account usage times. CC ID 07099 Log Management Detective
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitor and Evaluate Occurrences Detective
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitor and Evaluate Occurrences Detective
    Log account usage durations. CC ID 12117 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Communicate Detective
    Log Internet Protocol addresses used during logon. CC ID 07100 Log Management Detective
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitor and Evaluate Occurrences Detective
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243
    [The organization: Reports atypical usage of information system accounts to [FedRAMP Assignment: at a minimum, the ISSO and/or similar role within the organization]. AC-2(12)(b) High Baseline Controls
    The organization: Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]. AC-2(12)(b) Moderate Baseline Controls]
    Communicate Detective
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: CA-7 High Baseline Controls
    {performance testing} The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. CA-2(2) High Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: CA-7 Low Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: CA-7 Moderate Baseline Controls
    {performance testing} The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. CA-2(2) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Monitor the organization's exposure to threats, as necessary. CC ID 06494 Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitor and Evaluate Occurrences Detective
    Implement a fraud detection system. CC ID 13081 Business Processes Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Monitor for new vulnerabilities. CC ID 06843 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Testing Preventive
    Test compliance controls for proper functionality. CC ID 00660
    [The organization: Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and MA-2e. High Baseline Controls
    The information system: Verifies the correct operation of [Assignment: organization-defined security functions]; SI-6a. High Baseline Controls
    {security verification test} The information system: Performs this verification [FedRAMP Assignment: to include upon system startup and/or restart and at least monthly]; SI-6b. High Baseline Controls
    The organization: Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and MA-2e. Moderate Baseline Controls
    The information system: Verifies the correct operation of [Assignment: organization-defined security functions]; SI-6a. Moderate Baseline Controls
    {security verification test} The information system: Performs this verification [FedRAMP Assignment: to include upon system startup and/or restart and at least monthly]; SI-6b. Moderate Baseline Controls
    The organization: Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and MA-2e. Low Baseline Controls]
    Testing Detective
    Establish, implement, and maintain a system security plan. CC ID 01922
    [The organization: Develops a security plan for the information system that: PL-2a. High Baseline Controls
    {information system security plan} The organization: Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and PL-2d. High Baseline Controls
    {information system security plan} The organization: Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and PL-2d. Moderate Baseline Controls
    The organization: Develops a security plan for the information system that: PL-2a. Moderate Baseline Controls
    {information system security plan} The organization: Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and PL-2d. Low Baseline Controls
    The organization: Develops a security plan for the information system that: PL-2a. Low Baseline Controls
    The organization: Reviews the security plan for the information system [FedRAMP Assignment: at least annually]; PL-2c. High Baseline Controls
    The organization: Reviews the security plan for the information system [FedRAMP Assignment: at least annually]; PL-2c. Moderate Baseline Controls
    The organization: Reviews the security plan for the information system [FedRAMP Assignment: at least annually]; PL-2c. Low Baseline Controls]
    Testing Preventive
    Include a system description in the system security plan. CC ID 16467 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the system security plan. CC ID 14301
    [The organization: Develops a security plan for the information system that: Describes the operational context of the information system in terms of missions and business processes; PL-2a.3. High Baseline Controls
    The organization: Develops a security plan for the information system that: Describes the operational context of the information system in terms of missions and business processes; PL-2a.3. Moderate Baseline Controls
    The organization: Develops a security plan for the information system that: Describes the operational context of the information system in terms of missions and business processes; PL-2a.3. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281
    [The organization: Documents the security categorization results (including supporting rationale) in the security plan for the information system; and RA-2b. High Baseline Controls
    The organization: Documents the security categorization results (including supporting rationale) in the security plan for the information system; and RA-2b. Moderate Baseline Controls
    The organization: Documents the security categorization results (including supporting rationale) in the security plan for the information system; and RA-2b. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274
    [The organization: Develops a security plan for the information system that: Provides an overview of the security requirements for the system; PL-2a.6. High Baseline Controls
    The organization: Develops a security plan for the information system that: Provides an overview of the security requirements for the system; PL-2a.6. Moderate Baseline Controls
    The organization: Develops a security plan for the information system that: Provides an overview of the security requirements for the system; PL-2a.6. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273
    [The organization: Develops a security plan for the information system that: Describes the operational environment for the information system and relationships with or connections to other information systems; PL-2a.5. High Baseline Controls
    The organization: Develops a security plan for the information system that: Describes the operational environment for the information system and relationships with or connections to other information systems; PL-2a.5. Moderate Baseline Controls
    The organization: Develops a security plan for the information system that: Describes the operational environment for the information system and relationships with or connections to other information systems; PL-2a.5. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Establish/Maintain Documentation Preventive
    Include remote access methods in the system security plan. CC ID 16441 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275
    [The organization: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; PL-2b. High Baseline Controls
    The organization: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; PL-2b. Moderate Baseline Controls
    The organization: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; PL-2b. Low Baseline Controls]
    Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272
    [The organization: Develops a security plan for the information system that: Describes the operational environment for the information system and relationships with or connections to other information systems; PL-2a.5. High Baseline Controls
    The organization: Develops a security plan for the information system that: Describes the operational environment for the information system and relationships with or connections to other information systems; PL-2a.5. Moderate Baseline Controls
    The organization: Develops a security plan for the information system that: Describes the operational environment for the information system and relationships with or connections to other information systems; PL-2a.5. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270
    [The organization: Develops a security plan for the information system that: Provides the security categorization of the information system including supporting rationale; PL-2a.4. High Baseline Controls
    The organization: Develops a security plan for the information system that: Provides the security categorization of the information system including supporting rationale; PL-2a.4. Moderate Baseline Controls
    The organization: Develops a security plan for the information system that: Provides the security categorization of the information system including supporting rationale; PL-2a.4. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257
    [The organization: Develops a security plan for the information system that: Explicitly defines the authorization boundary for the system; PL-2a.2. High Baseline Controls
    The organization: Develops a security plan for the information system that: Explicitly defines the authorization boundary for the system; PL-2a.2. Moderate Baseline Controls
    The organization: Develops a security plan for the information system that: Explicitly defines the authorization boundary for the system; PL-2a.2. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255
    [The organization: Develops a security plan for the information system that: Is consistent with the organization's enterprise architecture; PL-2a.1. High Baseline Controls
    The organization: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. PL-8c. High Baseline Controls
    The organization: Develops a security plan for the information system that: Is consistent with the organization's enterprise architecture; PL-2a.1. Moderate Baseline Controls
    The organization: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. PL-8c. Moderate Baseline Controls
    The organization: Develops a security plan for the information system that: Is consistent with the organization's enterprise architecture; PL-2a.1. Low Baseline Controls]
    Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239
    [The organization: Develops a security plan for the information system that: Identifies any relevant overlays, if applicable; PL-2a.7. High Baseline Controls
    The organization: Develops a security plan for the information system that: Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and PL-2a.8. High Baseline Controls
    The organization: Develops a security plan for the information system that: Identifies any relevant overlays, if applicable; PL-2a.7. Moderate Baseline Controls
    The organization: Develops a security plan for the information system that: Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and PL-2a.8. Moderate Baseline Controls
    The organization: Develops a security plan for the information system that: Identifies any relevant overlays, if applicable; PL-2a.7. Low Baseline Controls
    The organization: Develops a security plan for the information system that: Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and PL-2a.8. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Create specific test plans to test each system component. CC ID 00661
    [The organization: Develops a security assessment plan that describes the scope of the assessment including: CA-2a. High Baseline Controls
    {security assessment} The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; CA-2a.1. High Baseline Controls
    {security assessment} The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; CA-2a.1. Moderate Baseline Controls
    {security assessment} The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; CA-2a.1. Low Baseline Controls
    The organization: Develops a security assessment plan that describes the scope of the assessment including: CA-2a. Moderate Baseline Controls
    The organization: Develops a security assessment plan that describes the scope of the assessment including: CA-2a. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299
    [The organization: Develops a security assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2a.3. High Baseline Controls
    The organization: Develops a security assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2a.3. Moderate Baseline Controls
    The organization: Develops a security assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2a.3. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297
    [The organization: Develops a security assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2a.3. High Baseline Controls
    The organization: Develops a security assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2a.3. Moderate Baseline Controls
    The organization: Develops a security assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2a.3. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293
    [The organization: Develops a security assessment plan that describes the scope of the assessment including: CA-2a. High Baseline Controls
    The organization: Develops a security assessment plan that describes the scope of the assessment including: CA-2a. Moderate Baseline Controls
    The organization: Develops a security assessment plan that describes the scope of the assessment including: CA-2a. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271
    [The organization: Develops a security assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2a.3. High Baseline Controls
    The organization: Develops a security assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2a.3. Moderate Baseline Controls
    The organization: Develops a security assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2a.3. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241
    [The organization: Develops a security plan for the information system that: Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; PL-2a.9. High Baseline Controls
    The organization: Develops a security plan for the information system that: Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; PL-2a.9. Moderate Baseline Controls
    The organization: Develops a security plan for the information system that: Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; PL-2a.9. Low Baseline Controls]
    Business Processes Preventive
    Adhere to the system security plan. CC ID 11640 Testing Detective
    Review the test plans for each system component. CC ID 00662 Establish/Maintain Documentation Preventive
    Validate all testing assumptions in the test plans. CC ID 00663 Testing Detective
    Document validated testing processes in the testing procedures. CC ID 06200 Establish/Maintain Documentation Preventive
    Require testing procedures to be complete. CC ID 00664 Testing Detective
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Establish/Maintain Documentation Preventive
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Testing Preventive
    Implement automated audit tools. CC ID 04882 Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve test plans. CC ID 13071 Human Resources Management Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Testing Detective
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a testing program. CC ID 00654
    [The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; CA-7c. High Baseline Controls
    The information system enforces access restrictions and supports auditing of the enforcement actions. CM-5(1) High Baseline Controls
    {performance testing} The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. CA-2(2) High Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; CA-7c. Low Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; CA-7c. Moderate Baseline Controls
    {performance testing} The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. CA-2(2) Moderate Baseline Controls
    The information system enforces access restrictions and supports auditing of the enforcement actions. CM-5(1) Moderate Baseline Controls]
    Behavior Preventive
    Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. High Baseline Controls
    The organization: Reviews and updates the current: Security assessment and authorization policy [FedRAMP Assignment: at least annually]; and CA-1b.1. High Baseline Controls
    Reviews and updates the current: Security assessment and authorization policy [FedRAMP Assignment: at least every 3 years]; and CA-1b.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Low Baseline Controls
    Reviews and updates the current: Security assessment and authorization policy [FedRAMP Assignment: at least every 3 years]; and CA-1b.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Conduct Red Team exercises, as necessary. CC ID 12131 Technical Security Detective
    Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the scope in the security assessment and authorization policy. CC ID 14220
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the purpose in the security assessment and authorization policy. CC ID 14219
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Low Baseline Controls]
    Communicate Preventive
    Include management commitment in the security assessment and authorization policy. CC ID 14189
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the security assessment and authorization policy. CC ID 14183
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and CA-1a.2. High Baseline Controls
    The organization: Reviews and updates the current: Security assessment and authorization procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. CA-1b.2. High Baseline Controls
    Reviews and updates the current: Security assessment and authorization procedures [FedRAMP Assignment: at least annually]. CA-1b.2. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and CA-1a.2. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and CA-1a.2. Low Baseline Controls
    Reviews and updates the current: Security assessment and authorization procedures [FedRAMP Assignment: at least annually]. CA-1b.2. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and CA-1a.2. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and CA-1a.2. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and CA-1a.2. Low Baseline Controls]
    Communicate Preventive
    Employ third parties to carry out testing programs, as necessary. CC ID 13178 Human Resources Management Preventive
    Test security systems and associated security procedures, as necessary. CC ID 11901 Technical Security Detective
    Define the test requirements for each testing program. CC ID 13177 Establish/Maintain Documentation Preventive
    Test in scope systems for segregation of duties, as necessary. CC ID 13906 Testing Detective
    Include test requirements for the use of human subjects in the testing program. CC ID 16222 Testing Preventive
    Test the in scope system in accordance with its intended purpose. CC ID 14961 Testing Preventive
    Perform network testing in accordance with organizational standards. CC ID 16448 Testing Preventive
    Test user accounts in accordance with organizational standards. CC ID 16421 Testing Preventive
    Identify risk management measures when testing in scope systems. CC ID 14960 Process or Activity Detective
    Include mechanisms for emergency stops in the testing program. CC ID 14398 Establish/Maintain Documentation Preventive
    Scan organizational networks for rogue devices. CC ID 00536
    [{unauthorized software} {unauthorized firmware} The organization: Employs automated mechanisms [FedRAMP Assignment: Continuously, using automated mechanisms with a maximum five-minute delay in detection.] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and CM-8(3)(a) High Baseline Controls
    {not approved} The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]]. SI-4(22) High Baseline Controls
    {unauthorized software} {unauthorized firmware} The organization: Employs automated mechanisms [FedRAMP Assignment: Continuously, using automated mechanisms with a maximum five-minute delay in detection.] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and CM-8(3)(a) Moderate Baseline Controls]
    Testing Detective
    Scan the network for wireless access points. CC ID 00370 Testing Detective
    Document the business need justification for authorized wireless access points. CC ID 12044 Establish/Maintain Documentation Preventive
    Scan wireless networks for rogue devices. CC ID 11623 Technical Security Detective
    Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 Testing Detective
    Implement incident response procedures when rogue devices are discovered. CC ID 11880 Technical Security Corrective
    Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428
    [The organization: Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]. CM-8(3)(b) High Baseline Controls
    {not approved} The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]]. SI-4(22) High Baseline Controls
    The organization: Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]. CM-8(3)(b) Moderate Baseline Controls]
    Monitor and Evaluate Occurrences Corrective
    Deny network access to rogue devices until network access approval has been received. CC ID 11852 Configuration Preventive
    Isolate rogue devices after a rogue device has been detected. CC ID 07061
    [The organization: Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]. CM-8(3)(b) High Baseline Controls
    The organization: Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]. CM-8(3)(b) Moderate Baseline Controls]
    Configuration Corrective
    Establish, implement, and maintain conformity assessment procedures. CC ID 15032 Establish/Maintain Documentation Preventive
    Share conformity assessment results with affected parties and interested personnel. CC ID 15113 Communicate Preventive
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 Communicate Preventive
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 Communicate Preventive
    Create technical documentation assessment certificates in an official language. CC ID 15110 Establish/Maintain Documentation Preventive
    Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 Testing Preventive
    Perform conformity assessments, as necessary. CC ID 15095 Testing Detective
    Define the test frequency for each testing program. CC ID 13176 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 Technical Security Detective
    Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a penetration test program. CC ID 01105 Behavior Preventive
    Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 Communicate Preventive
    Align the penetration test program with industry standards. CC ID 12469 Establish/Maintain Documentation Preventive
    Assign penetration testing to a qualified internal resource or external third party. CC ID 06429
    [The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. CA-8(1) High Baseline Controls
    The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components. CA-8(1) Moderate Baseline Controls]
    Establish Roles Preventive
    Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 Testing Preventive
    Retain penetration test results according to internal policy. CC ID 10049 Records Management Preventive
    Retain penetration test remediation action records according to internal policy. CC ID 11629 Records Management Preventive
    Use dedicated user accounts when conducting penetration testing. CC ID 13728 Testing Detective
    Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 Testing Corrective
    Perform penetration tests, as necessary. CC ID 00655
    [The organization conducts penetration testing [FedRAMP Assignment: at least annually] on [Assignment: organization-defined information systems or system components]. CA-8 High Baseline Controls
    The organization conducts penetration testing [FedRAMP Assignment: at least annually] on [Assignment: organization-defined information systems or system components]. CA-8 Moderate Baseline Controls]
    Testing Detective
    Perform internal penetration tests, as necessary. CC ID 12471 Technical Security Detective
    Perform external penetration tests, as necessary. CC ID 12470 Technical Security Detective
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Testing Detective
    Test the system for broken access controls. CC ID 01319 Testing Detective
    Test the system for broken authentication and session management. CC ID 01320 Testing Detective
    Test the system for insecure communications. CC ID 00535 Testing Detective
    Test the system for cross-site scripting attacks. CC ID 01321 Testing Detective
    Test the system for buffer overflows. CC ID 01322 Testing Detective
    Test the system for injection flaws. CC ID 01323 Testing Detective
    Ensure protocols are free from injection flaws. CC ID 16401 Process or Activity Preventive
    Test the system for Denial of Service. CC ID 01326 Testing Detective
    Test the system for insecure configuration management. CC ID 01327 Testing Detective
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Testing Detective
    Test the system for cross-site request forgery. CC ID 06296 Testing Detective
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Technical Security Detective
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Technical Security Detective
    Verify segmentation controls are operational and effective. CC ID 12545 Audits and Risk Management Detective
    Repeat penetration testing, as necessary. CC ID 06860 Testing Detective
    Test the system for covert channels. CC ID 10652 Testing Detective
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Technical Security Detective
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Technical Security Corrective
    Test systems to determine which covert channels might be exploited. CC ID 10654 Testing Detective
    Establish, implement, and maintain a business line testing strategy. CC ID 13245 Establish/Maintain Documentation Preventive
    Include facilities in the business line testing strategy. CC ID 13253 Establish/Maintain Documentation Preventive
    Include electrical systems in the business line testing strategy. CC ID 13251 Establish/Maintain Documentation Preventive
    Include mechanical systems in the business line testing strategy. CC ID 13250 Establish/Maintain Documentation Preventive
    Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 Establish/Maintain Documentation Preventive
    Include emergency power supplies in the business line testing strategy. CC ID 13247 Establish/Maintain Documentation Preventive
    Include environmental controls in the business line testing strategy. CC ID 13246 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636
    [The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; RA-5b.1. High Baseline Controls
    The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Formatting checklists and test procedures; and RA-5b.2. High Baseline Controls
    The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Measuring vulnerability impact; RA-5b.3. High Baseline Controls
    The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Formatting checklists and test procedures; and RA-5b.2. Moderate Baseline Controls
    The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; RA-5b.1. Moderate Baseline Controls
    The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Measuring vulnerability impact; RA-5b.3. Moderate Baseline Controls
    The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; RA-5b.1. Low Baseline Controls
    The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Formatting checklists and test procedures; and RA-5b.2. Low Baseline Controls
    The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Measuring vulnerability impact; RA-5b.3. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Perform vulnerability scans, as necessary. CC ID 11637
    [{performance testing} The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. CA-2(2) High Baseline Controls
    The organization: Scans for vulnerabilities in the information system and hosted applications [FedRAMP Assignment: monthly operating system/infrastructure; monthly web applications and databases] and when new vulnerabilities potentially affecting the system/applications are identified and reported; RA-5a. High Baseline Controls
    {performance testing} The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. CA-2(2) Moderate Baseline Controls
    The organization: Scans for vulnerabilities in the information system and hosted applications [FedRAMP Assignment: monthly operating system/infrastructure; monthly web applications and databases] and when new vulnerabilities potentially affecting the system/applications are identified and reported; RA-5a. Low Baseline Controls
    The organization: Scans for vulnerabilities in the information system and hosted applications [FedRAMP Assignment: monthly operating system/infrastructure; monthly web applications and databases] and when new vulnerabilities potentially affecting the system/applications are identified and reported; RA-5a. Moderate Baseline Controls]
    Technical Security Detective
    Repeat vulnerability scanning, as necessary. CC ID 11646
    [The organization determines what information about the information system is discoverable by adversaries and subsequently takes [FedRAMP Assignment: notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions]. RA-5(4) High Baseline Controls]
    Testing Detective
    Identify and document security vulnerabilities. CC ID 11857
    [The organization determines what information about the information system is discoverable by adversaries and subsequently takes [FedRAMP Assignment: notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions]. RA-5(4) High Baseline Controls]
    Technical Security Detective
    Rank discovered vulnerabilities. CC ID 11940 Investigate Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098
    [The information system implements privileged access authorization to [FedRAMP Assignment: operating systems / web applications / databases] for selected [FedRAMP Assignment: all scans]. RA-5(5) High Baseline Controls
    The information system implements privileged access authorization to [FedRAMP Assignment: operating systems / web applications / databases] for selected [FedRAMP Assignment: all scans]. RA-5(5) Moderate Baseline Controls]
    Technical Security Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638
    [The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments. CA-2(1) High Baseline Controls
    The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis. CA-7(1) High Baseline Controls
    The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments. CA-2(1) Low Baseline Controls
    The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments. CA-2(1) Moderate Baseline Controls
    The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis. CA-7(1) Moderate Baseline Controls]
    Technical Security Detective
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Establish/Maintain Documentation Preventive
    Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 Communicate Preventive
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Records Management Preventive
    Correlate vulnerability scan reports from the various systems. CC ID 10636
    [The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors. RA-5(10) High Baseline Controls]
    Technical Security Detective
    Perform internal vulnerability scans, as necessary. CC ID 00656
    [The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked). RA-5(3) High Baseline Controls
    The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked). RA-5(3) Moderate Baseline Controls]
    Testing Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Technical Security Detective
    Implement scanning tools, as necessary. CC ID 14282
    [The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: RA-5b. High Baseline Controls
    The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: RA-5b. Moderate Baseline Controls
    The organization: Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: RA-5b. Low Baseline Controls]
    Technical Security Detective
    Update the vulnerability scanners' vulnerability list. CC ID 10634
    [The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. RA-5(1) High Baseline Controls
    The organization updates the information system vulnerabilities scanned [FedRAMP Assignment: prior to a new scan]. RA-5(2) High Baseline Controls
    The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. RA-5(1) Moderate Baseline Controls
    The organization updates the information system vulnerabilities scanned [FedRAMP Assignment: prior to a new scan]. RA-5(2) Moderate Baseline Controls]
    Configuration Corrective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Technical Security Detective
    Perform external vulnerability scans, as necessary. CC ID 11624 Technical Security Detective
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Business Processes Preventive
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Testing Preventive
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635
    [{vulnerability scan results} The organization: Analyzes vulnerability scan reports and results from security control assessments; RA-5c. High Baseline Controls
    The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. RA-5(6) High Baseline Controls
    {vulnerability scan results} The organization: Analyzes vulnerability scan reports and results from security control assessments; RA-5c. Moderate Baseline Controls
    The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. RA-5(6) Moderate Baseline Controls
    {vulnerability scan results} The organization: Analyzes vulnerability scan reports and results from security control assessments; RA-5c. Low Baseline Controls]
    Technical Security Detective
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748
    [The information system: Notifies [FedRAMP Assignment: to include system administrators and security personnel] of failed security verification tests; and SI-6c. High Baseline Controls
    The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification. SI-7(2) High Baseline Controls
    The information system: Notifies [FedRAMP Assignment: to include system administrators and security personnel] of failed security verification tests; and SI-6c. Moderate Baseline Controls]
    Behavior Corrective
    Perform vulnerability assessments, as necessary. CC ID 11828
    [{performance testing} The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. CA-2(2) High Baseline Controls
    {performance testing} The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. CA-2(2) Moderate Baseline Controls]
    Technical Security Corrective
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Technical Security Detective
    Test the system for unvalidated input. CC ID 01318 Testing Detective
    Test the system for proper error handling. CC ID 01324 Testing Detective
    Test the system for insecure data storage. CC ID 01325 Testing Detective
    Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 Testing Detective
    Approve the vulnerability management program. CC ID 15722 Process or Activity Preventive
    Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 Establish Roles Preventive
    Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 Technical Security Preventive
    Test the system for insecure cryptographic storage. CC ID 11635 Technical Security Detective
    Perform self-tests on cryptographic modules within the system. CC ID 06537 Testing Detective
    Perform power-up tests on cryptographic modules within the system. CC ID 06538 Testing Detective
    Perform conditional tests on cryptographic modules within the system. CC ID 06539 Testing Detective
    Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 Configuration Detective
    Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 Technical Security Corrective
    Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 Configuration Corrective
    Recommend mitigation techniques based on penetration test results. CC ID 04881 Establish/Maintain Documentation Corrective
    Correct or mitigate vulnerabilities. CC ID 12497
    [The organization: Remediates legitimate vulnerabilities [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery], in accordance with an organizational assessment of risk; and RA-5d. High Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to: Correct flaws identified during security testing/evaluation. SA-11e. High Baseline Controls
    The organization: Remediates legitimate vulnerabilities [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery], in accordance with an organizational assessment of risk; and RA-5d. Moderate Baseline Controls
    The organization requires the developer of the information system, system component, or information system service to: Correct flaws identified during security testing/evaluation. SA-11e. Moderate Baseline Controls
    The organization: Remediates legitimate vulnerabilities [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery], in accordance with an organizational assessment of risk; and RA-5d. Low Baseline Controls]
    Technical Security Corrective
    Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 Technical Security Corrective
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [The organization: Monitors policy compliance at [FedRAMP Assignment: Continuously (via CM-7 (5))]. CM-11c. High Baseline Controls
    The organization: Monitors policy compliance at [FedRAMP Assignment: Continuously (via CM-7 (5))]. CM-11c. Low Baseline Controls
    The organization: Monitors policy compliance at [FedRAMP Assignment: Continuously (via CM-7 (5))]. CM-11c. Moderate Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. SI-5d. High Baseline Controls
    The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. SI-5d. Moderate Baseline Controls
    The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. SI-5d. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Business Processes Detective
    Determine the causes of compliance violations. CC ID 12401 Investigate Corrective
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Establish/Maintain Documentation Preventive
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Investigate Detective
    Correct compliance violations. CC ID 13515 Process or Activity Corrective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Investigate Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Human Resources Management Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Establish/Maintain Documentation Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Establish/Maintain Documentation Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Establish/Maintain Documentation Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Establish/Maintain Documentation Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Establish/Maintain Documentation Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Establish/Maintain Documentation Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Communicate Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Establish/Maintain Documentation Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Establish/Maintain Documentation Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Establish/Maintain Documentation Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Establish/Maintain Documentation Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Establish/Maintain Documentation Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Establish/Maintain Documentation Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663
    [The organization: Develops a contingency plan for the information system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2. High Baseline Controls
    The organization: Develops a contingency plan for the information system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2. Low Baseline Controls
    The organization: Develops a contingency plan for the information system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Actionable Reports or Measurements Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Actionable Reports or Measurements Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a metrics standard and template. CC ID 02157
    [The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored; CA-7a. High Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored; CA-7a. Low Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored; CA-7a. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085
    [The organization: Develops an incident response plan that: Provides metrics for measuring the incident response capability within the organization; IR-8a.6. High Baseline Controls
    The organization: Develops an incident response plan that: Provides metrics for measuring the incident response capability within the organization; IR-8a.6. Moderate Baseline Controls
    The organization: Develops an incident response plan that: Provides metrics for measuring the incident response capability within the organization; IR-8a.6. Low Baseline Controls]
    Business Processes Preventive
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Actionable Reports or Measurements Detective
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Actionable Reports or Measurements Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Actionable Reports or Measurements Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Actionable Reports or Measurements Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Actionable Reports or Measurements Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140
    [The organization: Measures the time between flaw identification and flaw remediation; and SI-2(3)(a) High Baseline Controls
    The organization: Measures the time between flaw identification and flaw remediation; and SI-2(3)(a) Moderate Baseline Controls]
    Actionable Reports or Measurements Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Actionable Reports or Measurements Detective
    Delay the reporting of incident management metrics, as necessary. CC ID 15501 Communicate Preventive
    Establish, implement, and maintain a log management program. CC ID 00673 Establish/Maintain Documentation Preventive
    Restrict access to logs to authorized individuals. CC ID 01342
    [The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. AU-9(4) High Baseline Controls
    The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. AU-9(4) Moderate Baseline Controls]
    Log Management Preventive
    Back up audit trails according to backup procedures. CC ID 11642
    [The information system backs up audit records [FedRAMP Assignment: at least weekly] onto a physically different system or system component than the system or component being audited. AU-9(2) High Baseline Controls
    The information system backs up audit records [FedRAMP Assignment: at least weekly] onto a physically different system or system component than the system or component being audited. AU-9(2) Moderate Baseline Controls]
    Systems Continuity Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346
    [The information system provides centralized management and configuration of the content to be captured in audit records generated by [FedRAMP Assignment: all network, data storage, and computing devices]. AU-3(2) High Baseline Controls]
    Log Management Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Log Management Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Log Management Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Log Management Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Log Management Preventive
    Protect logs from unauthorized activity. CC ID 01345
    [The information system protects audit information and audit tools from unauthorized access, modification, and deletion. AU-9 High Baseline Controls
    The information system protects audit information and audit tools from unauthorized access, modification, and deletion. AU-9 Low Baseline Controls
    The information system protects audit information and audit tools from unauthorized access, modification, and deletion. AU-9 Moderate Baseline Controls]
    Log Management Preventive
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Response actions to address results of the analysis of security-related information; and CA-7f. High Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Response actions to address results of the analysis of security-related information; and CA-7f. Low Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Response actions to address results of the analysis of security-related information; and CA-7f. Moderate Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Align corrective actions with the level of environmental impact. CC ID 15193 Business Processes Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Establish/Maintain Documentation Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Establish/Maintain Documentation Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Establish/Maintain Documentation Preventive
    Include monitoring in the corrective action plan. CC ID 11645
    [The organization: Updates existing plan of action and milestones [FedRAMP Assignment: at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. CA-5b. High Baseline Controls
    The organization: Updates existing plan of action and milestones [FedRAMP Assignment: at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. CA-5b. Low Baseline Controls
    The organization: Updates existing plan of action and milestones [FedRAMP Assignment: at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. CA-5b. Moderate Baseline Controls]
    Monitor and Evaluate Occurrences Detective
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [FedRAMP Assignment: to meet Federal and FedRAMP requirements]. CA-7g. High Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [FedRAMP Assignment: to meet Federal and FedRAMP requirements]. CA-7g. Low Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [FedRAMP Assignment: to meet Federal and FedRAMP requirements]. CA-7g. Moderate Baseline Controls]
    Actionable Reports or Measurements Corrective
    Protect against misusing automated audit tools. CC ID 04547
    [The information system protects audit information and audit tools from unauthorized access, modification, and deletion. AU-9 High Baseline Controls
    The information system protects audit information and audit tools from unauthorized access, modification, and deletion. AU-9 Low Baseline Controls
    The information system protects audit information and audit tools from unauthorized access, modification, and deletion. AU-9 Moderate Baseline Controls]
    Technical Security Preventive
    Evaluate the measurement process used for metrics. CC ID 06920
    [The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; CA-7d. High Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; CA-7d. Low Baseline Controls
    The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; CA-7d. Moderate Baseline Controls]
    Testing Detective
    Evaluate the information technology products used for metrics. CC ID 11644 Technical Security Detective
    Identify and communicate improvements in metrics reporting. CC ID 06921 Establish/Maintain Documentation Corrective
  • Operational and Systems Continuity
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a business continuity policy. CC ID 12405
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. High Baseline Controls
    The organization: Reviews and updates the current: Contingency planning policy [FedRAMP Assignment: at least annually]; and CP-1b.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Low Baseline Controls
    Reviews and updates the current: Contingency planning policy [FedRAMP Assignment: at least every 3 years]; and CP-1b.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Moderate Baseline Controls
    Reviews and updates the current: Contingency planning policy [FedRAMP Assignment: at least every 3 years]; and CP-1b.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the business continuity policy. CC ID 14237
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the business continuity policy. CC ID 14235
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include management commitment in the business continuity policy. CC ID 14233
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the scope in the business continuity policy. CC ID 14231
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the business continuity policy. CC ID 14190
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Moderate Baseline Controls]
    Communicate Preventive
    Include the purpose in the business continuity policy. CC ID 14188
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732 Establish/Maintain Documentation Preventive
    Coordinate continuity planning with other business units responsible for related plans. CC ID 01386
    [The organization coordinates contingency plan development with organizational elements responsible for related plans. CP-2(1) High Baseline Controls
    The organization coordinates contingency plan development with organizational elements responsible for related plans. CP-2(1) Moderate Baseline Controls]
    Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [The organization: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; CP-2e. High Baseline Controls
    The organization: Develops a contingency plan for the information system that: CP-2a. High Baseline Controls
    The organization: Develops a contingency plan for the information system that: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; CP-2a.6. High Baseline Controls
    The organization: Reviews the contingency plan for the information system [FedRAMP Assignment: at least annually]. CP-2d. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and CP-1a.2. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and CP-1a.2. Low Baseline Controls
    The organization: Develops a contingency plan for the information system that: CP-2a. Low Baseline Controls
    The organization: Develops a contingency plan for the information system that: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; CP-2a.6. Low Baseline Controls
    The organization: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; CP-2e. Low Baseline Controls
    The organization: Develops a contingency plan for the information system that: CP-2a. Moderate Baseline Controls
    The organization: Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; CP-2e. Moderate Baseline Controls
    The organization: Develops a contingency plan for the information system that: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; CP-2a.6. Moderate Baseline Controls
    The organization: Reviews the contingency plan for the information system [FedRAMP Assignment: at least annually]. CP-2d. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and CP-1a.2. Moderate Baseline Controls
    The organization: Reviews the contingency plan for the information system [FedRAMP Assignment: at least annually]. CP-2d. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Communicate Corrective
    Identify all stakeholders in the continuity plan. CC ID 13256 Establish/Maintain Documentation Preventive
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Systems Continuity Corrective
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Communicate Preventive
    Maintain normal security levels when an emergency occurs. CC ID 06377 Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108
    [The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure. SC-24 High Baseline Controls
    The information system fails securely in the event of an operational failure of a boundary protection device. SC-7(18) High Baseline Controls
    The information system fails securely in the event of an operational failure of a boundary protection device. SC-7(18) Moderate Baseline Controls]
    Systems Continuity Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Establish/Maintain Documentation Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Human Resources Management Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Establish/Maintain Documentation Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Human Resources Management Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Systems Continuity Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Configuration Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Establish/Maintain Documentation Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Behavior Preventive
    Restore systems and environments to be operational. CC ID 13476
    [The organization provides the capability to restore information system components within [FedRAMP Assignment: time period consistent with the restoration time-periods defined in the service provider and organization SLA] from configuration-controlled and integrity-protected information representing a known, operational state for the components. CP-10(4) High Baseline Controls]
    Systems Continuity Corrective
    Include the continuity strategy in the continuity plan. CC ID 13189 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254
    [The organization: Develops a contingency plan for the information system that: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.3. High Baseline Controls
    The organization: Develops a contingency plan for the information system that: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.3. Low Baseline Controls
    The organization: Develops a contingency plan for the information system that: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.3. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037
    [The organization: Initiates corrective actions, if needed. CP-4c. High Baseline Controls
    The organization: Initiates corrective actions, if needed. CP-4c. Low Baseline Controls
    The organization: Initiates corrective actions, if needed. CP-4c. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Technical Security Preventive
    Monitor and evaluate business continuity management system performance. CC ID 12410 Monitor and Evaluate Occurrences Detective
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Process or Activity Preventive
    Record business continuity management system performance for posterity. CC ID 12411 Monitor and Evaluate Occurrences Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244
    [The organization: Coordinates incident handling activities with contingency planning activities; and IR-4b. High Baseline Controls
    The organization: Coordinates incident handling activities with contingency planning activities; and IR-4b. Low Baseline Controls
    The organization: Coordinates incident handling activities with contingency planning activities; and IR-4b. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Establish/Maintain Documentation Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Establish Roles Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236
    [The organization: Reviews and updates the current: Contingency planning procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. CP-1b.2. High Baseline Controls
    Reviews and updates the current: Contingency planning procedures [FedRAMP Assignment: at least annually]. CP-1b.2. Moderate Baseline Controls
    Reviews and updates the current: Contingency planning procedures [FedRAMP Assignment: at least annually]. CP-1b.2. Low Baseline Controls]
    Establish/Maintain Documentation Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and CP-1a.2. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and CP-1a.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and CP-1a.2. Moderate Baseline Controls]
    Communicate Preventive
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Establish/Maintain Documentation Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725
    [The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss. PE-11 High Baseline Controls
    The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss. PE-11 Moderate Baseline Controls]
    Configuration Preventive
    Install a generator sized to support the facility. CC ID 06709
    [The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source. PE-11(1) High Baseline Controls]
    Configuration Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Acquisition/Sale of Assets or Services Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Establish/Maintain Documentation Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Establish/Maintain Documentation Preventive
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Testing Detective
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [The information system implements transaction recovery for systems that are transaction-based. CP-10(2) High Baseline Controls
    The information system implements transaction recovery for systems that are transaction-based. CP-10(2) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Establish/Maintain Documentation Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Test the backup information, as necessary. CC ID 13303
    [The organization tests backup information [FedRAMP Assignment: at least monthly] to verify media reliability and information integrity. CP-9(1) High Baseline Controls
    The organization tests backup information [FedRAMP Assignment: at least annually] to verify media reliability and information integrity. CP-9(1) Moderate Baseline Controls]
    Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Communicate Preventive
    Include restoration procedures in the continuity plan. CC ID 01169
    [The organization: Develops a contingency plan for the information system that: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and CP-2a.5. High Baseline Controls
    The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. CP-10 High Baseline Controls
    The organization: Develops a contingency plan for the information system that: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and CP-2a.5. Low Baseline Controls
    The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. CP-10 Low Baseline Controls
    The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. CP-10 Moderate Baseline Controls
    The organization: Develops a contingency plan for the information system that: Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and CP-2a.5. Moderate Baseline Controls]
    Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166
    [The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. CP-2(3) High Baseline Controls
    The organization plans for the resumption of all missions and business functions within [FedRAMP Assignment: time period defined in service provider and organization SLA] of contingency plan activation. CP-2(4) High Baseline Controls
    The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation. CP-2(3) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377
    [The organization: Develops a contingency plan for the information system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2. High Baseline Controls
    The organization: Develops a contingency plan for the information system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2. Low Baseline Controls
    The organization: Develops a contingency plan for the information system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Systems Continuity Corrective
    Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 Establish/Maintain Documentation Preventive
    Install and maintain redundant power supplies for critical facilities. CC ID 06355 Configuration Preventive
    Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439
    [The organization: Provides the capability of shutting off power to the information system or individual system components in emergency situations; PE-10a. High Baseline Controls
    The organization: Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and PE-10b. High Baseline Controls
    The organization: Protects emergency power shutoff capability from unauthorized activation. PE-10c. High Baseline Controls
    The organization: Provides the capability of shutting off power to the information system or individual system components in emergency situations; PE-10a. Moderate Baseline Controls
    The organization: Protects emergency power shutoff capability from unauthorized activation. PE-10c. Moderate Baseline Controls
    The organization: Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and PE-10b. Moderate Baseline Controls]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Establish/Maintain Documentation Preventive
    Define and prioritize critical business functions. CC ID 00736
    [The organization: Develops a contingency plan for the information system that: Identifies essential missions and business functions and associated contingency requirements; CP-2a.1. High Baseline Controls
    The organization: Develops a contingency plan for the information system that: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; CP-2a.4. High Baseline Controls
    The organization: Develops a contingency plan for the information system that: Identifies essential missions and business functions and associated contingency requirements; CP-2a.1. Low Baseline Controls
    The organization: Develops a contingency plan for the information system that: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; CP-2a.4. Low Baseline Controls
    The organization: Develops a contingency plan for the information system that: Identifies essential missions and business functions and associated contingency requirements; CP-2a.1. Moderate Baseline Controls
    The organization: Develops a contingency plan for the information system that: Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; CP-2a.4. Moderate Baseline Controls]
    Establish/Maintain Documentation Detective
    Review and prioritize the importance of each business unit. CC ID 01165 Systems Continuity Preventive
    Review and prioritize the importance of each business process. CC ID 11689 Establish/Maintain Documentation Preventive
    Document the mean time to failure for system components. CC ID 10684 Systems Continuity Preventive
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Audits and Risk Management Preventive
    Include the protection of personnel in the continuity plan. CC ID 06378 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a critical personnel list. CC ID 00739
    [The organization: Develops a contingency plan for the information system that: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.3. High Baseline Controls
    The organization: Develops a contingency plan for the information system that: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.3. Low Baseline Controls
    The organization: Develops a contingency plan for the information system that: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.3. Moderate Baseline Controls]
    Establish/Maintain Documentation Detective
    Identify alternate personnel for each person on the critical personnel list. CC ID 12771 Human Resources Management Preventive
    Define the triggering events for when to activate the pandemic plan. CC ID 06801 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a critical resource list. CC ID 00740
    [The organization identifies critical information system assets supporting essential missions and business functions. CP-2(8) High Baseline Controls
    The organization identifies critical information system assets supporting essential missions and business functions. CP-2(8) Moderate Baseline Controls]
    Establish/Maintain Documentation Detective
    Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 Establish/Maintain Documentation Preventive
    Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 Establish/Maintain Documentation Preventive
    Include website continuity procedures in the continuity plan. CC ID 01380 Establish/Maintain Documentation Preventive
    Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579
    [The organization: Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and AC-22c. High Baseline Controls
    The organization: Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and AC-22c. Moderate Baseline Controls
    The organization: Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and AC-22c. Low Baseline Controls]
    Data and Information Management Preventive
    Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 Establish/Maintain Documentation Detective
    Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294
    [{alternate processing site} {alternate storage site} {primary site} The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. CP-8 High Baseline Controls
    {alternate processing site} {alternate storage site} {primary site} The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. CP-8 Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396
    [{primary telecommunications services} The organization: Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier. CP-8(1)(b) High Baseline Controls
    {alternate processing site} {alternate storage site} {primary site} The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. CP-8 High Baseline Controls
    {primary telecommunications service agreements} The organization: Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and CP-8(1)(a) High Baseline Controls
    {primary telecommunications services} The organization: Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier. CP-8(1)(b) Moderate Baseline Controls
    {alternate processing site} {alternate storage site} {primary site} The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. CP-8 Moderate Baseline Controls
    {primary telecommunications service agreements} The organization: Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and CP-8(1)(a) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397
    [The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. CP-8(2) High Baseline Controls
    The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. CP-8(2) Moderate Baseline Controls]
    Testing Detective
    Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399
    [{primary telecommunications service provider} The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. CP-8(3) High Baseline Controls]
    Testing Detective
    Require telecommunications service providers to have adequate continuity plans. CC ID 01400
    [{primary telecommunications service provider} The organization: Requires primary and alternate telecommunications service providers to have contingency plans; CP-8(4)(a) High Baseline Controls]
    Testing Detective
    Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374
    [{primary processing sites} {primary storage site} The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites. CP-2(5) High Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 Physical and Environmental Protection Corrective
    Designate an alternate facility in the continuity plan. CC ID 00742 Establish/Maintain Documentation Detective
    Separate the alternate facility from the primary facility through geographic separation. CC ID 01394
    [The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. CP-7(1) High Baseline Controls
    The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. CP-7(1) Moderate Baseline Controls]
    Physical and Environmental Protection Preventive
    Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391
    [{area-wide disaster} The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. CP-7(2) High Baseline Controls
    {area-wide disaster} The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. CP-7(2) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 Systems Continuity Preventive
    Establish and maintain off-site electronic media storage facilities. CC ID 00957
    [The organization: Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and CP-6a. High Baseline Controls
    The organization: Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and CP-6a. Moderate Baseline Controls]
    Physical and Environmental Protection Preventive
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390
    [The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. CP-6(1) High Baseline Controls
    The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats. CP-6(1) Moderate Baseline Controls]
    Testing Detective
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392
    [{recovery time objectives} The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. CP-6(2) High Baseline Controls]
    Configuration Preventive
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393
    [{area-wide disaster} The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. CP-6(3) High Baseline Controls
    {area-wide disaster} The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. CP-6(3) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573
    [The organization: Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. CP-6b. High Baseline Controls
    The organization: Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. CP-6b. Moderate Baseline Controls]
    Systems Continuity Detective
    Store backup media at an off-site electronic media storage facility. CC ID 01332
    [The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. CP-9(3) High Baseline Controls
    The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. CP-9(3) Moderate Baseline Controls]
    Data and Information Management Preventive
    Transport backup media in lockable electronic media storage containers. CC ID 01264
    [The organization transfers information system backup information to the alternate storage site [FedRAMP Assignment: time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA]. CP-9(5) High Baseline Controls]
    Data and Information Management Preventive
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289
    [The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. CP-9(3) High Baseline Controls
    The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. CP-9(3) Moderate Baseline Controls]
    Systems Continuity Preventive
    Perform backup procedures for in scope systems. CC ID 11692
    [The organization: Conducts backups of system-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; CP-9b. High Baseline Controls
    The organization: Conducts backups of user-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; CP-9a. High Baseline Controls
    The organization: Conducts backups of user-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; CP-9a. Low Baseline Controls
    The organization: Conducts backups of system-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; CP-9b. Low Baseline Controls
    The organization: Conducts backups of system-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; CP-9b. Moderate Baseline Controls
    The organization: Conducts backups of user-level information contained in the information system [FedRAMP Assignment: daily incremental; weekly full]; CP-9a. Moderate Baseline Controls]
    Process or Activity Preventive
    Perform full backups in accordance with organizational standards. CC ID 16376 Data and Information Management Preventive
    Perform incremental backups in accordance with organizational standards. CC ID 16375 Data and Information Management Preventive
    Back up all records. CC ID 11974
    [The organization: Conducts backups of information system documentation including security-related documentation [FedRAMP Assignment: daily incremental; weekly full]; and CP-9c. High Baseline Controls
    The organization: Conducts backups of information system documentation including security-related documentation [FedRAMP Assignment: daily incremental; weekly full]; and CP-9c. Low Baseline Controls
    The organization: Conducts backups of information system documentation including security-related documentation [FedRAMP Assignment: daily incremental; weekly full]; and CP-9c. Moderate Baseline Controls]
    Systems Continuity Preventive
    Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 Data and Information Management Preventive
    Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259
    [The organization: Develops a contingency plan for the information system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2. High Baseline Controls
    The organization: Develops a contingency plan for the information system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2. Low Baseline Controls
    The organization: Develops a contingency plan for the information system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Encrypt backup data. CC ID 00958 Configuration Preventive
    Log the execution of each backup. CC ID 00956 Establish/Maintain Documentation Preventive
    Test backup media for media integrity and information integrity, as necessary. CC ID 01401 Testing Detective
    Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 Testing Detective
    Test each restored system for media integrity and information integrity. CC ID 01920 Testing Detective
    Include stakeholders when testing restored systems, as necessary. CC ID 13066 Testing Corrective
    Digitally sign disk images, as necessary. CC ID 06814 Establish/Maintain Documentation Preventive
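    The backup controls mapped above (CP-9a/b/c with the FedRAMP assignment "daily incremental; weekly full", CC ID 16376/16375, logging each backup under CC ID 00956, integrity testing of media and restored systems under CC IDs 01401 and 01920, and a tamper-evident manifest in the spirit of CC ID 06814) are easier to audit when the schedule decision, the integrity record and the restore check are one small routine. The following is an added example written for this page; it is not code from FedRAMP, NIST or the Unified Compliance Framework. It holds file contents in memory as {path: bytes} so it runs offline, uses an HMAC over a canonical JSON manifest as a stand-in for a digital signature (a real deployment would use an asymmetric signature and a managed key), and the weekday chosen for the weekly full, the sample files and the key are assumptions, not values from the baseline. Encryption of the backup payload (CC ID 00958) is out of scope here.

```python
"""Backup-run helper (added example, not from the FedRAMP baseline).

Implements the schedule decision for 'daily incremental; weekly full',
records a SHA-256 manifest, authenticates the manifest with an HMAC so
tampering is detectable at restore time, logs each run, and verifies a
restore against the manifest.
"""
from __future__ import annotations

import datetime as dt
import hashlib
import hmac
import json
import logging

# Assumption: the weekly full runs on Sunday (Python weekday(): Monday == 0).
FULL_BACKUP_WEEKDAY = 6

logging.basicConfig(level=logging.INFO, format="%(asctime)s backup %(message)s")
log = logging.getLogger("backup")


def backup_kind(run_date: str, known: dict | None) -> str:
    """Weekly full on the configured weekday, or when no full exists yet;
    every other day is an incremental (CP-9 'daily incremental; weekly full')."""
    day = dt.date.fromisoformat(run_date)
    if known is None or day.weekday() == FULL_BACKUP_WEEKDAY:
        return "full"
    return "incremental"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, run_date: str, known: dict | None) -> dict:
    """Full: capture every file. Incremental: capture only files whose digest
    differs from the last captured state (a digest-based stand-in for changed
    block tracking). Each run is logged (CC ID 00956)."""
    kind = backup_kind(run_date, known)
    current = {path: digest(data) for path, data in files.items()}
    if kind == "full":
        selected = current
    else:
        selected = {p: d for p, d in current.items() if known.get(p) != d}
    log.info("%s run on %s captured %d file(s)", kind, run_date, len(selected))
    return {"kind": kind, "date": run_date, "files": selected}


def apply_manifest(known: dict | None, manifest: dict) -> dict:
    """Fold a completed run into the cumulative known state used by the next run."""
    state = {} if manifest["kind"] == "full" else dict(known or {})
    state.update(manifest["files"])
    return state


def _canonical(manifest: dict) -> bytes:
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Wrap the manifest with an HMAC-SHA256 tag over its canonical encoding."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}).encode()


def load_manifest(envelope: bytes, key: bytes) -> dict:
    """Reject a manifest whose tag does not verify (constant-time compare)."""
    outer = json.loads(envelope)
    expected = hmac.new(key, _canonical(outer["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["hmac"]):
        raise ValueError("manifest authentication failed")
    return outer["manifest"]


def verify_restore(restored: dict, manifest: dict) -> list:
    """Check restored content against the manifest (CC ID 01920); return findings."""
    problems = []
    for path, expected in manifest["files"].items():
        if path not in restored:
            problems.append(f"missing: {path}")
        elif digest(restored[path]) != expected:
            problems.append(f"corrupt: {path}")
    return problems


if __name__ == "__main__":
    key = b"example-only-key"  # assumption: production uses a managed key
    files = {"etc/app.conf": b"mode=prod\n", "var/db/users.db": b"\x00" * 64}  # constructed
    full = build_manifest(files, "2018-08-26", None)          # a Sunday: full
    known = apply_manifest(None, full)
    files["etc/app.conf"] = b"mode=prod\nlog=verbose\n"
    inc = build_manifest(files, "2018-08-27", known)          # Monday: incremental
    envelope = sign_manifest(inc, key)
    restored = {"etc/app.conf": b"mode=prod\nlog=verbose\n"}
    print("restore findings:", verify_restore(restored, load_manifest(envelope, key)))
```

    The incremental selects by digest rather than by modification time, so a file rewritten with identical content is not re-captured and a file touched without a content change is not either; an auditor reading the log sees one line per run with the kind, date and file count. A manifest edited after signing fails in `load_manifest` before any restore is attempted.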
    Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760
    [The organization: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; CP-2b. High Baseline Controls
    The organization: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; CP-2b. Low Baseline Controls
    The organization: Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; CP-2b. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 Establish/Maintain Documentation Preventive
    Prepare the alternate facility for an emergency offsite relocation. CC ID 00744
    [The organization: Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and CP-7b. High Baseline Controls
    The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions. CP-7(4) High Baseline Controls
    {recovery time objectives} The organization: Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; CP-7a. High Baseline Controls
    {recovery time objectives} The organization: Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; CP-7a. Moderate Baseline Controls
    The organization: Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and CP-7b. Moderate Baseline Controls]
    Systems Continuity Preventive
    Include coverage for alternate facilities for all offices in contingency arrangements. CC ID 00746 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745
    [The organization: Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and CP-6a. High Baseline Controls
    The organization: Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and CP-7b. High Baseline Controls
    The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). CP-7(3) High Baseline Controls
    {recovery time objectives} The organization: Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; CP-7a. High Baseline Controls
    The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). CP-7(3) Moderate Baseline Controls
    The organization: Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and CP-6a. Moderate Baseline Controls
    The organization: Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and CP-7b. Moderate Baseline Controls
    {recovery time objectives} The organization: Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; CP-7a. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include recovery time in Service Level Agreements for all alternate facilities. CC ID 16331 Establish/Maintain Documentation Preventive
    Include priority-of-service provisions in Service Level Agreements for all alternate facilities. CC ID 16330 Establish/Maintain Documentation Preventive
    Include backup media transportation in Service Level Agreements for alternate facilities. CC ID 16329 Establish/Maintain Documentation Preventive
    Include transportation services in Service Level Agreements for alternate facilities. CC ID 16328 Establish/Maintain Documentation Preventive
    Include that the shared service provider will not oversubscribe their services in the Service Level Agreement. CC ID 04892 Establish/Maintain Documentation Preventive
    Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Memorandums Of Understanding for all alternate facilities. CC ID 11695 Establish/Maintain Documentation Preventive
    Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395
    [The organization: Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. CP-7c. High Baseline Controls
    The organization: Employs [Assignment: organization-defined security controls] at alternate work sites; PE-17a. High Baseline Controls
    The organization: Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. CP-7c. Moderate Baseline Controls
    The organization: Employs [Assignment: organization-defined security controls] at alternate work sites; PE-17a. Moderate Baseline Controls]
    Configuration Preventive
    Establish, implement, and maintain logical access controls at alternate facilities. CC ID 13227 Technical Security Preventive
    Establish, implement, and maintain physical access controls for alternate facilities. CC ID 13226 Physical and Environmental Protection Preventive
    Notify the primary facilities of any changes at the alternate facilities that could affect the continuity plan. CC ID 13225 Communicate Preventive
    Protect backup systems and restoration systems at the alternate facility. CC ID 04883 Systems Continuity Preventive
    Review the alternate facility preparation procedures. CC ID 04884
    [The organization: Assesses as feasible, the effectiveness of security controls at alternate work sites; and PE-17b. High Baseline Controls
    The organization: Assesses as feasible, the effectiveness of security controls at alternate work sites; and PE-17b. Moderate Baseline Controls]
    Systems Continuity Detective
    Train personnel on the continuity plan. CC ID 00759
    [The organization provides contingency training to information system users consistent with assigned roles and responsibilities: CP-3 High Baseline Controls
    The organization provides contingency training to information system users consistent with assigned roles and responsibilities: Within [FedRAMP Assignment: ten (10) days] of assuming a contingency role or responsibility; CP-3a. High Baseline Controls
    The organization provides contingency training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and CP-3b. High Baseline Controls
    {at least once each year} The organization provides contingency training to information system users consistent with assigned roles and responsibilities: [FedRAMP Assignment: at least annually] thereafter. CP-3c. High Baseline Controls
    The organization provides contingency training to information system users consistent with assigned roles and responsibilities: CP-3 Low Baseline Controls
    The organization provides contingency training to information system users consistent with assigned roles and responsibilities: Within [FedRAMP Assignment: ten (10) days] of assuming a contingency role or responsibility; CP-3a. Low Baseline Controls
    The organization provides contingency training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and CP-3b. Low Baseline Controls
    {at least once each year} The organization provides contingency training to information system users consistent with assigned roles and responsibilities: [FedRAMP Assignment: at least annually] thereafter. CP-3c. Low Baseline Controls
    The organization provides contingency training to information system users consistent with assigned roles and responsibilities: CP-3 Moderate Baseline Controls
    The organization provides contingency training to information system users consistent with assigned roles and responsibilities: Within [FedRAMP Assignment: ten (10) days] of assuming a contingency role or responsibility; CP-3a. Moderate Baseline Controls
    The organization provides contingency training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and CP-3b. Moderate Baseline Controls
    {at least once each year} The organization provides contingency training to information system users consistent with assigned roles and responsibilities: [FedRAMP Assignment: at least annually] thereafter. CP-3c. Moderate Baseline Controls]
    Behavior Preventive
    Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 Behavior Preventive
    Incorporate simulated events into the continuity plan training. CC ID 01402
    [The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations. CP-3(1) High Baseline Controls]
    Behavior Preventive
    Include cross-team coordination in continuity plan training. CC ID 16235 Training Preventive
    Include stay at home order training in the continuity plan training. CC ID 14382 Training Preventive
    Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 Training Preventive
    Include personal protection in continuity plan training. CC ID 14394 Training Preventive
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 Testing Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [The organization: Tests the contingency plan for the information system [FedRAMP Assignment: at least annually] using [FedRAMP Assignment: functional exercises] to determine the effectiveness of the plan and the organizational readiness to execute the plan CP-4a. High Baseline Controls
    The organization: Tests the contingency plan for the information system [FedRAMP Assignment: at least annually for moderate impact systems; at least every three years for low impact systems] using [FedRAMP Assignment: functional exercises for moderate impact systems; classroom exercises/table top written tests for low impact systems] to determine the effectiveness of the plan and the organizational readiness to execute the plan; CP-4a. Moderate Baseline Controls
    The organization: Tests the contingency plan for the information system [FedRAMP Assignment: at least annually for moderate impact systems; at least every three years for low impact systems] using [FedRAMP Assignment: functional exercises for moderate impact systems; classroom exercises/table top written tests for low impact systems] to determine the effectiveness of the plan and the organizational readiness to execute the plan; CP-4a. Low Baseline Controls]
    Testing Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Testing Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Testing Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Testing Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 Testing Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Testing Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757
    [The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing. CP-9(2) High Baseline Controls]
    Testing Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082 Testing Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Testing Preventive
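    The CP-9(2) citation above (restoring a sample of backup information as part of contingency plan testing) is the one control in this group that describes a repeatable technical check. The following is an added example, not part of the FedRAMP baseline or the UCF mapping: it archives a constructed set of files with a SHA-256 manifest taken at backup time, restores a random sample into a scratch directory, and verifies each restored file against the manifest. It then repeats the restore against a second archive in which one file changed after the manifest was captured, which is the silent-corruption case a sample restore is meant to catch. All file names, paths and contents are constructed.

```python
"""Added example (not from the FedRAMP baseline or the UCF mapping): a
sample-based backup restoration test in the spirit of CP-9(2).  A constructed
backup set is archived with a SHA-256 manifest; a random sample of entries is
later restored into a scratch directory and each restored file is checked
against the manifest.  Names, paths and file contents are all constructed."""
import hashlib
import random
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return {relative path: sha256}.
    The manifest is captured at backup time and is the reference for restores."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    return manifest


def restore_sample(archive: Path, manifest: dict, sample_size: int,
                   dest: Path, seed: int = 0) -> dict:
    """Restore a random sample of manifest entries into `dest` and verify them.
    Returns {relative path: True if the restored bytes match the manifest}."""
    rng = random.Random(seed)  # fixed seed keeps the sample reproducible for audit
    names = sorted(manifest)
    sample = rng.sample(names, min(sample_size, len(names)))
    results = {}
    with tarfile.open(archive, "r:gz") as tar:
        for rel in sample:
            # Write the bytes ourselves rather than tar.extract(): only manifest
            # keys are used as paths, so the archive cannot steer the write.
            if rel.startswith("/") or ".." in Path(rel).parts:
                results[rel] = False
                continue
            member = tar.extractfile(rel)
            if member is None:  # missing entry or not a regular file
                results[rel] = False
                continue
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(member.read())
            results[rel] = sha256_file(target) == manifest[rel]
    return results


def run_demo() -> tuple:
    """Build a constructed backup, restore a sample, then repeat with one file
    silently changed after the manifest was taken (a corrupted backup).
    Returns (clean_results, corrupt_results)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        source = tmp / "source"
        constructed = {
            "etc/app.conf": b"listen=443\n",
            "data/users.db": b"\x00" * 4096,
            "data/audit.log": b"2018-08-28 login ok\n",
            "keys/ca.pem": b"-----BEGIN CERTIFICATE-----\nMIIB\n",
        }
        for name, body in constructed.items():
            (source / name).parent.mkdir(parents=True, exist_ok=True)
            (source / name).write_bytes(body)

        archive = tmp / "backup.tgz"
        manifest = make_backup(source, archive)
        clean = restore_sample(archive, manifest, 3, tmp / "restore1")

        # Corruption case: the backed-up copy changed after the manifest was taken.
        (source / "data/users.db").write_bytes(b"\xff" * 4096)
        bad_archive = tmp / "backup_corrupt.tgz"
        make_backup(source, bad_archive)  # new archive, checked against the OLD manifest
        corrupt = restore_sample(bad_archive, manifest, 4, tmp / "restore2")
        return clean, corrupt


if __name__ == "__main__":
    clean_results, corrupt_results = run_demo()
    print("clean  :", clean_results)
    print("corrupt:", corrupt_results)
```

The manifest, not the archive, is the trust anchor here: if the hash list travels with the backup and is overwritten along with it, a corrupted or tampered archive verifies against itself. Keep the manifest in a separately protected location and record the seed used for the sample so an assessor can reproduce which entries were restored.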
    Test the continuity plan at the alternate facility. CC ID 01174
    [The organization tests the contingency plan at the alternate processing site: CP-4(2) High Baseline Controls
    The organization tests the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and CP-4(2)(a) High Baseline Controls
    The organization tests the contingency plan at the alternate processing site: To evaluate the capabilities of the alternate processing site to support contingency operations. CP-4(2)(b) High Baseline Controls]
    Testing Detective
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Establish/Maintain Documentation Preventive
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388
    [The organization coordinates contingency plan testing with organizational elements responsible for related plans. CP-4(1) High Baseline Controls
    The organization coordinates contingency plan testing with organizational elements responsible for related plans. CP-4(1) Moderate Baseline Controls]
    Testing Preventive
    Review all third party's continuity plan test results. CC ID 01365
    [{telecommunications service providers} The organization: Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and CP-8(4)(b) High Baseline Controls
    The organization: Obtains evidence of contingency testing/training by providers [FedRAMP Assignment: annually]. CP-8(4)(c) High Baseline Controls]
    Testing Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Testing Detective
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548
    [The organization: Reviews the contingency plan test results; and CP-4b. High Baseline Controls
    {incident response procedures} {incident response testing} The organization tests the incident response capability for the information system [FedRAMP Assignment: at least every six (6) months] using [FedRAMP Assignment: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.] to determine the incident response effectiveness and documents the results. IR-3 High Baseline Controls
    The organization: Reviews the contingency plan test results; and CP-4b. Low Baseline Controls
    The organization: Reviews the contingency plan test results; and CP-4b. Moderate Baseline Controls
    {incident response procedures} The organization tests the incident response capability for the information system [FedRAMP Assignment: at least annually] using [FedRAMP Assignment: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). For JAB authorization, the service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.] to determine the incident response effectiveness and documents the results. IR-3 Moderate Baseline Controls]
    Actionable Reports or Measurements Preventive
    Approve the continuity plan test results. CC ID 15718 Systems Continuity Preventive
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Testing Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Testing Detective
  • Operational management
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a capacity management plan. CC ID 11751 Establish/Maintain Documentation Preventive
    Utilize resource capacity management controls. CC ID 00939 Testing Detective
    Perform system capacity testing. CC ID 01616
    [The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. CP-2(2) High Baseline Controls
    The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. CP-2(2) Moderate Baseline Controls]
    Testing Detective
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955
    [The organization: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and CP-2f. High Baseline Controls
    Communicates incident response plan changes to [FedRAMP Assignment: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.]; and IR-8e. High Baseline Controls
    The organization: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; PL-2b. High Baseline Controls
    The organization: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and CP-2f. Low Baseline Controls
    The organization: Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and CP-2f. Moderate Baseline Controls
    Communicates incident response plan changes to [FedRAMP Assignment: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.]; and IR-8e. Moderate Baseline Controls
    Communicates incident response plan changes to [FedRAMP Assignment: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.]; and IR-8e. Low Baseline Controls
    The organization: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; PL-2b. Moderate Baseline Controls
    The organization: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; PL-2b. Low Baseline Controls]
    Behavior Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820 Establish/Maintain Documentation Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358
    [The organization: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; SI-4e. High Baseline Controls
    The organization: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; SI-4e. Moderate Baseline Controls
    The organization: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; SI-4e. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Establish/Maintain Documentation Preventive
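    SI-4e and the alert-threshold item above together say that monitoring should not run at one fixed sensitivity: when credible threat information arrives, the organization raises its monitoring level. The following is an added example, not part of the FedRAMP baseline or the UCF mapping, showing one way that posture change can be made concrete: per-event alert thresholds keyed by posture, evaluated over constructed log lines. The event names, source addresses, hostnames and threshold values are all constructed for the example.

```python
"""Added example (not from the FedRAMP baseline or the UCF mapping): incident
alert thresholds that tighten when the organization moves to a heightened
monitoring posture, as SI-4e requires when credible threat information arrives.
Log lines, hostnames, event names and threshold values are all constructed."""
import re
from collections import Counter

# Events per source within the window before an alert fires (constructed values).
# The heightened posture lowers every threshold rather than adding new rules, so
# the change of posture is a single switch an operator can flip and later revert.
THRESHOLDS = {
    "normal":     {"auth_failure": 20, "privilege_use": 10},
    "heightened": {"auth_failure": 5,  "privilege_use": 2},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\w+) src=(?P<src>\S+)")

# Constructed sample log for the example.
SAMPLE_LOG = """\
2018-08-28T10:00:01Z web01 auth_failure src=203.0.113.7
2018-08-28T10:00:02Z web01 auth_failure src=203.0.113.7
2018-08-28T10:00:03Z web01 auth_failure src=203.0.113.7
2018-08-28T10:00:04Z web01 auth_failure src=203.0.113.7
2018-08-28T10:00:05Z web01 auth_failure src=203.0.113.7
2018-08-28T10:00:06Z web01 auth_failure src=203.0.113.7
2018-08-28T10:01:00Z web02 auth_failure src=192.0.2.9
2018-08-28T10:02:00Z bastion privilege_use src=198.51.100.4
2018-08-28T10:02:30Z bastion privilege_use src=198.51.100.4
2018-08-28T10:03:00Z bastion privilege_use src=198.51.100.4
2018-08-28T10:04:00Z web02 auth_success src=192.0.2.9
this line is deliberately malformed and must be skipped
"""


def parse(lines):
    """Yield {ts, host, event, src} for each well-formed line; skip the rest."""
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def evaluate(lines, posture: str) -> list:
    """Count events per (event, source) and return the alerts that exceed the
    threshold for the given posture.  Events with no threshold never alert."""
    thresholds = THRESHOLDS[posture]
    counts = Counter((ev["event"], ev["src"]) for ev in parse(lines))
    alerts = []
    for (event, src), n in sorted(counts.items()):
        limit = thresholds.get(event)
        if limit is not None and n >= limit:
            alerts.append({"event": event, "src": src, "count": n,
                           "threshold": limit, "posture": posture})
    return alerts


def compare_postures(log_text: str) -> dict:
    """Run the same log through both postures; shows what heightening surfaces."""
    lines = log_text.splitlines()
    return {posture: evaluate(lines, posture) for posture in THRESHOLDS}


if __name__ == "__main__":
    for posture, alerts in compare_postures(SAMPLE_LOG).items():
        print(posture, "->", alerts or "no alerts")
```

On the constructed log the normal posture produces no alerts, while the heightened posture flags both the six failed logins from one source and the three privileged-command uses. The point for procedure writers is that the heightened thresholds, who may invoke them, and when they revert should be written down in advance; an analyst should not be choosing numbers during the event that triggered the change.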
    Include security information sharing procedures in the internal control framework. CC ID 06489
    [The organization: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). RA-5e. High Baseline Controls
    The organization: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). RA-5e. Moderate Baseline Controls
    The organization: Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). RA-5e. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Communicate Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Process or Activity Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. PL-2(3) High Baseline Controls
    The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. PL-2(3) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374 Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Establish/Maintain Documentation Preventive
    Include system development in the information security program. CC ID 12389 Establish/Maintain Documentation Preventive
    Include system maintenance in the information security program. CC ID 12388
    [The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. MA-4(2) High Baseline Controls
    The organization: Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; MA-4b. High Baseline Controls
    The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. MA-4(2) Moderate Baseline Controls
    The organization: Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; MA-4b. Moderate Baseline Controls
    The organization: Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; MA-4b. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include system acquisition in the information security program. CC ID 12387 Establish/Maintain Documentation Preventive
    Include access control in the information security program. CC ID 12386
    [{remote access} The organization: Documents the rationale for such access in the security plan for the information system. AC-17(4)(b) High Baseline Controls
    The organization authorizes network access to [FedRAMP Assignment: all privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system. AC-6(3) High Baseline Controls
    {remote access} The organization: Documents the rationale for such access in the security plan for the information system. AC-17(4)(b) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Review and approve access controls, as necessary. CC ID 13074 Process or Activity Detective
    Include operations management in the information security program. CC ID 12385 Establish/Maintain Documentation Preventive
    Include communication management in the information security program. CC ID 12384 Establish/Maintain Documentation Preventive
    Include environmental security in the information security program. CC ID 12383 Establish/Maintain Documentation Preventive
    Include physical security in the information security program. CC ID 12382 Establish/Maintain Documentation Preventive
    Include human resources security in the information security program. CC ID 12381 Establish/Maintain Documentation Preventive
    Include asset management in the information security program. CC ID 12380 Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Establish/Maintain Documentation Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Establish/Maintain Documentation Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Establish/Maintain Documentation Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Establish/Maintain Documentation Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Establish/Maintain Documentation Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378 Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Establish/Maintain Documentation Preventive
    Provide management direction and support for the information security program. CC ID 11999 Process or Activity Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740 Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include business processes in the information security policy. CC ID 16326 Establish/Maintain Documentation Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Establish/Maintain Documentation Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Establish/Maintain Documentation Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493
    [The organization: Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. CA-9b. High Baseline Controls
    The organization: Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. CA-9b. Low Baseline Controls
    The organization: Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. CA-9b. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Process or Activity Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Business Processes Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Communicate Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Process or Activity Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Human Resources Management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Establish/Maintain Documentation Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Human Resources Management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Communicate Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Establish/Maintain Documentation Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Business Processes Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Business Processes Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Behavior Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Establish/Maintain Documentation Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655
    [{social networking} The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites. PL-4(1) High Baseline Controls
    {social networking} The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites. PL-4(1) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Establish/Maintain Documentation Preventive
    Perform social network analysis, as necessary. CC ID 14864 Investigate Detective
    Establish, implement, and maintain operational control procedures. CC ID 00831
    [The organization: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. PL-8c. High Baseline Controls
    The organization: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions. PL-8c. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Establish/Maintain Documentation Preventive
    Include startup processes in operational control procedures. CC ID 00833 Establish/Maintain Documentation Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Establish/Maintain Documentation Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Establish/Maintain Documentation Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Process or Activity Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Establish/Maintain Documentation Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Establish/Maintain Documentation Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Establish/Maintain Documentation Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Establish/Maintain Documentation Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Establish/Maintain Documentation Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Establish/Maintain Documentation Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Establish/Maintain Documentation Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Establish/Maintain Documentation Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Establish/Maintain Documentation Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Establish/Maintain Documentation Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Establish/Maintain Documentation Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Records Management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Business Processes Preventive
    Provide support for information sharing activities. CC ID 15644 Process or Activity Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Business Processes Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Establish/Maintain Documentation Corrective
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Communicate Preventive
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Establish/Maintain Documentation Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583
    [The organization: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and SC-19a. High Baseline Controls
    The organization: Authorizes, monitors, and controls the use of VoIP within the information system. SC-19b. High Baseline Controls
    The organization: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and SC-19a. Moderate Baseline Controls
    The organization: Authorizes, monitors, and controls the use of VoIP within the information system. SC-19b. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350
    [The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts]. AC-2(11) High Baseline Controls
    The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; PL-4a. High Baseline Controls
    The organization: Reviews and updates the rules of behavior [FedRAMP Assignment: annually]; and PL-4c. High Baseline Controls
    The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; PL-4a. Moderate Baseline Controls
    The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; PL-4a. Low Baseline Controls
    The organization: Reviews and updates the rules of behavior [FedRAMP Assignment: at least every 3 years]; and PL-4c. Moderate Baseline Controls
    The organization: Reviews and updates the rules of behavior [FedRAMP Assignment: at least every 3 years]; and PL-4c. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351
    [The organization: Authorizes, monitors, and controls the use of mobile code within the information system. SC-18c. High Baseline Controls
    The organization: Authorizes, monitors, and controls the use of mobile code within the information system. SC-18c. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894
    [{social networking} The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites. PL-4(1) High Baseline Controls
    {social networking} The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites. PL-4(1) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Establish/Maintain Documentation Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Establish/Maintain Documentation Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [The organization: Defines acceptable and unacceptable mobile code and mobile code technologies; SC-18a. High Baseline Controls
    The organization: Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and SC-18b. High Baseline Controls
    The organization: Defines acceptable and unacceptable mobile code and mobile code technologies; SC-18a. Moderate Baseline Controls
    The organization: Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and SC-18b. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Establish/Maintain Documentation Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749
    [The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. CM-5(3) High Baseline Controls
    The organization: Establishes [Assignment: organization-defined policies] governing the installation of software by users; CM-11a. High Baseline Controls
    The organization: Enforces software installation policies through [Assignment: organization-defined methods]; and CM-11b. High Baseline Controls
    The organization: Establishes [Assignment: organization-defined policies] governing the installation of software by users; CM-11a. Low Baseline Controls
    The organization: Enforces software installation policies through [Assignment: organization-defined methods]; and CM-11b. Low Baseline Controls
    The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. CM-5(3) Moderate Baseline Controls
    The organization: Establishes [Assignment: organization-defined policies] governing the installation of software by users; CM-11a. Moderate Baseline Controls
    The organization: Enforces software installation policies through [Assignment: organization-defined methods]; and CM-11b. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431
    [The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; PL-4a. High Baseline Controls
    The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; PL-4a. Moderate Baseline Controls
    The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; PL-4a. Low Baseline Controls]
    Communicate Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661
    [The organization: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; PL-4b. High Baseline Controls
    The organization: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; PL-4b. Moderate Baseline Controls
    The organization: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; PL-4b. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663
    [The organization: Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. PL-4d. High Baseline Controls
    The organization: Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. PL-4d. Moderate Baseline Controls
    The organization: Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. PL-4d. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821
    [The organization: Uses software and associated documentation in accordance with contract agreements and copyright laws; CM-10a. High Baseline Controls
    {unauthorized display} {unauthorized performance} {unauthorized reproduction} The organization: Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. CM-10c. High Baseline Controls
    The organization: Uses software and associated documentation in accordance with contract agreements and copyright laws; CM-10a. Low Baseline Controls
    The organization: Uses software and associated documentation in accordance with contract agreements and copyright laws; CM-10a. Moderate Baseline Controls
    {unauthorized display} {unauthorized performance} {unauthorized reproduction} The organization: Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. CM-10c. Moderate Baseline Controls
    {unauthorized display} {unauthorized performance} {unauthorized reproduction} The organization: Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. CM-10c. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Business Processes Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Establish/Maintain Documentation Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Establish/Maintain Documentation Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Establish/Maintain Documentation Preventive
    Identify the sender in all electronic messages. CC ID 13996 Data and Information Management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603
    [{unauthorized modification} The organization develops, documents, and implements a configuration management plan for the information system that: Protects the configuration management plan from unauthorized disclosure and modification. CM-9d. High Baseline Controls
    {unauthorized modification} The organization: Protects the contingency plan from unauthorized disclosure and modification. CP-2g. High Baseline Controls
    {unauthorized modification} Protects the incident response plan from unauthorized disclosure and modification. IR-8f. High Baseline Controls
    {unauthorized modification} The organization: Protects the security plan from unauthorized disclosure and modification. PL-2e. High Baseline Controls
    The organization: Protects documentation as required, in accordance with the risk management strategy; and SA-5d. High Baseline Controls
    {unauthorized modification} The organization: Protects the contingency plan from unauthorized disclosure and modification. CP-2g. Low Baseline Controls
    {unauthorized modification} The organization develops, documents, and implements a configuration management plan for the information system that: Protects the configuration management plan from unauthorized disclosure and modification. CM-9d. Moderate Baseline Controls
    {unauthorized modification} Protects the incident response plan from unauthorized disclosure and modification. IR-8f. Moderate Baseline Controls
    {unauthorized modification} The organization: Protects the security plan from unauthorized disclosure and modification. PL-2e. Moderate Baseline Controls
    The organization: Protects documentation as required, in accordance with the risk management strategy; and SA-5d. Moderate Baseline Controls
    {unauthorized modification} Protects the incident response plan from unauthorized disclosure and modification. IR-8f. Low Baseline Controls
    {unauthorized modification} The organization: Protects the security plan from unauthorized disclosure and modification. PL-2e. Low Baseline Controls
    The organization: Protects documentation as required, in accordance with the risk management strategy; and SA-5d. Low Baseline Controls
    {unauthorized modification} The organization: Protects the contingency plan from unauthorized disclosure and modification. CP-2g. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Business Processes Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Establish Roles Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185
    [The organization: Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. RA-2c. High Baseline Controls
    The organization: Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. RA-2c. Moderate Baseline Controls
    The organization: Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. RA-2c. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631
    [The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. CM-8(1) High Baseline Controls
    The organization develops and documents an inventory of information system components that: Includes all components within the authorization boundary of the information system; CM-8a.2. High Baseline Controls
    The organization develops and documents an inventory of information system components that: Is at the level of granularity deemed necessary for tracking and reporting; and CM-8a.3. High Baseline Controls
    The organization develops and documents an inventory of information system components that: Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and CM-8a.4. High Baseline Controls
    The organization develops and documents an inventory of information system components that: Accurately reflects the current information system; CM-8a.1. High Baseline Controls
    The organization: Develops and documents an inventory of information system components that: CM-8a. High Baseline Controls
    The organization: Reviews and updates the information system component inventory [FedRAMP Assignment: at least monthly]. CM-8b. High Baseline Controls
    The organization: Develops and documents an inventory of information system components that: CM-8a. Low Baseline Controls
    The organization develops and documents an inventory of information system components that: Accurately reflects the current information system; CM-8a.1. Low Baseline Controls
    The organization develops and documents an inventory of information system components that: Includes all components within the authorization boundary of the information system; CM-8a.2. Low Baseline Controls
    The organization develops and documents an inventory of information system components that: Is at the level of granularity deemed necessary for tracking and reporting; and CM-8a.3. Low Baseline Controls
    The organization develops and documents an inventory of information system components that: Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and CM-8a.4. Low Baseline Controls
    The organization: Reviews and updates the information system component inventory [FedRAMP Assignment: at least monthly]. CM-8b. Low Baseline Controls
    The organization: Develops and documents an inventory of information system components that: CM-8a. Moderate Baseline Controls
    The organization develops and documents an inventory of information system components that: Accurately reflects the current information system; CM-8a.1. Moderate Baseline Controls
    The organization develops and documents an inventory of information system components that: Includes all components within the authorization boundary of the information system; CM-8a.2. Moderate Baseline Controls
    The organization develops and documents an inventory of information system components that: Is at the level of granularity deemed necessary for tracking and reporting; and CM-8a.3. Moderate Baseline Controls
    The organization develops and documents an inventory of information system components that: Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and CM-8a.4. Moderate Baseline Controls
    The organization: Reviews and updates the information system component inventory [FedRAMP Assignment: at least monthly]. CM-8b. Moderate Baseline Controls
    The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. CM-8(1) Moderate Baseline Controls]
    Business Processes Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Establish/Maintain Documentation Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Establish/Maintain Documentation Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Systems Design, Build, and Implementation Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Data and Information Management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Establish/Maintain Documentation Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Establish/Maintain Documentation Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Establish/Maintain Documentation Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Establish/Maintain Documentation Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Establish/Maintain Documentation Preventive
    Conduct environmental surveys. CC ID 00690 Physical and Environmental Protection Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Establish/Maintain Documentation Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Establish/Maintain Documentation Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Establish/Maintain Documentation Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Process or Activity Preventive
    Include software in the Information Technology inventory. CC ID 00692 Establish/Maintain Documentation Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Establish/Maintain Documentation Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Establish/Maintain Documentation Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Establish/Maintain Documentation Preventive
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052
    [The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories. CM-8(5) High Baseline Controls
    The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories. CM-8(5) Moderate Baseline Controls]
    Monitor and Evaluate Occurrences Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Monitor and Evaluate Occurrences Corrective
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Establish/Maintain Documentation Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054
    [The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components. CM-8(2) High Baseline Controls]
    Technical Security Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Technical Security Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Data and Information Management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Establish/Maintain Documentation Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Data and Information Management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Data and Information Management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Establish/Maintain Documentation Preventive
    Include source code in the asset inventory. CC ID 14858 Records Management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Human Resources Management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Technical Security Detective
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Establish/Maintain Documentation Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736
    [The organization: Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and CM-10b. High Baseline Controls
    The organization: Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and CM-10b. Low Baseline Controls
    The organization: Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and CM-10b. Moderate Baseline Controls]
    Data and Information Management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Establish/Maintain Documentation Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Establish/Maintain Documentation Preventive
    Record the software version in the asset inventory. CC ID 12196 Establish/Maintain Documentation Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Establish/Maintain Documentation Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Establish/Maintain Documentation Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Establish/Maintain Documentation Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Establish/Maintain Documentation Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Establish/Maintain Documentation Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Establish/Maintain Documentation Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Establish/Maintain Documentation Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Establish/Maintain Documentation Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Establish/Maintain Documentation Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Data and Information Management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Establish/Maintain Documentation Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Data and Information Management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Establish/Maintain Documentation Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Establish/Maintain Documentation Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Establish/Maintain Documentation Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Establish/Maintain Documentation Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Establish/Maintain Documentation Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Establish/Maintain Documentation Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Establish/Maintain Documentation Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Data and Information Management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Data and Information Management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Establish/Maintain Documentation Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640
    [{be responsible} {be accountable} The organization includes in the information system component inventory information, a means for identifying by [FedRAMP Selection : position and role], individuals responsible/accountable for administering those components. CM-8(4) High Baseline Controls]
    Establish/Maintain Documentation Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Establish/Maintain Documentation Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Establish/Maintain Documentation Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Establish/Maintain Documentation Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a software accountability policy. CC ID 00868
    [The organization: Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and CM-7(5)(b) High Baseline Controls
    The organization: Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and CM-7(5)(b) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Establish/Maintain Documentation Preventive
    Prevent users from disabling required software. CC ID 16417 Technical Security Preventive
    Establish, implement, and maintain software archives procedures. CC ID 00866 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software license management procedures. CC ID 06639 Establish/Maintain Documentation Preventive
    Automate software license monitoring, as necessary. CC ID 07057 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a system redeployment program. CC ID 06276
    [Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. MA-5(1)(b) High Baseline Controls
    Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. MA-5(1)(b) Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339
    [The organization: Removes the component to be serviced from the information system and prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system. MA-4(3)(b) High Baseline Controls]
    Testing Detective
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Behavior Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Data and Information Management Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Acquisition/Sale of Assets or Services Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Establish/Maintain Documentation Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Establish/Maintain Documentation Preventive
    Establish and maintain maintenance reports. CC ID 11749
    [The organization: Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; MA-2a. High Baseline Controls
    The organization: Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed. MA-2(2)(b) High Baseline Controls
    The organization: Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and MA-2(2)(a) High Baseline Controls
    The organization: Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. MA-2f. High Baseline Controls
    The organization: Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. MA-2f. Moderate Baseline Controls
    The organization: Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; MA-2a. Low Baseline Controls
    The organization: Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. MA-2f. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish and maintain system inspection reports. CC ID 06346 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. High Baseline Controls
    The organization: Reviews and updates the current: System maintenance policy [FedRAMP Assignment: at least annually]; and MA-1b.1. High Baseline Controls
    Reviews and updates the current: System maintenance policy [FedRAMP Assignment: at least every 3 years]; and MA-1b.1. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Moderate Baseline Controls
    Reviews and updates the current: System maintenance policy [FedRAMP Assignment: at least every 3 years]; and MA-1b.1. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include management commitment in the system maintenance policy. CC ID 14216
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include the scope in the system maintenance policy. CC ID 14214
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Moderate Baseline Controls]
    Communicate Preventive
    Include the purpose in the system maintenance policy. CC ID 14187
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. High Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1. Moderate Baseline Controls]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and MA-1a.2. High Baseline Controls
    The organization: Reviews and updates the current: System maintenance procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. MA-1b.2. High Baseline Controls
    Reviews and updates the current: System maintenance procedures [FedRAMP Assignment: at least annually]. MA-1b.2. Moderate Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and MA-1a.2. Low Baseline Controls
    The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and MA-1a.2. Moderate Baseline Controls
    Reviews and updates the current: System maintenance procedures [FedRAMP Assignment: at least annually]. MA-1b.2. Low Baseline Controls]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194
    [The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the