
Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 5



AD ID

0003241

AD STATUS


ORIGINATOR

US National Institute of Standards and Technology

TYPE

International or National Standard

AVAILABILITY

Free

SYNONYMS

NIST SP 800-53 R5

Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53

EFFECTIVE

2020-09-23

ADDED

The document as a whole was last reviewed and released on 2020-12-07T00:00:00-0800.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2021 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has made every effort to ensure that the mapping is of the highest quality. Further information on the process used to map Authority Documents, and on how to become involved in that process, is available from the UCF.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis shown here is only a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of every Citation found within Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 5, tagged with its primary and secondary nouns and primary and secondary verbs, in four-column format. The first column shows the Citation (the marker within the Authority Document that points to where the guidance was found). The second column shows the Citation guidance itself, along with the tagging for the mandate found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the fourth column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 5 are drawn from the Authority Document's defined-terms section (which most legal documents have), from its glossary, and, for the most part, from the terms tagged within each mandate. Linked terms are the standardized version of the term.



Common Controls and mandates by Impact Zone

1318 Mandated Controls (bold in the original), 261 Implied Controls (italic in the original), 8839 Implementation Controls (regular text in the original).

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 10418 Total

Impact Zone: Acquisition or sale of facilities, technology, and services (174 Controls)

KEY: In the original, tagged terms are colour-coded as Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, and Limiting Term, and control rows are styled Mandated (bold), Implied (italic), or Implementation (regular). In the listing below each row gives the Common Control text and its CC ID; where SP 800-53 mandates are mapped to the control, they follow in square brackets, each ending with its SP 800-53 control identifier (for example SA-4b.), with text in braces marking the term the mapping team tagged for that mandate; the row closes with the control's TYPE and CLASS (Preventive, Detective, or Corrective).

Acquisition or sale of facilities, technology, and services. CC ID 01123 IT Impact Zone IT Impact Zone
    Establish and maintain a product upgrade program. CC ID 12216 Establish/Maintain Documentation Preventive
    Establish and maintain product update procedures. CC ID 12218
    [Assess the system, system component, or system service prior to selection, acceptance, modification, or update. SR-5(2) ¶ 1]
    Establish/Maintain Documentation Preventive
    Plan for selling facilities, technology, or services. CC ID 06893 Acquisition/Sale of Assets or Services Preventive
    Provide identification mechanisms for the organization's supply chain members. CC ID 12201
    [Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations]. IA-4(6) ¶ 1]
    Business Processes Preventive
    Plan for acquiring facilities, technology, or services. CC ID 06892
[Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; SA-3a.]
    Acquisition/Sale of Assets or Services Preventive
    Involve all stakeholders in the acquisition process. CC ID 13169 Human Resources Management Preventive
    Allocate sufficient resources to protect Information Systems during capital planning. CC ID 01444
    [Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and SA-2b.
    {information security resource} Make available for expenditure, the planned information security and privacy resources. PM-3c.]
    Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain system acquisition contracts. CC ID 14758
    [Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: SA-4 Control]
    Establish/Maintain Documentation Preventive
    Include security requirements in system acquisition contracts. CC ID 01124
    [{information security requirements} Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; SA-2a.
{security strength requirements} Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Strength of mechanism requirements; SA-4b.
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Security and privacy documentation requirements; SA-4e.
{security assurance requirements} Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Security and privacy assurance requirements; SA-4c.
    {privacy requirement} Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function. SA-4(11) ¶ 1
    Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: [Assignment: organization-defined systems engineering methods]; SA-4(3) ¶ 1(a)
    {security engineering method} Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: [Assignment: organization-defined [Selection (one or more): systems security; privacy] engineering methods]; and SA-4(3) ¶ 1(b)
    Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Security and privacy functional requirements; SA-4a.
{security-related documentation} Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Requirements for protecting security and privacy documentation; SA-4f.]
    Establish/Maintain Documentation Preventive
    Include operational requirements in system acquisition contracts. CC ID 00825 Establish/Maintain Documentation Preventive
    Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 Establish/Maintain Documentation Preventive
    Include required service levels in system acquisition contracts. CC ID 11652 Establish/Maintain Documentation Preventive
    Include security controls in system acquisition contracts. CC ID 01125
    [{security requirements} Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Controls needed to satisfy the security and privacy requirements. SA-4d.]
    Establish/Maintain Documentation Preventive
    Include the cost effectiveness of security controls in system acquisition contracts. CC ID 11653 Technical Security Detective
    Obtain system documentation before acquiring products and services. CC ID 01445
    [Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented. SA-4(1) ¶ 1
    Obtain or develop administrator documentation for the system, system component, or system service that describes: SA-5a.]
    Establish/Maintain Documentation Preventive
    Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309
[{security function} {security mechanisms} Obtain or develop administrator documentation for the system, system component, or system service that describes: Effective use and maintenance of security and privacy functions and mechanisms; and SA-5a.2.]
    Establish/Maintain Documentation Preventive
    Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302
[{administrative function} Obtain or develop administrator documentation for the system, system component, or system service that describes: Known vulnerabilities regarding configuration and use of administrative or privileged functions; SA-5a.3.]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285
    [Distribute documentation to [Assignment: organization-defined personnel or roles]. SA-5d.]
    Communicate Preventive
    Document attempts to obtain system documentation. CC ID 14284
    [Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and SA-5c.]
    Process or Activity Corrective
    Obtain user documentation before acquiring products and services. CC ID 14283
    [Obtain or develop user documentation for the system, system component, or system service that describes: SA-5b.]
    Acquisition/Sale of Assets or Services Preventive
    Include instructions on how to use the security functions in the user documentation. CC ID 14314
    [{security functions} Obtain or develop user documentation for the system, system component, or system service that describes: User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; SA-5b.1.]
    Establish/Maintain Documentation Preventive
    Include security functions in the user documentation. CC ID 14313
    [{security functions} Obtain or develop user documentation for the system, system component, or system service that describes: User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; SA-5b.1.]
    Establish/Maintain Documentation Preventive
    Include user responsibilities for maintaining system security in the user documentation. CC ID 14312
    [Obtain or develop user documentation for the system, system component, or system service that describes: User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; SA-5b.3.]
    Establish/Maintain Documentation Preventive
    Include a description of user interactions in the user documentation. CC ID 14311
    [Obtain or develop user documentation for the system, system component, or system service that describes: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and SA-5b.2.]
    Establish/Maintain Documentation Preventive
    Require the information system developer to create a continuous monitoring plan. CC ID 14307
    [Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization. SA-4(8) ¶ 1
    {security tracking tool} Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process. SA-15(2) ¶ 1]
    Establish/Maintain Documentation Preventive
    Provide a Configuration Management plan by the Information System developer for all newly acquired information technology assets. CC ID 01446
    [The organization requires the developer of the information system, system component, or information system service to: Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and SA-4(5) ¶ 1(a)
    The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service; SA-5a.1.
    Require the developer of the system, system component, or system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal]; SA-10a.
    {external system service provider} Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services]. SA-9(2) ¶ 1]
    Testing Detective
    Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets. CC ID 01447
    [Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: SA-11(2) ¶ 1
    Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; SA-11(2) ¶ 1(a)
    Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: Employs the following tools and methods: [Assignment: organization-defined tools and methods]; SA-11(2) ¶ 1(b)
    Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and SA-11(2) ¶ 1(c)
    Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria]. SA-11(2) ¶ 1(d)
    Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: [Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes]. SA-4(3) ¶ 1(c)
    Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; SA-11c.
    Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; SA-11b.
    Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results. SA-11(9) ¶ 1
{security assessment} Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Develop and implement a plan for ongoing security and privacy assessments; SA-11a.
    {security testing} Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation]. SA-11(7) ¶ 1]
    Testing Detective
    Include roles and responsibilities in system acquisition contracts. CC ID 14765
    [Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and SA-4h.]
    Establish/Maintain Documentation Preventive
    Include the acceptance criteria in system acquisition contracts. CC ID 14288
    [Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Acceptance criteria. SA-4i.]
    Acquisition/Sale of Assets or Services Preventive
    Include a description of the development environment and operational environment in system acquisition contracts. CC ID 14256
    [Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Description of the system development environment and environment in which the system is intended to operate; SA-4g.]
    Acquisition/Sale of Assets or Services Preventive
    Identify and include alternatives to meeting the security requirements when acquiring Information Technology assets. CC ID 01128 Acquisition/Sale of Assets or Services Detective
    Conduct an acquisition feasibility study prior to acquiring Information Technology assets. CC ID 01129
    [Assess the system, system component, or system service prior to selection, acceptance, modification, or update. SR-5(2) ¶ 1]
    Acquisition/Sale of Assets or Services Detective
    Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135
    [Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and SA-9(1)(a)]
    Testing Detective
    Refrain from implementing systems that are beyond the organization's risk acceptance level. CC ID 13054 Acquisition/Sale of Assets or Services Preventive
    Approve the risk assessment report of operational risks as a part of the acquisition feasibility study. CC ID 11666 Technical Security Preventive
    Establish test environments separate from the production environment to support feasibility testing before product acquisition. CC ID 01130 Configuration Preventive
    Establish test environments separate from the production environment to support integration testing before product acquisition. CC ID 11668 Testing Detective
    Analyze the proposed Information Architecture as it pertains to acquisition feasibility. CC ID 01132 Acquisition/Sale of Assets or Services Detective
    Establish, implement, and maintain a product and services acquisition strategy. CC ID 01133
    [Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. SR-5 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a product and services acquisition program. CC ID 01136 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a product and services acquisition policy. CC ID 14028
    [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and SA-1a.1(b)
    Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: SA-1a.1.]
    Establish/Maintain Documentation Preventive
    Review and update the product and services acquisition policy. CC ID 14164
    [{system and services acquisition policy} Review and update the current system and services: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and SA-1c.1.]
    Establish/Maintain Documentation Corrective
    Include compliance requirements in the product and services acquisition policy. CC ID 14163
    [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the product and services acquisition policy. CC ID 14162
    [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include management commitment in the product and services acquisition policy. CC ID 14161
    [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the product and services acquisition policy. CC ID 14160
    [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the scope in the product and services acquisition policy. CC ID 14159
    [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the purpose in the product and services acquisition policy. CC ID 14158
    [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: SA-1a.1.]
    Communicate Preventive
    Establish, implement, and maintain product and services acquisition procedures. CC ID 14065
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; SA-1a.2.]
    Establish/Maintain Documentation Preventive
    Review and update the product and services acquisition procedures, as necessary. CC ID 14153
    [{system and services acquisition procedures} Review and update the current system and services: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. SA-1c.2.]
    Establish/Maintain Documentation Corrective
    Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; SA-1a.2.]
    Communicate Preventive
    Establish and maintain acquisition approval requirements. CC ID 13704 Establish/Maintain Documentation Preventive
    Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 Communicate Preventive
    Include preventive maintenance contracts in system acquisition contracts. CC ID 06658 Establish/Maintain Documentation Preventive
    Prohibit the use of Personal Electronic Devices, absent approval. CC ID 04599
    [Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions]. AC-20(3) ¶ 1]
    Behavior Detective
    Sign a forfeiture statement acknowledging unapproved Personal Electronic Devices will be confiscated. CC ID 11667 Physical and Environmental Protection Preventive
    Include chain of custody procedures in the product and services acquisition program. CC ID 10058 Acquisition/Sale of Assets or Services Preventive
    Review and update the acquisition contracts, as necessary. CC ID 14279
    [{security plans} Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. PL-8c.]
    Acquisition/Sale of Assets or Services Corrective
    Establish, implement, and maintain a software product acquisition methodology. CC ID 01138
    [Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements]. SC-18(2) ¶ 1]
    Establish/Maintain Documentation Preventive
    Align the service management program with the Code of Conduct. CC ID 14211 Establish/Maintain Documentation Preventive
    Store source code documentation in escrow by an independent third party. CC ID 01139 Testing Detective
    Review software licensing agreements to ensure compliance. CC ID 01140 Establish/Maintain Documentation Detective
    Establish, implement, and maintain third party Software Maintenance Agreements. CC ID 01143 Establish/Maintain Documentation Preventive
    Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836
    [{approve}{relevant authority} Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and SA-4(6)(a)
    {approved product list} Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. SA-4(10) ¶ 1
    {external requirement}{information assurance product}{information technology product} Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. SA-4(6)(b)
    {external requirement} Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and SA-4(7)(a)
    Obtain software and data employed during system component and service refreshes from the following trusted sources: [Assignment: organization-defined trusted sources]. SI-14(1) ¶ 1
    Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: The device meets [Assignment: organization-defined strength of mechanism requirements]. IA-2(6) ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Install software that originates from approved third parties. CC ID 12184 Technical Security Preventive
    Promote joint acquisition of products or services. CC ID 11453 Acquisition/Sale of Assets or Services Preventive
    Acquire products or services. CC ID 11450
    [{be different} Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. PL-8(2) ¶ 1]
    Acquisition/Sale of Assets or Services Preventive
    Acquire products through suppliers, as necessary. CC ID 13171 Acquisition/Sale of Assets or Services Preventive
    Pay suppliers in a timely manner. CC ID 06891 Acquisition/Sale of Assets or Services Preventive
    Register new systems with the program office or other applicable stakeholder. CC ID 13986 Business Processes Preventive
    Refrain from accepting assets with questionable provenance. CC ID 12194 Business Processes Preventive
    Discourage the modification of vendor-supplied software. CC ID 12016 Process or Activity Preventive
    Refuse acquisition of products or services absent acquisition approval. CC ID 11451 Acquisition/Sale of Assets or Services Preventive
    Establish and maintain an anti-counterfeit program for acquiring new systems. CC ID 10641
    [Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and SR-11a.]
    Establish/Maintain Documentation Detective
    Establish and maintain an anti-counterfeit policy. CC ID 11499 Establish/Maintain Documentation Detective
    Include details and legal requirements in the anti-counterfeit policy. CC ID 11500 Establish/Maintain Documentation Detective
    Include notification procedures in the anti-counterfeit policy. CC ID 11501 Establish/Maintain Documentation Detective
    Include directions for the quarantine process in the anti-counterfeit policy. CC ID 11502 Establish/Maintain Documentation Detective
    Include evidence gathering procedures in the anti-counterfeit policy. CC ID 11503 Establish/Maintain Documentation Detective
    Include directions to not request the return of products that are found to be counterfeit in the anti-counterfeit policy. CC ID 11504 Establish/Maintain Documentation Detective
    Include counterfeit product quarantine procedures in the anti-counterfeit policy. CC ID 11505 Establish/Maintain Documentation Detective
    Include the counterfeit product reporting procedures in the anti-counterfeit policy. CC ID 11506 Establish/Maintain Documentation Detective
    Establish and maintain anti-counterfeit procedures. CC ID 11498 Establish/Maintain Documentation Detective
    Agree upon anti-counterfeit authentication tools to be used for counterfeit testing. CC ID 11566 Establish/Maintain Documentation Detective
    Scan for potential counterfeit parts and potential counterfeit components. CC ID 10643
    [Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and SR-11a.
    Scan for counterfeit system components [Assignment: organization-defined frequency]. SR-11(3) ¶ 1]
    Physical and Environmental Protection Detective
    Terminate employees that traffic counterfeit products. CC ID 11479 Physical and Environmental Protection Detective
    Seize counterfeit products. CC ID 11510
    [Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and SR-11a.]
    Physical and Environmental Protection Detective
    Conduct a visual examination of all parts and components as part of anti-counterfeit testing. CC ID 11567 Physical and Environmental Protection Detective
    Visually examine to verify all parts are received in a single shipment. CC ID 11569 Physical and Environmental Protection Detective
    Visually examine to verify all parts are marked with part identification codes. CC ID 11570 Physical and Environmental Protection Detective
    Visually examine to verify all parts of the same type are identical. CC ID 11571 Physical and Environmental Protection Detective
    Visually examine to verify all parts are packaged identically. CC ID 11572 Physical and Environmental Protection Detective
    Visually examine to verify all parts have maintained their physical placement in packaging relative to each other. CC ID 11573 Physical and Environmental Protection Detective
    Compare the packaging of parts being inspected to the supplier's packaging description. CC ID 11575 Physical and Environmental Protection Detective
    Visually examine to verify all parts have not been resurfaced or reshaped. CC ID 11578 Physical and Environmental Protection Detective
    Utilize a solvent test to verify parts have not been resurfaced or reshaped, as necessary. CC ID 11579 Physical and Environmental Protection Detective
    Compare potential counterfeit parts and potential counterfeit components to authentic parts and authentic components. CC ID 11568 Physical and Environmental Protection Detective
    Use a minimum of 3X optical magnification when comparing a potential counterfeit part and potential counterfeit component to an authentic part and authentic component. CC ID 11574 Physical and Environmental Protection Detective
    Compare the dimensions of a potential counterfeit part or potential counterfeit component to the authentic part's or authentic component's dimensions. CC ID 11576 Physical and Environmental Protection Detective
    Compare the specifications of the potential counterfeit parts and potential counterfeit components to the specifications for the authentic parts and authentic components. CC ID 11577 Physical and Environmental Protection Detective
    Conduct scanning acoustic microscopy inspections of all potential counterfeit parts and potential counterfeit components. CC ID 11580 Physical and Environmental Protection Detective
    Conduct scanning acoustic microscopy inspections of the top and bottom component package surfaces. CC ID 11581 Physical and Environmental Protection Detective
    Conduct scanning acoustic microscopy inspections of interior top scans of the die, die paddle, bond wires, and lead frames. CC ID 11582 Physical and Environmental Protection Detective
    Conduct scanning acoustic microscopy inspections to include overall calculations showing the percentage of die-voiding that is present. CC ID 11583 Physical and Environmental Protection Detective
    Conduct x-ray inspections of all potential counterfeit parts and potential counterfeit components. CC ID 11584 Physical and Environmental Protection Detective
    Conduct lead finish inspections of all potential counterfeit parts and potential counterfeit components. CC ID 11585 Physical and Environmental Protection Detective
    Conduct electrical testing inspections of all potential counterfeit parts and potential counterfeit components. CC ID 11586 Physical and Environmental Protection Detective
    Follow the applicable performance data sheet when conducting electrical testing inspections of all potential counterfeit parts and potential counterfeit components. CC ID 11587 Physical and Environmental Protection Detective
    Conduct pre-burn-in electrical testing inspections and post-burn-in electrical testing inspections of all potential counterfeit parts and potential counterfeit components. CC ID 11588 Physical and Environmental Protection Detective
    Conduct destructive physical analysis on a representative sample of all potential counterfeit parts and potential counterfeit components. CC ID 11589 Physical and Environmental Protection Detective
    Create and distribute a counterfeit product report. CC ID 10642
    [Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. SR-11b.]
    Communicate Corrective
    Include a detailed description of the counterfeit product in the counterfeit product report. CC ID 11481 Communicate Corrective
    Include the source of the counterfeit product in the counterfeit product report. CC ID 11482 Communicate Corrective
    Include the cost of the counterfeit product in the counterfeit product report. CC ID 11483 Communicate Corrective
    Include a description of the counterfeit indications in the counterfeit product report. CC ID 11484 Communicate Corrective
    Include product information about the counterfeit product in the counterfeit product report. CC ID 11491 Communicate Corrective
    Generalize the information about seized counterfeit products in the counterfeit product report. CC ID 11511 Communicate Corrective
    Disseminate and communicate the counterfeit product report to appropriate law enforcement authorities. CC ID 11490
    [Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. SR-11b.]
    Communicate Corrective
    Disseminate and communicate the counterfeit product report to the supplier. CC ID 11494
    [Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. SR-11b.]
    Communicate Corrective
    Request a counterfeit product investigation from the supplier as part of the counterfeit product report. CC ID 11495 Communicate Corrective
    Exclude the supplier's information from the counterfeit product report unless the supplier is a proven counterfeiter. CC ID 11507 Communicate Corrective
    Exclude the supplier's information from the counterfeit product report unless a subpoena requires it. CC ID 11508 Communicate Corrective
    Ban counterfeit products from all facilities. CC ID 11480 Business Processes Preventive
    Quarantine counterfeit materials and counterfeit products. CC ID 11485 Establish/Maintain Documentation Detective
    Quarantine counterfeit products and counterfeit materials for a period of time determined by counterfeit product quarantine procedures. CC ID 11565 Establish/Maintain Documentation Detective
    Release counterfeit products and counterfeit materials from quarantine only for evaluation. CC ID 11486 Establish/Maintain Documentation Detective
    Refrain from returning counterfeit products and counterfeit materials to the source. CC ID 11487 Establish/Maintain Documentation Detective
    Refrain from requesting the return of counterfeit products and counterfeit materials. CC ID 11488 Establish/Maintain Documentation Detective
    Notify interested personnel and affected parties regarding the status of a request to release counterfeit products or counterfeit materials. CC ID 11509 Establish/Maintain Documentation Detective
    Mark counterfeit products and counterfeit materials as being counterfeit. CC ID 11600 Establish/Maintain Documentation Detective
    Establish and maintain shipped counterfeit product procedures. CC ID 11492 Establish/Maintain Documentation Detective
    Refund or replace counterfeit products when notified they were shipped by the organization. CC ID 11493 Establish/Maintain Documentation Detective
    Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144
    [Assess the system, system component, or system service prior to selection, acceptance, modification, or update. SR-5(2) ¶ 1]
    Establish/Maintain Documentation Preventive
    Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 Testing Detective
    Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 Testing Detective
    Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 Testing Detective
    Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 Testing Detective
    Test new software or upgraded software for security vulnerabilities. CC ID 01898 Testing Detective
    Test new software or upgraded software for compatibility with the current system. CC ID 11654 Testing Detective
    Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 Testing Detective
    Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899
    [Require the developer of the system, system component, or system service to enable integrity verification of hardware components. SA-10(3) ¶ 1]
    Testing Detective
    Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 Testing Detective
    Correct defective acquired goods or services. CC ID 06911 Acquisition/Sale of Assets or Services Corrective
    Authorize new assets prior to putting them into the production environment. CC ID 13530
    [Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. SA-9(1)(b)]
    Process or Activity Preventive
    Establish and maintain a consumer complaint management program. CC ID 04570
    [{security practice} Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: PM-26 Control]
    Business Processes Preventive
    Document consumer complaints. CC ID 13903 Business Processes Preventive
    Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 Establish/Maintain Documentation Preventive
    Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 Establish/Maintain Documentation Preventive
    Post the dispute resolution body's contact information in an easily seen location at facilities. CC ID 13812
    [{complaint process}{include}{be accessible} Mechanisms that are easy to use and readily accessible by the public; PM-26a.]
    Communicate Preventive
    Provide users a list of the available dispute resolution bodies. CC ID 13814 Communicate Preventive
    Post the dispute resolution body's contact information on the organization's website. CC ID 13811 Communicate Preventive
    Establish and maintain consumer complaint escalation procedures. CC ID 07208
    [{complaint process}{include} Acknowledgement of receipt of complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]; and PM-26d.]
    Establish/Maintain Documentation Preventive
    Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 Actionable Reports or Measurements Preventive
    Establish and maintain notice and take-down procedures. CC ID 09963 Establish/Maintain Documentation Preventive
    Check communications for take-down requests. CC ID 09964 Monitor and Evaluate Occurrences Preventive
    Include complete information in the take-down request. CC ID 09965 Business Processes Detective
    Include the complainant's contact information in the take-down request. CC ID 09966 Business Processes Detective
    Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 Business Processes Detective
    Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 Business Processes Detective
    Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 Business Processes Detective
    Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 Business Processes Preventive
    Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 Business Processes Detective
    Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 Business Processes Detective
    Notify the complainant regarding any missing information in the take-down request. CC ID 09973 Behavior Preventive
    Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 Business Processes Detective
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 Establish/Maintain Documentation Preventive
    Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 Establish/Maintain Documentation Preventive
    Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 Establish/Maintain Documentation Preventive
    Remove all unlawful material associated with the take-down request that has not yet been removed and is feasible to remove. CC ID 09978 Business Processes Preventive
    Notify the complainant when all unlawful material associated with the take-down notice that can be removed has been removed. CC ID 09979 Business Processes Preventive
    Process product return requests. CC ID 11598 Acquisition/Sale of Assets or Services Corrective
    Refrain from returning products absent a return request authorization. CC ID 11599 Acquisition/Sale of Assets or Services Corrective
  • Audits and risk management
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Establish and maintain an audit program. CC ID 00684 Establish/Maintain Documentation Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents as defined in the audit scope. CC ID 06730 Audits and Risk Management Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [Develop a control assessment plan that describes the scope of the assessment including: Assessment procedures to be used to determine control effectiveness; and CA-2b.2.]
    Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155
    [Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and PM-11b.
    Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; PM-31b.]
    Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
    Establish and maintain organizational audit reports. CC ID 06731 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Establish/Maintain Documentation Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653
    [{audit record review} Report findings to [Assignment: organization-defined personnel or roles]; and AU-6b.]
    Log Management Detective
    Implement a corrective action plan in response to the audit report. CC ID 06777
    [Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: Are developed and maintained; PM-4a.1.
    {information security program}{privacy program} Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: PM-4a.]
    Establish/Maintain Documentation Corrective
    Assign responsibility for remediation actions. CC ID 13622 Human Resources Management Preventive
    Review management's response to issues raised in past audit reports. CC ID 01149 Audits and Risk Management Detective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Establish/Maintain Documentation Preventive
    Establish and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Integrate the risk management program with the organization's business activities. CC ID 13661
    [{be consistent} Implement the risk management strategy consistently across the organization; and PM-9b.]
    Business Processes Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; RA-3b.]
    Business Processes Preventive
    Establish and maintain risk management strategies, as necessary. CC ID 13209
    [Develops a comprehensive strategy to manage: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and PM-9a.1.
    Develops a comprehensive strategy to manage: Privacy risk to individuals resulting from the authorized processing of personally identifiable information; PM-9a.2.]
    Establish/Maintain Documentation Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Establish/Maintain Documentation Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Establish/Maintain Documentation Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Establish/Maintain Documentation Preventive
    Establish and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Analyze the risk management strategy for addressing threats. CC ID 12925
    [{physical hazards} For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy. PE-23b.]
    Audits and Risk Management Detective
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456
    [Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and PM-10b.]
    Establish Roles Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: RA-1a.1.
    Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and RA-1a.1(b)]
    Establish/Maintain Documentation Preventive
    Review and update the risk assessment policy, as necessary. CC ID 14122
    [{risk assessment policy} Review and update the current risk assessment: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and RA-1c.1.]
    Establish/Maintain Documentation Corrective
    Include compliance requirements in the risk assessment policy. CC ID 14121
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: RA-1a.1.]
    Communicate Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; RA-1a.2.]
    Establish/Maintain Documentation Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Document cybersecurity risks. CC ID 12281 Establish/Maintain Documentation Preventive
    Engage third parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Establish and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and Risk Management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Establish/Maintain Documentation Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183
    [Review and update risk framing considerations [Assignment: organization-defined frequency]. PM-28c.]
    Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277 Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities to the system in the threat and risk classification scheme. CC ID 00699
    [Identifying threats to and vulnerabilities in the system; RA-3a.1.]
    Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443
    [Categorize the system and information it processes, stores, and transmits; RA-2a.]
    Audits and Risk Management Preventive
    Include the risks to the organization's critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and Risk Management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Establish/Maintain Documentation Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Establish/Maintain Documentation Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462
    [Use all-source intelligence to assist in the analysis of risk. RA-3(2) ¶ 1
    Identify and document: Assumptions affecting risk assessments, risk responses, and risk monitoring; PM-28a.1.]
    Establish/Maintain Documentation Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Establish/Maintain Documentation Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Establish/Maintain Documentation Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and Risk Management Preventive
    Review the risk assessment procedures, as necessary. CC ID 06460
    [{risk assessment procedures} Review and update the current risk assessment: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. RA-1c.2.
    Identify and document: Constraints affecting risk assessments, risk responses, and risk monitoring; PM-28a.2.]
    Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484
    [Identify and document: Assumptions affecting risk assessments, risk responses, and risk monitoring; PM-28a.1.]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; RA-1a.2.
    Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and PM-28b.]
    Communicate Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Establish/Maintain Documentation Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [Conduct a risk assessment, including: RA-3a.]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481
    [{security plans} Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; RA-3c.
    Produce a control assessment report that documents the results of the assessment; and CA-2e.]
    Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109
    [Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements]. CA-2(3) ¶ 1]
    Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. RA-3(1)(b)
    Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. RA-3f.]
    Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633
    [Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and RA-3e.
    Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. CA-2f.]
    Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Conduct a Business Impact Analysis based on the risk assessment findings in the risk assessment report. CC ID 01147 Audits and Risk Management Detective
    Document organizational risk tolerance in a risk register. CC ID 09961
    [Identify and document: Organizational risk tolerance; PM-28a.4.]
    Establish/Maintain Documentation Preventive
    Update the risk register, as necessary. CC ID 13047 Establish/Maintain Documentation Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Business Processes Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]. RA-3(4) ¶ 1
    Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; RA-3a.3.
    {unauthorized use} {unauthorized disclosure} {unauthorized modification} {unauthorized destruction} Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and RA-3a.2.]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [Identify and document: Priorities and trade-offs considered by the organization for managing risk; and PM-28a.3.]
    Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Behavior Preventive
    Establish and maintain a risk treatment plan. CC ID 11983 Establish/Maintain Documentation Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978
    [{security plans} Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; RA-3c.]
    Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619
    [Identify and document: Constraints affecting risk assessments, risk responses, and risk monitoring; PM-28a.2.]
    Establish/Maintain Documentation Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and CA-5a.
    {remedial action} Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and PM-4a.2.
    {information security program}{privacy program} Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: Are reported in accordance with established reporting requirements. PM-4a.3.]
    Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485
    [Review risk assessment results [Assignment: organization-defined frequency]; RA-3d.]
    Establish/Maintain Documentation Preventive
    Include risk responses in the risk management program. CC ID 13195
    [Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. RA-7 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: SR-1a.1.
    [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and SR-1a.1(b)
    Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; PM-30a.
    {consistent approach} Implement the supply chain risk management strategy consistently across the organization; and PM-30b.]
    Establish/Maintain Documentation Preventive
    Review and update the supply chain risk management policy. CC ID 14714
    [{supply chain risk management policy} Review and update the current supply chain risk management: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and SR-1c.1]
    Business Processes Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711
    [[Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SR-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710
    [[Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SR-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709
    [[Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SR-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708
    [[Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SR-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707
    [[Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SR-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706
    [[Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SR-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: SR-1a.1.]
    Communicate Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713
    [Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services]; SR-2a.]
    Establish/Maintain Documentation Preventive
    Review and update the supply chain risk management plan. CC ID 14719
    [Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes; and SR-2b.]
    Business Processes Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; SR-1a.2
    Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; SR-3a.
    Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and RA-3(1)(a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; SR-1a.2]
    Communicate Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Human Resources Management Preventive
    Analyze supply chain risk management procedures, as necessary. CC ID 13198
    [{supply chain risk management procedure} Review and update the current supply chain risk management: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. SR-1c.2.
    Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes. PM-30c.]
    Process or Activity Detective
    Review and update the risk management program, as necessary. CC ID 13049
    [Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. PM-9c.]
    Establish/Maintain Documentation Preventive
  • Harmonization Methods and Manual of Style
    5
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Harmonization Methods and Manual of Style CC ID 06095 IT Impact Zone IT Impact Zone
    Establish and maintain a matching program for external requirements and organizational records. CC ID 14764
    [When a system or organization processes information for the purpose of conducting a matching program: Obtain approval from the Data Integrity Board to conduct the matching program; PT-8a.]
    Business Processes Detective
    Review and update the matching program, as necessary. CC ID 14766
    [{annual basis} Conduct an annual review of all matching programs in which the agency has participated. PM-24b.]
    Establish/Maintain Documentation Corrective
    Request proposals to conduct or participate in a matching program. CC ID 14757 Establish/Maintain Documentation Preventive
    Review proposals to conduct or participate in a matching program. CC ID 14763
    [Review proposals to conduct or participate in a matching program; and PM-24a.]
    Establish/Maintain Documentation Detective
  • Human Resources management
    214
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish and maintain high level operational roles and responsibilities. CC ID 00806
    [Establish a Data Integrity Board to: PM-24 Control]
    Establish Roles Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091
    [Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. PM-2 Control]
    Establish Roles Preventive
    Establish, implement, and maintain a security operations center. CC ID 14762
    [Establish and maintain a security operations center. IR-4(14) ¶ 1]
    Human Resources Management Preventive
    Designate an alternate for each organizational leader. CC ID 12053 Human Resources Management Preventive
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Behavior Preventive
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 Human Resources Management Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 Establish Roles Preventive
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources Management Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Establish/Maintain Documentation Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources Management Preventive
    Establish, implement, and maintain candidate selection procedures for the board of directors. CC ID 14782 Establish/Maintain Documentation Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Establish/Maintain Documentation Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources Management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources Management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238
    [Assign a senior official as the authorizing official for the system; CA-6a.
    Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems; CA-6b.
    Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization. CA-6(1) ¶ 1]
    Establish Roles Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources Management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 Human Resources Management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources Management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources Management Corrective
    Define and assign board committees, as necessary. CC ID 14787 Human Resources Management Preventive
    Define and assign risk committees, as necessary. CC ID 14795 Human Resources Management Preventive
    Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 Establish/Maintain Documentation Preventive
    Define and assign audit committees, as necessary. CC ID 14788 Human Resources Management Preventive
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 Human Resources Management Preventive
    Define and assign compensation committees, as necessary. CC ID 14793 Human Resources Management Preventive
    Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 Establish Roles Preventive
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 Establish Roles Preventive
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810 Establish Roles Preventive
    Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 Establish Roles Preventive
    Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333
    [Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization. PM-29b.]
    Human Resources Management Preventive
    Define and assign roles and responsibilities for network management. CC ID 13128 Human Resources Management Preventive
    Define and assign the technology security leader's roles and responsibilities. CC ID 01897 Establish Roles Preventive
    Define and assign the security staff roles and responsibilities. CC ID 11750
    [{information security roles and responsibilities} Define and document information security and privacy roles and responsibilities throughout the system development life cycle; SA-3b.]
    Establish/Maintain Documentation Preventive
    Define and assign the property management leader's roles and responsibilities. CC ID 00669 Establish Roles Preventive
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 Establish Roles Preventive
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714
    [{assign} Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement applicable privacy requirements and manage privacy risks through the organization-wide privacy program. PM-19 Control]
    Establish Roles Preventive
    Define and assign the Information Technology facility management personnel's roles and responsibilities. CC ID 06381 Establish Roles Preventive
    Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 Establish/Maintain Documentation Preventive
    Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 Establish Roles Preventive
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources Management Preventive
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources Management Preventive
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources Management Preventive
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources Management Preventive
    Assign a contact person to all business units. CC ID 07144 Establish Roles Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Business Processes Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources Management Preventive
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources Management Preventive
    Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 Human Resources Management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267
    [Define and document organizational oversight and user roles and responsibilities with regard to external system services; and SA-9b.]
    Human Resources Management Preventive
    Establish and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources Management Preventive
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113 Establish Roles Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities]. SR-2(1) ¶ 1
    {information security process}{strategic planning process}{operational planning process} Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and PM-29a.]
    Human Resources Management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources Management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118
    [Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element]. CM-3(4) ¶ 1
    Require [Assignment: organization-defined security and privacy representatives] to be included in the [Assignment: organization-defined configuration change management and control process]. SA-10(7) ¶ 1]
    Human Resources Management Preventive
    Identify and define all key Information Technology roles. CC ID 00777
    [{publicly accessible information system} Designate individuals authorized to make information publicly accessible; AC-22a.]
    Establish Roles Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Establish Roles Preventive
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources Management Preventive
    Assign the role of security management to applicable controls. CC ID 06444 Establish Roles Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources Management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources Management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources Management Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Communicate Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471
    [Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities]. PM-23 Control]
    Establish Roles Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources Management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources Management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources Management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Establish Roles Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources Management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Establish Roles Preventive
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Establish Roles Preventive
    Assign the role of logical access control to applicable controls. CC ID 00772 Establish Roles Preventive
    Assign the role of asset physical security to applicable controls. CC ID 00770 Establish Roles Preventive
    Assign the role of data custodian to applicable controls. CC ID 04789 Establish Roles Preventive
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Establish Roles Preventive
    Assign interested personnel to the Quality Management committee. CC ID 07193 Establish Roles Preventive
    Assign the roles and responsibilities for the Information Technology asset management system. CC ID 14368 Establish/Maintain Documentation Preventive
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Establish Roles Preventive
    Assign the role of fire protection management to applicable controls. CC ID 04891 Establish Roles Preventive
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Establish Roles Preventive
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Establish Roles Preventive
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Establish Roles Preventive
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources Management Preventive
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources Management Preventive
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources Management Preventive
    Establish and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security policy. CC ID 14025
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: PS-1a.1.
    Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and PS-1a.1(b)]
    Establish/Maintain Documentation Preventive
    Review and update the personnel security policy, as necessary. CC ID 14155
    [{personnel security policy} Review and update the current personnel security: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and PS-1c.1.]
    Establish/Maintain Documentation Corrective
    Include compliance requirements in the personnel security policy. CC ID 14154
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the personnel security policy. CC ID 14114
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include management commitment in the personnel security policy. CC ID 14113
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the personnel security policy. CC ID 14112
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the scope in the personnel security policy. CC ID 14111
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the purpose in the personnel security policy. CC ID 14110
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: PS-1a.1.]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personnel security procedures. CC ID 14058
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; PS-1a.2.]
    Establish/Maintain Documentation Preventive
    Review and update the personnel security procedures, as necessary. CC ID 14156
    [{personnel security procedures} Review and update the current personnel security: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. PS-1c.2.]
    Establish/Maintain Documentation Corrective
    Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; PS-1a.2.]
    Communicate Preventive
    Establish and maintain Information Technology staff security clearance level criteria. CC ID 00780
    [Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. PS-3(1) ¶ 1]
    Establish/Maintain Documentation Preventive
    Assign risk designations for all positions. CC ID 14280
    [Assign a risk designation to all organizational positions; PS-2a.]
    Human Resources Management Preventive
    Review and update staff position risk designations, as necessary. CC ID 10629
    [Review and update position risk designations [Assignment: organization-defined frequency]. PS-2c.]
    Human Resources Management Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 Testing Detective
    Establish and maintain personnel screening procedures. CC ID 11700
    [Establish screening criteria for individuals filling those positions; and PS-2b.
    Require that the developer of [Assignment: organization-defined system, system component, or system service]: Satisfies the following additional personnel screening criteria: [Assignment: organization-defined additional personnel screening criteria]. SA-21b.]
    Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763
    [Screen individuals prior to authorizing access to the system; and PS-3a.
    Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening]. PS-3b.
    Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection: Satisfy [Assignment: organization-defined additional personnel screening criteria]. PS-3(3) ¶ 1(b)]
    Human Resources Management Preventive
    Identify and watch individuals that pose a risk to the organization. CC ID 10674
    [Implement the following additional monitoring of individuals during [Assignment: organization-defined probationary period]: [Assignment: organization-defined additional monitoring]. SI-4(21) ¶ 1
    Implement [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk. SI-4(19) ¶ 1]
    Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549
    [Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; PS-5b.
    Align account management processes with personnel termination and transfer processes. AC-2l.]
    Establish/Maintain Documentation Preventive
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources Management Preventive
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources Management Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677
    [Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. PS-5d.
    Use [Assignment: organization-defined automated mechanisms] to [Selection (one or more): notify [Assignment: organization-defined personnel or roles] of individual termination actions; disable access to system resources]. PS-4(2) ¶ 1
    Notify account managers and [Assignment: organization-defined personnel or roles] within: [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; AC-2h.3.
    Notify account managers and [Assignment: organization-defined personnel or roles] within: [Assignment: organization-defined time period] when accounts are no longer required; AC-2h.1.
    Notify account managers and [Assignment: organization-defined personnel or roles] within: [Assignment: organization-defined time period] when users are terminated or transferred; and AC-2h.2.]
    Behavior Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630
    [Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and PS-4(1)(a)
    Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and PS-6(3)(a)]
    Communicate Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources Management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources Management Corrective
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Behavior Preventive
    Conduct exit interviews upon termination of employment. CC ID 14290
    [Upon termination of individual employment: Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics]; PS-4c.]
    Human Resources Management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631
    [{post-employment requirements} Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information. PS-6(3)(b)
    Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process. PS-4(1)(b)]
    Establish/Maintain Documentation Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources Management Detective
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Establish Roles Preventive
    Document and communicate role descriptions to all applicable personnel. CC ID 00776
    [{security roles and responsibilities} Incorporate security and privacy roles and responsibilities into organizational position descriptions. PS-9 Control]
    Establish Roles Detective
    Implement segregation of duties in roles and responsibilities. CC ID 00774
    [Define system access authorizations to support separation of duties. AC-5b.
    Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and AC-5a.]
    Testing Detective
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 Technical Security Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system. PS-3(2) ¶ 1
    Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). SR-11(1) ¶ 1
    Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): AT-2a.
    Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; AC-22b.]
    Behavior Preventive
    Establish and maintain an education methodology. CC ID 06671
    [{security awareness} Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; AT-2b.]
    Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources Management Preventive
    Retrain all personnel, as necessary. CC ID 01362
    [{security training} {privacy training} Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): When required by system changes or following [Assignment: organization-defined events]; AT-2a.2.]
    Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217
    [Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. AT-3(2) ¶ 1
    Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. AT-3(1) ¶ 1
    Provide literacy training on the advanced persistent threat. AT-2(5) ¶ 1
    Provide literacy training on the cyber threat environment; and AT-2(6)(a)
    Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To facilitate ongoing security and privacy education and training for organizational personnel; PM-15a.]
    Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674
    [{security training} Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: AT-3a.
    {security training} Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and AT-3a.1.]
    Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423
    [Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and AT-4a.
    {contingency training} Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency]. CP-8(4)(c)]
    Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752
    [Provide practical exercises in literacy training that simulate events and incidents. AT-2(1) ¶ 1
    {security training} Provide practical exercises in security and privacy training that reinforce training objectives. AT-3(3) ¶ 1
    Provide an incident response training environment using [Assignment: organization-defined automated mechanisms]. IR-2(2) ¶ 1]
    Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672 Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Review the current published guidance and awareness and training programs. CC ID 01245
    [Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and AT-4a.
    Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CP-3b.
    Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. IR-2b.
    Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and AT-3b.]
    Establish/Maintain Documentation Preventive
    Establish and implement training plans. CC ID 00828
    [{security training}{security monitoring} Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and PM-14a.1.
    {information security workforce development and improvement program} Establish a security and privacy workforce development and improvement program. PM-13 Control
    {testing plan}{training plan} Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. PM-14b.]
    Establish/Maintain Documentation Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Training Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Training Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Training Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Training Detective
    Develop or acquire content to update the training plans. CC ID 12867 Training Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Establish/Maintain Documentation Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources Management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Training Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources Management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Training Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Training Preventive
    Conduct Archives and Records Management training. CC ID 00975 Behavior Preventive
    Conduct personal data processing training. CC ID 13757
    [{security awareness} Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; AT-2b.
    Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls. AT-3(5) ¶ 1]
    Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Training Preventive
    Establish and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: AT-1a.1.
    [Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and AT-1a.1(b)]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092
    [[Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091
    [[Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; AT-1a.2.]
    Establish/Maintain Documentation Preventive
    Review and update the security awareness and training procedures, as necessary. CC ID 14140
    [{Security awareness and training procedures} Review and update the current awareness and training: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. AT-1c.2.]
    Establish/Maintain Documentation Corrective
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; AT-1a.2.]
    Communicate Preventive
    Review and update the security awareness and training policy, as necessary. CC ID 14050 Establish/Maintain Documentation Corrective
    Include management commitment in the security awareness and training policy. CC ID 14049
    [[Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048
    [[Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047
    [[Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045
    [[Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800
    [{security training}{privacy training} Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and AT-2a.1.]
    Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate security awareness and the internal control framework to all interested personnel and affected parties. CC ID 00823
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: AT-1a.1.]
    Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [Provide literacy training on recognizing and reporting potential indicators of insider threat. AT-2(2) ¶ 1
    Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [Assignment: organization-defined indicators of malicious code]. AT-2(4) ¶ 1
    Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining. AT-2(3) ¶ 1
    Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and IR-6a.]
    Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Conduct secure coding and development training for developers. CC ID 06822 Behavior Corrective
    Conduct tampering prevention training. CC ID 11875 Training Preventive
    Include the mandate to refrain from installing, replacing, or returning any asset absent verification in the tampering prevention training. CC ID 11877 Training Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Training Preventive
    Include how to report tampering in the tampering prevention training. CC ID 11879 Training Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Training Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Training Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Training Preventive
    Update training plans, as necessary. CC ID 12868
    [Incorporate lessons learned from internal or external security or privacy incidents into role-based training. AT-3c.
    Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and AT-2c.
    Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CP-3b.]
    Training Preventive
    Conduct crime prevention training. CC ID 06350 Behavior Preventive
    Analyze and evaluate training records to improve the training program. CC ID 06380
    [Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel]. AT-6 Control]
    Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a personnel health and safety policy. CC ID 00716 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a travel program for all personnel. CC ID 10597 Human Resources Management Preventive
    Issue devices with secure configurations to individuals traveling to locations deemed to be of risk. CC ID 10598
    [Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and CM-2(7)(a)]
    Configuration Preventive
    Scan devices for malicious code when an individual returns from locations deemed to be of risk. CC ID 10599
    [Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls]. CM-2(7)(b)]
    Process or Activity Detective
    Establish and maintain a Code of Conduct as a part of the Terms and Conditions of employment. CC ID 04897 Establish/Maintain Documentation Preventive
    Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442
    [{information security program} {privacy program} Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and PS-8a.
    When a system or organization processes information for the purpose of conducting a matching program: Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and PT-8d.]
    Behavior Corrective
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632
    [Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. PS-8b.]
    Communicate Preventive
    Establish and maintain an insider threat program. CC ID 10687
    [Implement an insider threat program that includes a cross-discipline insider threat incident handling team. PM-12 Control]
    Human Resources Management Preventive
  • Leadership and high level objectives
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Analyze the business environment in which the organization operates. CC ID 12798
    [Determine the current cyber threat environment on an ongoing basis using [Assignment: organization-defined means]. RA-3(3) ¶ 1]
    Business Processes Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Process or Activity Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Process or Activity Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Process or Activity Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942 Process or Activity Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Process or Activity Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Process or Activity Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Process or Activity Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Process or Activity Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Process or Activity Preventive
    Align assets with business functions and the business environment. CC ID 13681 Business Processes Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector, as necessary. CC ID 13200 Communicate Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Monitor and Evaluate Occurrences Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Monitor and Evaluate Occurrences Preventive
    Document organizational objectives. CC ID 09959 Establish/Maintain Documentation Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783
    [Review and revise the mission and business processes [Assignment: organization-defined frequency]. PM-11c.]
    Establish/Maintain Documentation Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Establish/Maintain Documentation Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Establish/Maintain Documentation Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Establish/Maintain Documentation Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Establish/Maintain Documentation Preventive
    Document and communicate the linkage between organizational objectives, functions, activities and general controls. CC ID 12398
    [{security plan} Document the selected and implemented supply chain processes and controls in [Selection: security and privacy plans; supply chain risk management plan; [Assignment: organization-defined document]]. SR-3c.]
    Establish/Maintain Documentation Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Business Processes Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Process or Activity Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Process or Activity Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Business Processes Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Establish/Maintain Documentation Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786
    [Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy. CM-12(1) ¶ 1]
    Data and Information Management Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785
    [Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels. RA-2(1) ¶ 1]
    Data and Information Management Preventive
    Establish and maintain a data classification scheme. CC ID 11628
    [Attach data tags containing [Assignment: organization-defined permissible processing] to [Assignment: organization-defined elements of personally identifiable information]. PT-2(1) ¶ 1]
    Establish/Maintain Documentation Preventive
    Review and approve the data classification scheme. CC ID 13858 Establish/Maintain Documentation Detective
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599
    [Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation. PM-7 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain sustainable infrastructure planning. CC ID 00603 Establish/Maintain Documentation Preventive
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486
    [Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. PM-8 Control]
    Behavior Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604 Monitor and Evaluate Occurrences Detective
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135
    [Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; SI-5a.]
    Technical Security Detective
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185
    [Reflect current cyber threat information in system operations. AT-2(6)(b)
    Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and SI-5c.]
    Communicate Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Establish/Maintain Documentation Preventive
    Implement the Quality Management program. CC ID 13696 Business Processes Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501
    [Ensure that the facility undergoes [Assignment: organization-defined frequency] fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within [Assignment: organization-defined time period]. PE-13(4) ¶ 1
    Identify, report, and correct system flaws; SI-2a.]
    Business Processes Corrective
    Establish and maintain a Quality Management program. CC ID 07201
    [Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process. SA-15(6) ¶ 1]
    Establish/Maintain Documentation Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Establish/Maintain Documentation Preventive
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Systems Design, Build, and Implementation Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 Establish/Maintain Documentation Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Establish/Maintain Documentation Preventive
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Business Processes Detective
    Include program testing standards in the Quality Management program. CC ID 01017 Establish/Maintain Documentation Preventive
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Business Processes Detective
    Include system testing standards in the Quality Management program. CC ID 01018 Establish/Maintain Documentation Preventive
    Include a bug tracking system in the Quality Management program. CC ID 06824
    [The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. SA-10e.
    The organization requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and SA-11d.]
    Systems Design, Build, and Implementation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285
    [{security plans} Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. PL-8c.
    Define and document organizational oversight and user roles and responsibilities with regard to external system services; and SA-9b.
    Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. SI-5d.]
    Establish/Maintain Documentation Preventive
    Include the effective date on all organizational policies. CC ID 06820
    [Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes. PM-20(1) ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 Establish/Maintain Documentation Preventive
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Establish/Maintain Documentation Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Establish/Maintain Documentation Detective
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Establish/Maintain Documentation Preventive
    Establish and maintain a list of compliance documents. CC ID 07113 Establish/Maintain Documentation Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Establish/Maintain Documentation Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636
    [{applicable requirements} Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and PM-17a.]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Communicate Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Establish/Maintain Documentation Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Establish/Maintain Documentation Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Establish/Maintain Documentation Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Establish/Maintain Documentation Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Establish/Maintain Documentation Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Establish Roles Preventive
    Approve all compliance documents. CC ID 06286 Establish/Maintain Documentation Preventive
    Align the list of compliance documents with external requirements. CC ID 06288 Establish/Maintain Documentation Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284
    [Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and PT-1b.
    Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and SR-1b.
    {planning procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the planning policy and procedures; and PL-1b.
    Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and PS-1b.
    {physical and environmental protection procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and PE-1b.
    {risk assessment procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and RA-1b.
    Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and AC-1b.
    Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and AT-1b.
    Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and AU-1b.
    {Configuration Management procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and CM-1b.
    Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and CA-1b.
    {contingency planning procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and CP-1b.
    {identification and authentication procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and IA-1b.
    {incident response procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and IR-1b.
    {maintenance procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the maintenance policy and procedures; and MA-1b.
    {system and communications protection procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and SC-1b.
    {media protection procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the media protection policy and procedures; and MP-1b.
    {system and information integrity procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and SI-1b.]
    Establish Roles Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Establish/Maintain Documentation Preventive
    Document compliance exceptions, as necessary. CC ID 01630
    [{information security program} Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; PM-3a.
    For systems that process personally identifiable information: Document each processing exception; and SC-7(24) ¶ 1(c)]
    Establish/Maintain Documentation Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631
    [Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; SC-7(4)(d)]
    Establish/Maintain Documentation Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632
    [Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; SC-7(4)(e)]
    Business Processes Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Establish Roles Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Behavior Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283
    [{security plans} {privacy plans} Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles]; PL-2b.]
    Behavior Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Establish Roles Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765 Establish Roles Detective
    Address Information Security during the business planning processes. CC ID 06495
    [Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and PM-11a.]
    Data and Information Management Preventive
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Establish/Maintain Documentation Preventive
    Establish and maintain a strategic plan. CC ID 12784 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a planning policy. CC ID 14673
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: PL-1a.1.
    Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and PL-1a.1(b)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain planning procedures. CC ID 14698
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the planning policy and the associated planning controls; PL-1a.2.]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the planning policy and the associated planning controls; PL-1a.2.]
    Communicate Preventive
    Review and update the planning procedures, as necessary. CC ID 14703
    [{planning procedures} Review and update the current planning: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. PL-1c.2.]
    Establish/Maintain Documentation Preventive
    Review and update the planning policy, as necessary. CC ID 14697
    [{planning policy} Review and update the current planning: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and PL-1c.1.]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: PL-1a.1.]
    Communicate Preventive
    Include compliance requirements in the planning policy. CC ID 14688
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the planning policy. CC ID 14687
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include management commitment in the planning policy. CC ID 14686
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the planning policy. CC ID 14685
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the scope in the planning policy. CC ID 14684
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the purpose in the planning policy. CC ID 14683
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a high-level Strategic Information Technology Plan. CC ID 00628 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279
    [{information security program} Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; PM-3a.
    {information security program} {applicable requirements} Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and PM-3b.]
    Establish/Maintain Documentation Preventive
    Establish and maintain communication protocols. CC ID 12245
    [Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. RA-5(11) ¶ 1]
    Establish/Maintain Documentation Preventive
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 Establish/Maintain Documentation Preventive
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 Process or Activity Detective
    Include external requirements in the organization's communication protocol. CC ID 12418 Establish/Maintain Documentation Preventive
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Communicate Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 Establish/Maintain Documentation Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Communicate Preventive
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Process or Activity Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Communicate Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Communicate Preventive
    Route notifications, as necessary. CC ID 12832 Process or Activity Preventive
    Substantiate notifications, as necessary. CC ID 12831 Process or Activity Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Business Processes Preventive
    Prioritize notifications, as necessary. CC ID 12830 Process or Activity Preventive
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 Actionable Reports or Measurements Preventive
    Disseminate and communicate internal controls with supply chain members, as necessary. CC ID 12416 Communicate Preventive
    Establish and maintain the organization's survey method. CC ID 12869 Process or Activity Preventive
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Process or Activity Preventive
    Establish and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Establish/Maintain Documentation Preventive
    Establish and maintain alert procedures that follow the organization's communication protocol. CC ID 12406
    [Generate internal security alerts, advisories, and directives as deemed necessary; SI-5b.
    Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms]. SI-5(1) ¶ 1]
    Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
  • Monitoring and measurement
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish and maintain Security Control System monitoring and reporting procedures. CC ID 12506
    [Provide and implement an audit record reduction and report generation capability that: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and AU-7a.]
    Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of File Integrity Monitoring in the Security Control System monitoring and reporting procedures. CC ID 12525 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of audit logging in the Security Control System monitoring and reporting procedures. CC ID 12513 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of antivirus software in the Security Control System monitoring and reporting procedures. CC ID 12512 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of a segmentation control in the Security Control System monitoring and reporting procedures. CC ID 12511 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of a physical access control in the Security Control System monitoring and reporting procedures. CC ID 12510 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of a logical access control in the Security Control System monitoring and reporting procedures. CC ID 12509 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of an Intrusion Detection and Prevention System in the Security Control System monitoring and reporting procedures. CC ID 12508 Establish/Maintain Documentation Preventive
    Include detecting and reporting the failure of a firewall in the Security Control System monitoring and reporting procedures. CC ID 12507 Establish/Maintain Documentation Preventive
    Implement Security Control System monitoring and reporting procedures. CC ID 13500
    [Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; PM-31b.
    Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Response actions to address results of the analysis of control assessment and monitoring information; and PM-31e.]
    Monitor and Evaluate Occurrences Detective
    Respond to failures of security controls. CC ID 12516
    [Take the following actions in response to identified faults, errors, or compromises: [Assignment: organization-defined actions]. SC-36(1)(b)
    {security policy} [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy]. AC-4(8)(b)]
    Technical Security Corrective
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637
    [{security training} {security monitoring} Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and PM-14a.1.
    Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and AU-14a.
    Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; CA-7b.
    {testing plan}{training plan} Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. PM-14b.
    Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: PM-31 Control
    Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. AU-14b.]
    Log Management Detective
    Establish, implement, and maintain an audit and accountability policy. CC ID 14035
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: AU-1a.1.
    [Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and AU-1a.1(b)]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the audit and accountability policy. CC ID 14103
    [[Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the audit and accountability policy. CC ID 14102
    [[Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the purpose in the audit and accountability policy. CC ID 14100
    [[Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the audit and accountability policy. CC ID 14098
    [[Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include management commitment in the audit and accountability policy. CC ID 14097
    [[Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the scope in the audit and accountability policy. CC ID 14096
    [[Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: AU-1a.1.]
    Communicate Preventive
    Review and update the audit and accountability policy, as necessary. CC ID 14094
    [{audit and accountability policy} Review and update the current audit and accountability: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and AT-1c.1.
    {audit and accountability policy} Review and update the current audit and accountability: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and AU-1c.1.]
    Establish/Maintain Documentation Corrective
    Establish, implement, and maintain audit and accountability procedures. CC ID 14057
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; AU-1a.2.]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; AU-1a.2.]
    Communicate Preventive
    Review and update the audit and accountability procedures, as necessary. CC ID 14124
    [{audit and accountability procedure} Review and update the current audit and accountability: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. AU-1c.2.]
    Establish/Maintain Documentation Corrective
    Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312
    [Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. AU-12(3) ¶ 1]
    Log Management Preventive
    Review and approve the use of continuous security management systems. CC ID 13181 Process or Activity Preventive
    Protect continuous security management systems from unauthorized use. CC ID 13097 Configuration Preventive
    Establish and maintain intrusion management operations. CC ID 00580
    [Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources]. SI-4(24) ¶ 1]
    Monitor and Evaluate Occurrences Preventive
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581
    [Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms]. PE-6(2) ¶ 1
    Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and SC-5(3)(a)
    Employ automated tools and mechanisms to support near real-time analysis of events. SI-4(2) ¶ 1
    Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms. SI-4(3) ¶ 1
    Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms]. SI-4(23) ¶ 1
    Invoke internal monitoring capabilities or deploy monitoring devices: SI-4c.
    Connect and configure individual intrusion detection tools into a system-wide intrusion detection system. SI-4(1) ¶ 1
    Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices. SI-4(25) ¶ 1]
    Configuration Preventive
    Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035
    [Obtain legal opinion regarding system monitoring activities; and SI-4f.]
    Behavior Preventive
    Do not intercept communications of any kind when providing a service to clients. CC ID 09985 Behavior Preventive
    Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582
    [{security posture} Employ realistic, but misleading information in [Assignment: organization-defined system components] about its security state or posture. SC-30(4) ¶ 1
    Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks. SC-26 Control]
    Technical Security Detective
    Monitor systems for inappropriate usage and other security violations. CC ID 00585
    [Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. PE-6(4) ¶ 1
    Establish and maintain a cyber threat hunting capability to: RA-10a.
    Authorize, monitor, and control the use of such components within the system. SC-43b.
    Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]; and SI-3(8)(a)
    Monitor the system to detect: SI-4a.
    {inbound communications traffic} Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; SI-4(4)(a)
    {inbound communications traffic} Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]. SI-4(4)(b)]
    Monitor and Evaluate Occurrences Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225
    [Establish and maintain a cyber threat hunting capability to: Search for indicators of compromise in organizational systems; and RA-10a.1.
    Monitor the system to detect: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and SI-4a.1.]
    Monitor and Evaluate Occurrences Detective
    Monitor systems for Denial of Service attacks. CC ID 01222
    [Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks]. SC-5(1) ¶ 1
    Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]. SC-5b.
    [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and SC-5a.]
    Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitor and Evaluate Occurrences Preventive
    Address operational anomalies within the problem management system. CC ID 00589 Business Processes Detective
    Address operational anomalies within the incident management system. CC ID 11633 Audits and Risk Management Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitor and Evaluate Occurrences Detective
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Human Resources Management Detective
    Detect unauthorized access to systems. CC ID 06798
    [Monitor the system to detect: Unauthorized local, network, and remote connections; SI-4a.2.
    Monitor the system to detect: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and SI-4a.1.
    Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; SI-4b.
    Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system. SI-4(14) ¶ 1
    Provide an enforcement mechanism to prevent unauthorized access; and AC-3(12)(b)]
    Monitor and Evaluate Occurrences Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitor and Evaluate Occurrences Detective
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Audits and Risk Management Preventive
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430
    [{security implications} Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts]. SI-4(12) ¶ 1
    Notify [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events; and SI-4(7)(a)
    Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. SI-4g.
    Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. SI-4(5) ¶ 1]
    Monitor and Evaluate Occurrences Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized mobile code. CC ID 10034
    [Prevent the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforce [Assignment: organization-defined actions] prior to executing the code. SC-18(4) ¶ 1
    Authorize, monitor, and control the use of mobile code within the system. SC-18b.
    Identify [Assignment: organization-defined unacceptable mobile code] and take [Assignment: organization-defined corrective actions]. SC-18(1) ¶ 1]
    Monitor and Evaluate Occurrences Preventive
    Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 Technical Security Preventive
    Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658
    [Include system components that proactively seek to identify network-based malicious code or malicious websites. SC-35 Control]
    Technical Security Preventive
    Implement detonation chambers, where appropriate. CC ID 10670
    [Employ a detonation chamber capability within [Assignment: organization-defined system, system component, or location]. SC-44 Control]
    Technical Security Preventive
    Assign log management roles and responsibilities. CC ID 06311
    [Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information. AU-6(7) ¶ 1]
    Establish Roles Preventive
    Document and communicate the log locations to the owning entity. CC ID 12047 Log Management Preventive
    Make logs available for review by the owning entity. CC ID 12046 Log Management Preventive
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638
    [Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; AU-2b.
    Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information. AU-12(4) ¶ 1
    Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time. AU-14(3) ¶ 1
    Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. AU-14b.]
    Log Management Detective
    Establish and maintain event logging procedures. CC ID 01335
    [Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. AU-3(1) ¶ 1]
    Log Management Detective
    Document the event information to be logged in the event information log specification. CC ID 00639
    [{type of event} Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; AU-2a.
    Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; AU-2c.
    Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements]. AU-3(3) ¶ 1]
    Configuration Preventive
    Enable logging for all systems that meet the traceability criteria. CC ID 00640
    [Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]. SI-7(8) ¶ 1]
    Log Management Detective
    Enable and configure logging on all network access controls. CC ID 01963 Configuration Preventive
    Analyze firewall logs for the correct capturing of data. CC ID 00549 Log Management Detective
    Synchronize system clocks to an accurate and universal time source on all devices that have logging enabled. CC ID 01340
    [Use internal system clocks to generate time stamps for audit records; and AU-8a.
    Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable. SC-45(2)(b)
    Synchronize the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. SC-45(1)(b)
    Synchronize system clocks within and between systems and system components. SC-45 Control
    Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and SC-45(2)(a)]
    Configuration Preventive
    Centralize network time servers to as few as practical. CC ID 06308 Configuration Preventive
    Disseminate and communicate information to customers about clock synchronization methods used by the organization, as necessary. CC ID 13044 Communicate Preventive
    Define the frequency to capture and log events. CC ID 06313 Log Management Preventive
    Include logging frequencies in the event logging procedures. CC ID 00642 Log Management Preventive
    Review and update the list of auditable events in the event logging procedures. CC ID 10097
    [Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and AU-12b.
    Review and update the event types selected for logging [Assignment: organization-defined frequency]. AU-2e.]
    Establish/Maintain Documentation Preventive
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [{employs} Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. AU-6(1) ¶ 1
    Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and AU-2d.
    Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. AU-6(5) ¶ 1
    Provide and implement an audit record reduction and report generation capability that: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and AU-7a.
    {audit record analysis} {audit record reporting} Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. AU-6c.
    Correlate information from monitoring tools and mechanisms employed throughout the system. SI-4(16) ¶ 1
    {traffic patterns} Develop profiles representing common traffic and event patterns; and SI-4(13)(b)]
    Log Management Preventive
    Protect the event logs from failure. CC ID 06290
    [Take the following additional actions: [Assignment: organization-defined additional action]. AU-5b.
    Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality]. AU-5(5) ¶ 1]
    Log Management Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Data and Information Management Preventive
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427
    [Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. AU-7(1) ¶ 1
    Provide and implement an audit record reduction and report generation capability that: Does not alter the original content or time ordering of audit records. AU-7b.
    Provide and implement an audit record reduction and report generation capability that: AU-7 Control
    Provide and implement an audit record reduction and report generation capability that: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and AU-7a.]
    Testing Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Establish/Maintain Documentation Corrective
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424
    [Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. AU-6(4) ¶ 1
    Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. AU-6(3) ¶ 1
    Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness. AU-6(9) ¶ 1
    Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. AU-12(1) ¶ 1
    Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. AU-6(6) ¶ 1
    Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. AU-12(2) ¶ 1
    {physical activity} {information technology activity} Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. SI-4(17) ¶ 1]
    Audits and Risk Management Preventive
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period]. RA-5(8) ¶ 1
    Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; AU-6a.
    Provide and implement an audit record reduction and report generation capability that: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and AU-7a.
    Analyze communications traffic and event patterns for the system; SI-4(13)(a)
    Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system]. SI-4(18) ¶ 1]
    Log Management Detective
    Eliminate false positives in event logs and audit logs. CC ID 07047
    [Use the traffic and event profiles in tuning system-monitoring devices. SI-4(13)(c)]
    Log Management Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207
    [Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; CA-2d.]
    Log Management Detective
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Technical Security Detective
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925
    [Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; AU-6a.]
    Investigate Corrective
    Reproduce the event log if a log failure is captured. CC ID 01426 Log Management Preventive
    Monitor and evaluate system performance. CC ID 00651
    [{performance testing} Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment [Assignment: organization-defined other forms of assessment]]. CA-2(2) ¶ 1]
    Monitor and Evaluate Occurrences Detective
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Communicate Preventive
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Communicate Preventive
    Monitor for and react to when suspicious activities are detected. CC ID 00586 Monitor and Evaluate Occurrences Detective
    Erase payment applications when suspicious activity is confirmed. CC ID 12193 Technical Security Corrective
    Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 Establish/Maintain Documentation Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 Monitor and Evaluate Occurrences Corrective
    Monitor and evaluate the effectiveness of detection tools. CC ID 13505 Investigate Detective
    Monitor and review retail payment activities, as necessary. CC ID 13541 Monitor and Evaluate Occurrences Detective
    Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 Investigate Detective
    Review retail payment service reports, as necessary. CC ID 13545 Investigate Detective
    Assess customer satisfaction. CC ID 00652 Testing Detective
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757
    [Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: PM-31 Control]
    Establish/Maintain Documentation Detective
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250
    [Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Correlation and analysis of information generated by control assessments and monitoring; CA-7e.
    Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Correlation and analysis of information generated by control assessments and monitoring; PM-31d.]
    Process or Activity Detective
    Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 Monitor and Evaluate Occurrences Detective
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886
    [Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses]. CM-3(5) ¶ 1]
    Monitor and Evaluate Occurrences Detective
    Monitor for firmware updates absent authorization. CC ID 10675 Monitor and Evaluate Occurrences Detective
    Implement file integrity monitoring. CC ID 01205
    [Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components. SA-10(1) ¶ 1
    Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and SI-7a.
    Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. SI-7(1) ¶ 1
    Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system]. SI-7(7) ¶ 1
    Analyze detected events and anomalies; SI-4d.
    Employ centrally managed integrity verification tools. SI-7(3) ¶ 1]
    Monitor and Evaluate Occurrences Detective
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Technical Security Detective
    Monitor for software configuration updates absent authorization. CC ID 10676 Monitor and Evaluate Occurrences Preventive
    Allow expected changes during file integrity monitoring. CC ID 12090 Technical Security Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitor and Evaluate Occurrences Preventive
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Establish/Maintain Documentation Preventive
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045
    [{when unauthorized commands are detected} [Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]. SI-3(8)(b)
    Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. AU-9b.]
    Process or Activity Preventive
    Monitor and evaluate user account activity. CC ID 07066
    [Monitor system accounts for [Assignment: organization-defined atypical usage]; and AC-2(12)(a)]
    Monitor and Evaluate Occurrences Detective
    Develop and maintain a usage profile for each user account. CC ID 07067 Technical Security Preventive
    Log account usage to determine dormant accounts. CC ID 12118 Log Management Detective
    Log account usage times. CC ID 07099 Log Management Detective
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitor and Evaluate Occurrences Detective
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitor and Evaluate Occurrences Detective
    Log account usage durations. CC ID 12117 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Communicate Detective
    Log Internet Protocol addresses used during logon. CC ID 07100 Log Management Detective
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitor and Evaluate Occurrences Detective
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243
    [Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles]. AC-2(12)(b)]
    Communicate Detective
    Establish and maintain a risk monitoring program. CC ID 00658
    [Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: CA-7 Control
    Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: CA-7(4) ¶ 1
    Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: Effectiveness monitoring; CA-7(4) ¶ 1(a)
    {performance testing} Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment [Assignment: organization-defined other forms of assessment]]. CA-2(2) ¶ 1
    Identify and document: Constraints affecting risk assessments, risk responses, and risk monitoring; PM-28a.2.
    Identify and document: Assumptions affecting risk assessments, risk responses, and risk monitoring; PM-28a.1.]
    Establish/Maintain Documentation Preventive
    Monitor the organization's exposure to threats, as necessary. CC ID 06494
    [Establish and maintain a cyber threat hunting capability to: Detect, track, and disrupt threats that evade existing controls; and RA-10a.2.
    Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. PM-16 Control]
    Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitor and Evaluate Occurrences Detective
    Implement a fraud detection system. CC ID 13081 Business Processes Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Monitor for new vulnerabilities. CC ID 06843
    [Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; RA-5a.]
    Monitor and Evaluate Occurrences Preventive
    Establish and maintain an overall compliance testing strategy. CC ID 00659 Establish/Maintain Documentation Preventive
    Establish and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Testing Preventive
    Test compliance controls for proper functionality. CC ID 00660
    [Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and MA-2e.
    {security verification test} Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; SI-6b.
    {security functions} Verify the correct operation of [Assignment: organization-defined security and privacy functions]; SI-6a.]
    Testing Detective
    Establish, implement, and maintain a system security plan. CC ID 01922
    [{security plans} Develop security and privacy plans for the system that: PL-2a.
    {performance testing} Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment [Assignment: organization-defined other forms of assessment]]. CA-2(2) ¶ 1]
    Testing Preventive
    Include a description of the operational context in the system security plan. CC ID 14301
    [{security plans} Develop security and privacy plans for the system that: Describe the operational context of the system in terms of mission and business processes; PL-2a.3.]
    Establish/Maintain Documentation Preventive
    Review and update the system security plan, as necessary. CC ID 14287
    [{security plans} {privacy plans} Review the plans [Assignment: organization-defined frequency]; PL-2c.
    {security plans} {privacy plans} Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and PL-2d.]
    Establish/Maintain Documentation Corrective
    Include the results of the security categorization in the system security plan. CC ID 14281
    [Document the security categorization results, including supporting rationale, in the security plan for the system; and RA-2b.]
    Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696
    [{security plans} Develop security and privacy plans for the system that: Identify the information types processed, stored, and transmitted by the system; PL-2a.5]
    Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274
    [{security plans} {security requirements} Develop security and privacy plans for the system that: Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; PL-2a.12.
    {security plans} {security requirements} Develop security and privacy plans for the system that: Provide an overview of the security and privacy requirements for the system; PL-2a.10.
    {security plans} {security-related activities} Develop security and privacy plans for the system that: Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and PL-2a.14.]
    Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693
    [{security plans} Develop security and privacy plans for the system that: Describe any specific threats to the system that are of concern to the organization; PL-2a.7.]
    Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273
    [{security plans} Develop security and privacy plans for the system that: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; PL-2a.9.
    {security plans} Develop security and privacy plans for the system that: Explicitly define the constituent system components; PL-2a.2.]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682
    [{security plans} Develop security and privacy plans for the system that: Identify the individuals that fulfill system roles and responsibilities; PL-2a.4.]
    Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676
    [{security plans} Develop security and privacy plans for the system that: Provide the results of a privacy risk assessment for systems processing personally identifiable information; PL-2a.8.
    {security assessment} Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Develop and implement a plan for ongoing security and privacy assessments; SA-11a.]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275
    [{security plans} {privacy plans} Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles]; PL-2b.]
    Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272
    [{security plans} Develop security and privacy plans for the system that: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; PL-2a.9.]
    Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270
    [{security plans} Develop security and privacy plans for the system that: Provide the security categorization of the system, including supporting rationale; PL-2a.6.]
    Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255
    [{security plans} Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. PL-8c.
    {security plans} Develop security and privacy plans for the system that: Are consistent with the organization's enterprise architecture; PL-2a.1.
    {security plans} {security architecture} Develop security and privacy plans for the system that: Include risk determinations for security and privacy architecture and design decisions; PL-2a.13.]
    Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239
    [{security plans} Develop security and privacy plans for the system that: Identify any relevant control baselines or overlays, if applicable; PL-2a.11.]
    Establish/Maintain Documentation Preventive
    Create specific test plans to test each system component. CC ID 00661
    [Develop a control assessment plan that describes the scope of the assessment including: CA-2b.
    Develop a control assessment plan that describes the scope of the assessment including: Controls and control enhancements under assessment; CA-2b.1.
    Test malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing known benign code into the system; and SI-3(6)(a)]
    Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299
    [Develop a control assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2b.3.]
    Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297
    [Select the appropriate assessor or assessment team for the type of assessment to be conducted; CA-2a.
    Employ independent assessors or assessment teams to conduct control assessments. CA-2(1) ¶ 1
    Develop a control assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2b.3.]
    Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293
    [Develop a control assessment plan that describes the scope of the assessment including: CA-2b.]
    Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271
    [Develop a control assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2b.3.]
    Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241
    [{security plans} Develop security and privacy plans for the system that: Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. PL-2a.15.]
    Business Processes Preventive
    Adhere to the system security plan. CC ID 11640 Testing Detective
    Review the test plans for each system component. CC ID 00662
    [Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; CA-2c.]
    Establish/Maintain Documentation Preventive
    Validate all testing assumptions in the test plans. CC ID 00663 Testing Detective
    Document validated testing processes in the testing procedures. CC ID 06200 Establish/Maintain Documentation Preventive
    Require testing procedures to be complete. CC ID 00664 Testing Detective
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Establish/Maintain Documentation Preventive
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Testing Preventive
    Implement automated audit tools. CC ID 04882 Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve test plans. CC ID 13071 Human Resources Management Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Testing Detective
    Monitor devices continuously for conformance with production specifications. CC ID 06201
    [{security compliance checks} Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection. CA-9(1) ¶ 1]
    Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a testing program. CC ID 00654
    [{security training} {security monitoring} Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and PM-14a.1.
    {performance testing} Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment [Assignment: organization-defined other forms of assessment]]. CA-2(2) ¶ 1
    {testing plan}{training plan} Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. PM-14b.
    {security function} Implement automated mechanisms to support the management of distributed security and privacy function testing. SI-6(2) ¶ 1]
    Behavior Preventive
    Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: CA-1a.1.
    Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and CA-1a.1(b)]
    Establish/Maintain Documentation Preventive
    Review and update the security assessment and authorization policy. CC ID 14226
    [{assessment, authorization, and monitoring policy} Review and update the current assessment, authorization, and monitoring: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and CA-1c.1.]
    Establish/Maintain Documentation Corrective
    Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222
    [[Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the scope in the security assessment and authorization policy. CC ID 14220
    [[Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the purpose in the security assessment and authorization policy. CC ID 14219
    [[Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: CA-1a.1.]
    Communicate Preventive
    Include management commitment in the security assessment and authorization policy. CC ID 14189
    [[Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the security assessment and authorization policy. CC ID 14183
    [[Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179
    [[Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; CA-1a.2.]
    Establish/Maintain Documentation Preventive
    Review and update the security assessment and authorization procedures, as necessary. CC ID 14228
    [{assessment, authorization, and monitoring procedures} Review and update the current assessment, authorization, and monitoring: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CA-1c.2.
    {security authorization} Integrate the authorization processes into an organization-wide risk management program. PM-10c.]
    Establish/Maintain Documentation Corrective
    Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; CA-1a.2.]
    Communicate Preventive
    Employ third parties to carry out testing programs, as necessary. CC ID 13178 Human Resources Management Preventive
    Define the test requirements for each testing program. CC ID 13177 Establish/Maintain Documentation Preventive
    Include mechanisms for emergency stops in the testing program. CC ID 14398 Establish/Maintain Documentation Preventive
    Define the test frequency for each testing program. CC ID 13176 Establish/Maintain Documentation Preventive
    Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 Communicate Preventive
    Establish and maintain a business line testing strategy. CC ID 13245 Establish/Maintain Documentation Preventive
    Include data recovery in the business continuity testing strategy. CC ID 13262 Establish/Maintain Documentation Preventive
    Include testing critical applications in the business continuity testing strategy. CC ID 13261 Establish/Maintain Documentation Preventive
    Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 Testing Detective
    Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 Establish/Maintain Documentation Preventive
    Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 Establish/Maintain Documentation Preventive
    Include facilities in the business line testing strategy. CC ID 13253 Establish/Maintain Documentation Preventive
    Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 Establish/Maintain Documentation Preventive
    Include electrical systems in the business line testing strategy. CC ID 13251 Establish/Maintain Documentation Preventive
    Include mechanical systems in the business line testing strategy. CC ID 13250 Establish/Maintain Documentation Preventive
    Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 Establish/Maintain Documentation Preventive
    Include emergency power supplies in the business line testing strategy. CC ID 13247 Establish/Maintain Documentation Preventive
    Include environmental controls in the business line testing strategy. CC ID 13246 Establish/Maintain Documentation Preventive
    Implement and comply with the testing program. CC ID 11870
    [Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Ongoing control assessments in accordance with the continuous monitoring strategy; CA-7c.
    Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle]. RA-9 Control]
    Testing Detective
    Conduct Red Team exercises, as necessary. CC ID 12131
    [Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises]. CA-8(2) ¶ 1]
    Technical Security Detective
    Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 Establish/Maintain Documentation Preventive
    Test security systems and associated security procedures, as necessary. CC ID 11901
    [Test intrusion-monitoring tools and mechanisms [Assignment: organization-defined frequency]. SI-4(9) ¶ 1
    {malicious code} Verify that the detection of the code and the associated incident reporting occur. SI-3(6)(b)]
    Technical Security Detective
    Test in scope systems for segregation of duties, as necessary. CC ID 13906 Testing Detective
    Scan organizational networks for rogue devices. CC ID 00536
    [{unauthorized software}{unauthorized firmware} Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and CM-8(3)(a)
    {not approved} Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and SI-4(22)(a)
    {unauthorized network access} [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected. SI-4(22)(b)]
    Testing Detective
    Scan the network for wireless access points. CC ID 00370 Testing Detective
    Document the business need justification for authorized wireless access points. CC ID 12044 Establish/Maintain Documentation Preventive
    Scan wireless networks for rogue devices. CC ID 11623
    [Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters. SC-40(3) ¶ 1]
    Technical Security Detective
    Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 Testing Detective
    Implement incident response procedures when rogue devices are discovered. CC ID 11880
    [Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; IR-4a.]
    Technical Security Corrective
    Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428
    [Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]]. CM-8(3)(b)
    {unauthorized network access} [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected. SI-4(22)(b)]
    Monitor and Evaluate Occurrences Corrective
    Deny network access to rogue devices until network access approval has been received. CC ID 11852
    [Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated. CA-3(7)(b)
    Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters. SC-40(3) ¶ 1
    Prohibit the use or connection of unauthorized hardware components; CM-7(9)(b)]
    Configuration Preventive
    Isolate rogue devices after a rogue device has been detected. CC ID 07061
    [Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]]. CM-8(3)(b)]
    Configuration Corrective
    Establish and maintain a port scan baseline for all in scope systems. CC ID 12134 Technical Security Detective
    Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a penetration test program. CC ID 01105 Behavior Preventive
    Align the penetration test program with industry standards. CC ID 12469
    [Require the developer of the system, system component, or system service to perform penetration testing: Under the following constraints: [Assignment: organization-defined constraints]. SA-11(5) ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Assign penetration testing to a qualified internal resource or external third party. CC ID 06429
    [{penetration agent} {penetration team} Employ an independent penetration testing agent or team to perform penetration testing on the system or system components. CA-8(1) ¶ 1]
    Establish Roles Preventive
    Establish and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 Testing Preventive
    Retain penetration test results according to internal policy. CC ID 10049 Records Management Preventive
    Retain penetration test remediation action records according to internal policy. CC ID 11629 Records Management Preventive
    Use dedicated user accounts when conducting penetration testing. CC ID 13728 Testing Detective
    Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 Testing Corrective
    Perform penetration tests, as necessary. CC ID 00655
    [{independent review}{penetration testing} Employ [Selection (one or more): organizational analysis, independent third-party analysis, organizational testing, independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organization-defined supply chain elements, processes, and actors]. SR-6(1) ¶ 1
    Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components]. CA-8 Control
    Require the developer of the system, system component, or system service to perform penetration testing: At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and SA-11(5) ¶ 1(a)]
    Testing Detective
    Perform internal penetration tests, as necessary. CC ID 12471 Technical Security Detective
    Perform external penetration tests, as necessary. CC ID 12470
    [Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Selection: announced; unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility. CA-8(3) ¶ 1]
    Technical Security Detective
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Testing Detective
    Test the system for broken access controls. CC ID 01319 Testing Detective
    Test the system for broken authentication and session management. CC ID 01320 Testing Detective
    Test the system for insecure communications. CC ID 00535 Testing Detective
    Test the system for cross-site scripting attacks. CC ID 01321 Testing Detective
    Test the system for buffer overflows. CC ID 01322 Testing Detective
    Test the system for injection flaws. CC ID 01323 Testing Detective
    Test the system for Denial of Service. CC ID 01326 Testing Detective
    Test the system for insecure configuration management. CC ID 01327 Testing Detective
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Testing Detective
    Test the system for cross-site request forgery. CC ID 06296 Testing Detective
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Technical Security Detective
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Technical Security Detective
    Verify segmentation controls are operational and effective. CC ID 12545 Audits and Risk Management Detective
    Correct vulnerabilities and repeat penetration testing. CC ID 06860 Testing Detective
    Test the system for covert channels. CC ID 10652
    [{covert channel} Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and SC-31a.]
    Testing Detective
    Estimate the maximum bandwidth of any covert channels. CC ID 10653
    [{covert channel} Estimate the maximum bandwidth of those channels. SC-31b.
    Measure the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the system. SC-31(3) ¶ 1]
    Technical Security Detective
    Reduce the maximum bandwidth of covert channels. CC ID 10655
    [{covert channel} Reduce the maximum bandwidth for identified covert [Selection (one or more): storage; timing] channels to [Assignment: organization-defined values]. SC-31(2) ¶ 1]
    Technical Security Corrective
    Test systems to determine which covert channels might be exploited. CC ID 10654
    [{exploitable channel} Test a subset of the identified covert channels to determine the channels that are exploitable. SC-31(1) ¶ 1]
    Testing Detective
    Establish and maintain a vulnerability assessment program. CC ID 11636
    [Define the breadth and depth of vulnerability scanning coverage. RA-5(3) ¶ 1
    Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Formatting checklists and test procedures; and RA-5b.2.
    Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; RA-5b.1.
    Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Measuring vulnerability impact; RA-5b.3.]
    Establish/Maintain Documentation Preventive
    Perform vulnerability scans, as necessary. CC ID 11637
    [Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; RA-5a.
    {performance testing} Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment [Assignment: organization-defined other forms of assessment]]. CA-2(2) ¶ 1
    Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to: Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; SA-15(7) ¶ 1(a)]
    Technical Security Detective
    Repeat vulnerability scanning, as necessary. CC ID 11646 Testing Detective
    Identify and document security vulnerabilities. CC ID 11857
    [Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]. RA-5(4) ¶ 1]
    Technical Security Detective
    Rank discovered vulnerabilities. CC ID 11940
    [Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to: Determine the exploitation potential for discovered vulnerabilities; SA-15(7) ¶ 1(b)]
    Investigate Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098
    [Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignment: organization-defined vulnerability scanning activities]. RA-5(5) ¶ 1]
    Technical Security Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638
    [Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis. CA-7(1) ¶ 1
    Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information. SA-11(3)(b)]
    Technical Security Detective
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Establish/Maintain Documentation Preventive
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Records Management Preventive
    Correlate vulnerability scan reports from the various systems. CC ID 10636
    [Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors. RA-5(10) ¶ 1]
    Technical Security Detective
    Perform internal vulnerability scans on the organization's systems. CC ID 00656 Testing Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Technical Security Detective
    Implement scanning tools, as necessary. CC ID 14282
    [Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: RA-5b.]
    Technical Security Detective
    Update the vulnerability scanners' vulnerability list. CC ID 10634
    [Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]. RA-5(2) ¶ 1
    Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. RA-5f.]
    Configuration Corrective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Technical Security Detective
    Perform external vulnerability scans on the organization's systems. CC ID 11624 Technical Security Detective
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Business Processes Preventive
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Testing Preventive
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635
    [Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms]. RA-5(6) ¶ 1
    {vulnerability scan results} Analyze vulnerability scan reports and results from vulnerability monitoring; RA-5c.]
    Technical Security Detective
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748
    [Employ automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification. SI-7(2) ¶ 1
    {security verification test} Alert [Assignment: organization-defined personnel or roles] to failed security and privacy verification tests; and SI-6c.]
    Behavior Corrective
    Perform vulnerability assessments, as necessary. CC ID 11828
    [{performance testing} Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment [Assignment: organization-defined other forms of assessment]]. CA-2(2) ¶ 1]
    Technical Security Corrective
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Technical Security Detective
    Test the system for unvalidated input. CC ID 01318 Testing Detective
    Test the system for proper error handling. CC ID 01324 Testing Detective
    Test the system for insecure data storage. CC ID 01325
    [Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified. SI-19(8) ¶ 1]
    Testing Detective
    Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 Testing Detective
    Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 Technical Security Preventive
    Test the system for insecure cryptographic storage. CC ID 11635 Technical Security Detective
    Perform self-tests on cryptographic modules within the system. CC ID 06537 Testing Detective
    Perform power-up tests on cryptographic modules within the system. CC ID 06538 Testing Detective
    Perform conditional tests on cryptographic modules within the system. CC ID 06539 Testing Detective
    Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 Configuration Detective
    Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639
    [Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to: Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. SA-15(7) ¶ 1(d)]
    Technical Security Corrective
    Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 Configuration Corrective
    Recommend mitigation techniques based on penetration test results. CC ID 04881 Establish/Maintain Documentation Corrective
    Correct or mitigate vulnerabilities. CC ID 12497
    [Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; RA-5d.
    Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]. RA-5(4) ¶ 1
    Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Correct flaws identified during testing and evaluation. SA-11e.]
    Technical Security Corrective
    Establish and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 Technical Security Corrective
    Monitor the usage and capacity of critical Information Technology assets. CC ID 00668 Monitor and Evaluate Occurrences Detective
    Monitor all outbound traffic from all systems. CC ID 12970
    [Analyze outbound communications traffic at the external interfaces to the system and selected [Assignment: organization-defined interior points within the system] to discover anomalies. SI-4(11) ¶ 1]
    Monitor and Evaluate Occurrences Preventive
    Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773
    [Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. AU-5(1) ¶ 1]
    Behavior Detective
    Monitor systems for errors and faults. CC ID 04544
    [Identify, report, and correct system flaws; SI-2a.
    Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]; and SC-36(1)(a)]
    Monitor and Evaluate Occurrences Detective
    Report errors and faults to the appropriate personnel, as necessary. CC ID 14296
    [Identify, report, and correct system flaws; SI-2a.]
    Communicate Corrective
    Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667
    [Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data. CA-7(3) ¶ 1
    Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]. SI-2(3)(b)]
    Monitor and Evaluate Occurrences Detective
    Establish and maintain a compliance monitoring policy. CC ID 00671
    [Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions]. CA-7(5) ¶ 1
    Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: Compliance monitoring; and CA-7(4) ¶ 1(b)
    Develop, monitor, and report on the results of information security and privacy measures of performance. PM-6 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Establish and maintain risk management metrics. CC ID 01656 Establish/Maintain Documentation Preventive
    Report on the percentage of key Information Technology assets for which an assurance strategy is implemented. CC ID 01657 Actionable Reports or Measurements Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Actionable Reports or Measurements Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Actionable Reports or Measurements Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Actionable Reports or Measurements Detective
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Business Processes Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Audits and Risk Management Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [Monitor policy compliance [Assignment: organization-defined frequency]. CM-11c.
    Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms]. CM-11(3) ¶ 1]
    Monitor and Evaluate Occurrences Detective
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. SI-5d.]
    Establish/Maintain Documentation Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Business Processes Detective
    Determine the causes of compliance violations. CC ID 12401 Investigate Corrective
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Establish/Maintain Documentation Preventive
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Investigate Detective
    Correct compliance violations. CC ID 13515 Process or Activity Corrective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Investigate Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Human Resources Management Preventive
    Establish and maintain compliance program metrics. CC ID 11625 Monitor and Evaluate Occurrences Preventive
    Establish and maintain a security program metrics program. CC ID 01660 Establish/Maintain Documentation Preventive
    Report on the policies and controls that have been implemented by management. CC ID 01670 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Establish/Maintain Documentation Preventive
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Actionable Reports or Measurements Detective
    Establish and maintain a key stakeholder metrics program. CC ID 01661 Establish/Maintain Documentation Preventive
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Actionable Reports or Measurements Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Establish/Maintain Documentation Preventive
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Actionable Reports or Measurements Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Actionable Reports or Measurements Preventive
    Establish and maintain a Business Continuity metrics program. CC ID 01663
    [Develop a contingency plan for the system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2.]
    Establish/Maintain Documentation Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Actionable Reports or Measurements Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Actionable Reports or Measurements Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Actionable Reports or Measurements Detective
    Establish and maintain an audit metrics program. CC ID 01664 Establish/Maintain Documentation Preventive
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Actionable Reports or Measurements Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Actionable Reports or Measurements Detective
    Report on the percentage of audit findings that have been resolved. CC ID 01678 Actionable Reports or Measurements Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Actionable Reports or Measurements Detective
    Establish and maintain an Information Security metrics program. CC ID 01665 Establish/Maintain Documentation Preventive
    Establish and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish and maintain a metrics standard and template. CC ID 02157
    [Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; CA-7a.
    Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; PM-31a.]
    Establish/Maintain Documentation Preventive
    Monitor compliance with the Quality Control system. CC ID 01023 Actionable Reports or Measurements Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Actionable Reports or Measurements Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 Establish/Maintain Documentation Preventive
    Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 Actionable Reports or Measurements Detective
    Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 Actionable Reports or Measurements Detective
    Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 Establish/Maintain Documentation Preventive
    Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 Actionable Reports or Measurements Detective
    Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 Actionable Reports or Measurements Detective
    Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who have access to security software, are trained, and are authorized Security Administrators. CC ID 01691 Actionable Reports or Measurements Detective
    Report on the percentage of individuals who are able to assign security privileges, are trained, and are authorized Security Administrators. CC ID 01692 Actionable Reports or Measurements Detective
    Establish and maintain a role-based information access metrics program. CC ID 01668 Establish/Maintain Documentation Preventive
    Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 Actionable Reports or Measurements Detective
    Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 Actionable Reports or Measurements Detective
    Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 Actionable Reports or Measurements Detective
    Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 Actionable Reports or Measurements Detective
    Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 Establish/Maintain Documentation Preventive
    Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 Actionable Reports or Measurements Detective
    Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 Actionable Reports or Measurements Detective
    Report on the percentage of systems with approved System Security Plans. CC ID 02145 Actionable Reports or Measurements Detective
    Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 Establish/Maintain Documentation Preventive
    Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 Actionable Reports or Measurements Detective
    Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 Actionable Reports or Measurements Detective
    Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 Business Processes Preventive
    Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 Actionable Reports or Measurements Detective
    Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 Actionable Reports or Measurements Detective
    Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 Business Processes Preventive
    Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 Actionable Reports or Measurements Detective
    Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 Actionable Reports or Measurements Detective
    Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 Actionable Reports or Measurements Detective
    Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 Actionable Reports or Measurements Detective
    Establish and maintain a physical environment metrics program. CC ID 02063 Business Processes Preventive
    Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 Actionable Reports or Measurements Detective
    Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 Actionable Reports or Measurements Detective
    Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 Actionable Reports or Measurements Detective
    Report on the percentage of servers located in controlled access areas. CC ID 02067 Actionable Reports or Measurements Detective
    Establish and maintain a reporting methodology program. CC ID 02072 Business Processes Preventive
    Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 Business Processes Preventive
    Report on the percentage of unique active user identifiers. CC ID 02074 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that perform password policy verification. CC ID 02086 Actionable Reports or Measurements Detective
    Report on the percentage of active user passwords that are set to expire. CC ID 02087 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user account management metrics program. CC ID 02075 Business Processes Preventive
    Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 Actionable Reports or Measurements Detective
    Report on the percentage of systems with account lockout thresholds set. CC ID 02091 Actionable Reports or Measurements Detective
    Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 Actionable Reports or Measurements Detective
    Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 Actionable Reports or Measurements Detective
    Report on the percentage of users with access to shared accounts. CC ID 04573 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 Actionable Reports or Measurements Preventive
    Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 Actionable Reports or Measurements Detective
    Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 Actionable Reports or Measurements Detective
    Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 Actionable Reports or Measurements Detective
    Establish and maintain a Configuration Management metrics program. CC ID 02077 Business Processes Preventive
    Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 Actionable Reports or Measurements Detective
    Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 Actionable Reports or Measurements Detective
    Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 Actionable Reports or Measurements Detective
    Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 Actionable Reports or Measurements Detective
    Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 Actionable Reports or Measurements Detective
    Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 Actionable Reports or Measurements Detective
    Establish and maintain a Security Information and Event Management metrics program. CC ID 02078 Log Management Preventive
    Report on the percentage of systems for which event logging has been implemented. CC ID 02102 Log Management Detective
    Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 Log Management Detective
    Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 Log Management Detective
    Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 Actionable Reports or Measurements Detective
    Establish and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 Business Processes Preventive
    Report on the percentage of laptops and mobile devices that are required to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 Actionable Reports or Measurements Detective
    Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 Actionable Reports or Measurements Detective
    Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 Actionable Reports or Measurements Detective
    Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 Actionable Reports or Measurements Detective
    Establish and maintain a malicious code protection management metrics program. CC ID 02080 Business Processes Preventive
    Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 Actionable Reports or Measurements Detective
    Report on the percentage of servers that employ automated system security tools. CC ID 02111 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a software change management metrics program. CC ID 02081 Business Processes Preventive
    Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 Actionable Reports or Measurements Detective
    Report on the percentage of systems with all approved patches installed. CC ID 02113 Actionable Reports or Measurements Detective
    Report on the mean time from patch availability to patch installation. CC ID 02114 Actionable Reports or Measurements Detective
    Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 Actionable Reports or Measurements Detective
    Establish and maintain a network management and firewall management metrics program. CC ID 02082 Business Processes Preventive
    Establish and maintain a network activity baseline. CC ID 13188 Technical Security Detective
    Report on the percentage of systems configured according to the configuration standard. CC ID 02116 Actionable Reports or Measurements Detective
    Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 Business Processes Preventive
    Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 Actionable Reports or Measurements Detective
    Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 Actionable Reports or Measurements Detective
    Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 Actionable Reports or Measurements Detective
    Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 Actionable Reports or Measurements Detective
    Establish and maintain a backup management and recovery management metrics program. CC ID 02084 Business Processes Preventive
    Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 Actionable Reports or Measurements Detective
    Report on the percentage of backup media stored off site in secure storage. CC ID 02122 Actionable Reports or Measurements Detective
    Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 Actionable Reports or Measurements Detective
    Establish and maintain an incident management and vulnerability management metrics program. CC ID 02085
    [Develop an incident response plan that: Provides metrics for measuring the incident response capability within the organization; IR-8a.6.
    Use qualitative and quantitative data from testing to: Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format. IR-3(3) ¶ 1(c)]
    Business Processes Preventive
    Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 Actionable Reports or Measurements Detective
    Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 Actionable Reports or Measurements Detective
    Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 Actionable Reports or Measurements Detective
    Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 Actionable Reports or Measurements Detective
    Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 Actionable Reports or Measurements Detective
    Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140
    [Measure the time between flaw identification and flaw remediation; and SI-2(3)(a)]
    Actionable Reports or Measurements Detective
    Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 Actionable Reports or Measurements Detective
    Establish and maintain an Electronic Health Records measurement metrics program. CC ID 06221 Establish/Maintain Documentation Preventive
    Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 Actionable Reports or Measurements Preventive
    Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 Actionable Reports or Measurements Preventive
    Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 Actionable Reports or Measurements Preventive
    Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 Actionable Reports or Measurements Preventive
    Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 Actionable Reports or Measurements Preventive
    Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 Actionable Reports or Measurements Preventive
    Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 Actionable Reports or Measurements Preventive
    Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 Actionable Reports or Measurements Preventive
    Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 Actionable Reports or Measurements Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Testing Preventive
    Establish and maintain a log management program. CC ID 00673 Establish/Maintain Documentation Preventive
    Deploy log normalization tools, as necessary. CC ID 12141 Technical Security Preventive
    Restrict access to logs to a need to know basis. CC ID 01342
    [Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. AU-9(4) ¶ 1
    Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles]. AU-9(6) ¶ 1]
    Log Management Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Technical Security Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Log Management Preventive
    Back up audit trails according to backup procedures. CC ID 11642
    [Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. AU-9(2) ¶ 1]
    Systems Continuity Preventive
    Back up logs according to backup procedures. CC ID 01344 Log Management Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346
    [Store audit information on a component running a different operating system than the system or component being audited. AU-9(7) ¶ 1
    Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. AU-16 Control
    Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging. AU-4(1) ¶ 1]
    Log Management Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Log Management Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Log Management Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Log Management Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Log Management Preventive
    Protect logs from unauthorized activity. CC ID 01345
    [Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and AU-9a.]
    Log Management Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Log Management Preventive
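    The controls above (AU-9a: protect audit information from unauthorized modification and deletion; CC ID 06322: validate logs) are stated as requirements only. As an added example that is not part of the original Authority Document or of NIST's text, the following Python block shows one common technique for making a log tamper-evident: every record carries an HMAC over its own contents and the previous record's tag, so an in-place edit, a removed record, or a reordering is detected by a verifier that holds the key off-host. The record format, the field names and the key handling are assumptions for illustration, not a NIST-specified format.

```python
"""
Tamper-evident audit log chain (added example; record format and key handling
are assumptions, not a NIST-defined scheme).

Each entry's tag = HMAC-SHA256(key, previous_tag || canonical(record)).
verify() walks the chain from the genesis tag; the first entry whose sequence
number or tag does not match is reported.
"""
import copy
import hashlib
import hmac
import json
from typing import List, Tuple

GENESIS = "0" * 64  # fixed "previous tag" for the first record


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    # Canonical JSON so the same record always yields the same tag.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + "\n" + body).encode(), hashlib.sha256).hexdigest()


def append(chain: List[dict], key: bytes, record: dict) -> dict:
    """Append a record, binding it to the tag of the entry before it."""
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"seq": len(chain), "record": record, "tag": _tag(key, prev, record)}
    chain.append(entry)
    return entry


def verify(chain: List[dict], key: bytes) -> Tuple[bool, int]:
    """Return (ok, index of first bad entry or -1 when the chain is intact)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i:
            return False, i  # a deleted or reordered record shows as a seq gap
        if not hmac.compare_digest(entry["tag"], _tag(key, prev, entry["record"])):
            return False, i  # record or tag was modified
        prev = entry["tag"]
    return True, -1


# Constructed sample records for the demo (not real log data).
SAMPLE = [
    {"ts": "2024-01-01T00:00:00Z", "user": "alice", "event": "login", "result": "success"},
    {"ts": "2024-01-01T00:05:00Z", "user": "alice", "event": "sudo", "cmd": "cat /etc/shadow"},
    {"ts": "2024-01-01T00:06:00Z", "user": "alice", "event": "logout"},
]


def build_chain(key: bytes) -> List[dict]:
    chain: List[dict] = []
    for rec in SAMPLE:
        append(chain, key, rec)
    return chain


def demo_tamper(key: bytes):
    """Return verify() results for an intact, an edited, and a truncated chain."""
    chain = build_chain(key)
    intact = verify(chain, key)

    modified = copy.deepcopy(chain)
    modified[1]["record"]["cmd"] = "ls"  # attacker rewrites the sudo record in place

    deleted = copy.deepcopy(chain)
    del deleted[1]  # attacker removes the sudo record entirely

    return intact, verify(modified, key), verify(deleted, key)


if __name__ == "__main__":
    print(demo_tamper(b"demo-key-held-off-host"))
```

    One caveat a practitioner should note: a chain like this does not detect truncation of the most recent entries on its own, because the verifier cannot tell that records ever existed after the last surviving tag. Covering that case needs the latest tag (or the records themselves) to be shipped periodically to a repository on a different system, which is the point of AU-9(2) and AU-4(1) in the following entries.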
    Archive the audit trail in accordance with compliance requirements. CC ID 00674
    [Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved. AU-11(1) ¶ 1]
    Log Management Preventive
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098
    [Enforce dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. AU-9(5) ¶ 1]
    Configuration Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594
    [Preserve the identity of individuals in cross-organizational audit trails. AU-16(1) ¶ 1]
    Log Management Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Establish/Maintain Documentation Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596
    [{cross-organizational audit sharing agreement} Provide cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements]. AU-16(2) ¶ 1]
    Audits and Risk Management Preventive
    Monitor the performance of the governance, risk, and compliance capability. CC ID 12857
    [Develop, monitor, and report on the results of information security and privacy measures of performance. PM-6 Control]
    Monitor and Evaluate Occurrences Preventive
    Create a corrective action plan to correct control deficiencies identified in an audit. CC ID 00675
    [Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms]. CA-5(1) ¶ 1
    Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Response actions to address results of the analysis of control assessment and monitoring information; and CA-7f.]
    Monitor and Evaluate Occurrences Detective
    Include the completion date in the corrective action plan. CC ID 13272 Establish/Maintain Documentation Preventive
    Include monitoring in the corrective action plan. CC ID 11645
    [Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. CA-5b.
    Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. PM-4b.]
    Monitor and Evaluate Occurrences Detective
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. CA-7g.
    Develop, monitor, and report on the results of information security and privacy measures of performance. PM-6 Control
    Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. PM-31f.
    {security verification tests} Report the results of security and privacy function verification to [Assignment: organization-defined personnel or roles]. SI-6(3) ¶ 1]
    Actionable Reports or Measurements Corrective
    Protect against misusing automated audit tools. CC ID 04547
    [Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and AU-9a.]
    Technical Security Preventive
    Evaluate the measurement process used for metrics. CC ID 06920
    [Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; CA-7d.
    Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; PM-31c.]
    Testing Detective
    Evaluate the information technology products used for metrics. CC ID 11644 Technical Security Detective
    Identify and communicate improvements in metrics reporting. CC ID 06921 Establish/Maintain Documentation Corrective
    Provide intelligence support to the organization, as necessary. CC ID 14020 Business Processes Preventive
    Establish and maintain a Technical Surveillance Countermeasures program. CC ID 11401 Technical Security Preventive
    Conduct a Technical Surveillance Countermeasures survey. CC ID 10637
    [Employ a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; when the following events or indicators occur: [Assignment: organization-defined events or indicators]]. RA-6 Control]
    Testing Detective
    Coordinate multiple Technical Surveillance Countermeasure surveys, as necessary. CC ID 11454 Testing Detective
    Establish and implement cyber threat intelligence tools. CC ID 12696 Technical Security Preventive
    Leverage cyber threat intelligence when employing Technical Surveillance Countermeasures. CC ID 12697
    [{cyber threat hunting} Employ the threat hunting capability [Assignment: organization-defined frequency]. RA-10b.]
    Technical Security Preventive
    Communicate threat intelligence to interested personnel and affected parties. CC ID 14016
    [{incident response process} Incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes. SI-3(10)(b)]
    Communicate Preventive
  • Operational and Systems Continuity
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish and maintain a business continuity policy. CC ID 12405
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: CP-1a.1.]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the business continuity policy. CC ID 14237
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the business continuity policy. CC ID 14235
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include management commitment in the business continuity policy. CC ID 14233
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the scope in the business continuity policy. CC ID 14231
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the business continuity policy. CC ID 14190
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the business continuity policy to interested personnel and affected parties, as necessary. CC ID 14198
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: CP-1a.1.]
    Communicate Preventive
    Review and update the business continuity policy, as necessary. CC ID 14192
    [{contingency planning policy} Review and update the current contingency planning: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and CP-1c.1.]
    Establish/Maintain Documentation Corrective
    Include the purpose in the business continuity policy. CC ID 14188
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Establish and maintain a continuity framework. CC ID 00732 Establish/Maintain Documentation Preventive
    Coordinate continuity planning with other business units responsible for related continuity plans. CC ID 01386
    [Coordinate contingency plan development with organizational elements responsible for related plans. CP-2(1) ¶ 1]
    Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [Develop a contingency plan for the system that: CP-2a.
    Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; CP-1a.2.
    Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; CP-2e.
    Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and CP-1a.1(b)
    Review the contingency plan for the system [Assignment: organization-defined frequency]; CP-2d.
    Develop a contingency plan for the system that: Addresses the sharing of contingency information; and CP-2a.6.
    Develop a contingency plan for the system that: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; CP-2a.7.]
    Establish/Maintain Documentation Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Communicate Corrective
    Identify all stakeholders in the continuity plan. CC ID 13256 Establish/Maintain Documentation Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Establish/Maintain Documentation Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Establish/Maintain Documentation Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189 Establish/Maintain Documentation Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037
    [Initiate corrective actions, if needed. CP-4c.
    Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and CP-2g.]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254
    [Develop a contingency plan for the system that: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.3.]
    Establish/Maintain Documentation Preventive
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Process or Activity Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242
    [Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. CP-2(7) ¶ 1]
    Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244
    [Coordinate incident handling activities with contingency planning activities; IR-4b.]
    Establish/Maintain Documentation Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Establish/Maintain Documentation Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Establish/Maintain Documentation Preventive
    Review and update the continuity procedures, as necessary. CC ID 14236
    [{contingency planning procedures} Review and update the current contingency planning: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CP-1c.2.]
    Establish/Maintain Documentation Corrective
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Establish/Maintain Documentation Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725
    [Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss. PE-11 Control]
    Configuration Preventive
    Install a generator sized to support the facility. CC ID 06709
    [Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that can maintain minimally required operational capability in the event of an extended loss of the primary power source. PE-11(1) ¶ 1
    Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is: PE-11(2) ¶ 1
    {refrain from relying on} Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is: Not reliant on external power generation; and PE-11(2) ¶ 1(b)
    Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is: Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source. PE-11(2) ¶ 1(c)
    {be self-contained} Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is: Self-contained; PE-11(2) ¶ 1(a)]
    Configuration Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Acquisition/Sale of Assets or Services Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Establish/Maintain Documentation Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Establish/Maintain Documentation Preventive
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Establish/Maintain Documentation Preventive
    Review and update the continuity plan call tree mechanism after a personnel status change. CC ID 01167 Testing Detective
    Establish and maintain damage assessment procedures. CC ID 01267 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Implement the recovery plan. CC ID 13299
    [Implement transaction recovery for systems that are transaction-based. CP-10(2) ¶ 1]
    Process or Activity Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data and program backup procedures in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Test the backup information, as necessary. CC ID 13303
    [Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. CP-9(1) ¶ 1]
    Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Include restoration procedures in the continuity plan. CC ID 01169
    [{alternate processing site}{alternate storage site}{primary processing site}{primary storage site}{refrain from harming} Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites. CP-2(6) ¶ 1
    Develop a contingency plan for the system that: Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; CP-2a.5.
    Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. CP-10 Control]
    Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166
    [Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. CP-2(3) ¶ 1]
    Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377
    [Develop a contingency plan for the system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2.]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation, as necessary. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663
    [Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components]. SC-36 Control]
    Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation, as necessary. CC ID 10664
    [Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components]. SC-36 Control]
    Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665
    [Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels]. SC-37 Control]
    Systems Continuity Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; CP-1a.2.]
    Communicate Preventive
    Establish and maintain organizational facility continuity plans. CC ID 02224 Establish/Maintain Documentation Preventive
    Install and maintain redundant power supplies for the Information Technology facility. CC ID 06355 Configuration Preventive
    Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439
    [Provide the capability of shutting off power to [Assignment: organization-defined system or individual system components] in emergency situations; PE-10a.
    Protect emergency power shutoff capability from unauthorized activation. PE-10c.
    Place emergency shutoff switches or devices in [Assignment: organization-defined location by system or system component] to facilitate access for authorized personnel; and PE-10b.]
    Physical and Environmental Protection Preventive
    Run primary power lines and secondary power lines via underground diverse path feeds to organizational facilities, as necessary. CC ID 06696
    [{physical separation} Employ redundant power cabling paths that are physically separated by [Assignment: organization-defined distance]. PE-9(1) ¶ 1]
    Configuration Preventive
    Install electro-magnetic shielding around all electrical cabling. CC ID 06358
    [Protect the system from information leakage due to electromagnetic signals emanations. PE-19 Control
    Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the information. PE-19(1) ¶ 1]
    Physical and Environmental Protection Preventive
    Establish and maintain system continuity plan strategies for all in scope systems. CC ID 00735 Establish/Maintain Documentation Preventive
    Define and prioritize critical business functions. CC ID 00736
    [Develop a contingency plan for the system that: Identifies essential mission and business functions and associated contingency requirements; CP-2a.1.
    Develop a contingency plan for the system that: Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; CP-2a.4.]
    Establish/Maintain Documentation Detective
    Review and prioritize the importance of each business unit. CC ID 01165 Systems Continuity Preventive
    Review and prioritize the importance of each business process. CC ID 11689 Establish/Maintain Documentation Preventive
    Document the mean time to failure for system components. CC ID 10684
    [Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and SI-13a.]
    Systems Continuity Preventive
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Audits and Risk Management Preventive
    Establish and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 Establish/Maintain Documentation Preventive
    Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693
    [{mean time to failure} Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: [Assignment: organization-defined MTTF substitution criteria]. SI-13b.
    {substitute information system component} If system component failures are detected: Ensure that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and SI-13(4) ¶ 1(a)]
    Process or Activity Corrective
    Include the protection of personnel in the continuity plan. CC ID 06378 Establish/Maintain Documentation Preventive
    Establish and maintain a critical personnel list. CC ID 00739
    [Develop a contingency plan for the system that: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.3.]
    Establish/Maintain Documentation Detective
    Identify alternate personnel for each person on the critical personnel list. CC ID 12771 Human Resources Management Preventive
    Define the triggering events for when to activate the pandemic plan. CC ID 06801 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a critical Information Technology resource list. CC ID 00740
    [Identify critical system assets supporting [Selection: all; essential] mission and business functions. CP-2(8) ¶ 1]
    Establish/Maintain Documentation Detective
    Define and maintain continuity Service Level Agreements for all critical Information Technology resources. CC ID 00741 Establish/Maintain Documentation Preventive
    Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 Establish/Maintain Documentation Preventive
    Include website continuity procedures in the continuity plan. CC ID 01380 Establish/Maintain Documentation Preventive
    Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579
    [Maintain a central resource webpage on the organization's principal public website that serves as a central source of information about the organization's privacy program and that: Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy; PM-20a.
    Maintain a central resource webpage on the organization's principal public website that serves as a central source of information about the organization's privacy program and that: Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. PM-20c.
    Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and AC-22c.]
    Data and Information Management Preventive
    Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 Establish/Maintain Documentation Detective
    Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294
    [{alternate processing site}{alternate storage site}{primary site} Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. CP-8 Control]
    Establish/Maintain Documentation Preventive
    Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396
    [{alternate processing site}{alternate storage site}{primary site} Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. CP-8 Control
    {primary telecommunications service agreements} Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and CP-8(1)(a)
    {primary telecommunications services} Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier. CP-8(1)(b)]
    Establish/Maintain Documentation Preventive
    Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397
    [Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. CP-8(2) ¶ 1]
    Testing Detective
    Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399
    [{primary telecommunications service provider} Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. CP-8(3) ¶ 1]
    Testing Detective
    Require telecommunications service providers to have adequate continuity plans. CC ID 01400
    [{primary telecommunications service provider} Require primary and alternate telecommunications service providers to have contingency plans; CP-8(4)(a)]
    Testing Detective
    Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374
    [Plan and prepare for circumstances that preclude returning to the primary processing site. CP-7(6) ¶ 1
    {primary processing sites} {primary storage site} Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites. CP-2(5) ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish and maintain at-risk structure removal or relocation procedures. CC ID 01247 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 Physical and Environmental Protection Corrective
    Designate an alternate facility in the continuity plan. CC ID 00742
    [Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. CP-9(6) ¶ 1]
    Establish/Maintain Documentation Detective
    Separate the alternate facility from the primary facility through geographic separation. CC ID 01394
    [Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. CP-7(1) ¶ 1]
    Physical and Environmental Protection Preventive
    Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391
    [{area-wide disaster} Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. CP-7(2) ¶ 1]
    Establish/Maintain Documentation Preventive
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 Systems Continuity Preventive
    Establish and maintain off-site electronic media storage facilities. CC ID 00957
    [Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and CP-6a.]
    Physical and Environmental Protection Preventive
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390
    [Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. CP-6(1) ¶ 1]
    Testing Detective
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392
    [{recovery time objectives} Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. CP-6(2) ¶ 1]
    Configuration Preventive
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393
    [{area-wide disaster} Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions. CP-6(3) ¶ 1]
    Establish/Maintain Documentation Preventive
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573
    [Ensure that the alternate storage site provides controls equivalent to that of the primary site. CP-6b.]
    Systems Continuity Detective
    Store backup media at an off-site electronic media storage facility. CC ID 01332
    [Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. CP-9(3) ¶ 1]
    Data and Information Management Preventive
    Transport backup media in lockable electronic media storage containers. CC ID 01264
    [Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. CP-9(5) ¶ 1]
    Data and Information Management Preventive
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289
    [Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. CP-9(3) ¶ 1]
    Systems Continuity Preventive
    Perform backup procedures for in scope systems. CC ID 11692
    [Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; CP-9a.
    Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; CP-9b.]
    Process or Activity Preventive
    Back up all records. CC ID 11974
    [Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and CP-9c.]
    Systems Continuity Preventive
    Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259
    [Develop a contingency plan for the system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2.]
    Establish/Maintain Documentation Preventive
    Encrypt backup data. CC ID 00958
    [Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information]. CP-9(8) ¶ 1]
    Configuration Preventive
    Log the execution of each backup. CC ID 00956 Establish/Maintain Documentation Preventive
    Test backup media for media integrity and information integrity, as necessary. CC ID 01401 Testing Detective
    Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 Testing Detective
    Test each restored system for media integrity and information integrity. CC ID 01920 Testing Detective
    Include stakeholders when testing restored systems, as necessary. CC ID 13066 Testing Corrective
    Digitally sign disk images, as necessary. CC ID 06814 Establish/Maintain Documentation Preventive
    Include emergency communications procedures in the continuity plan. CC ID 00750
    [Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. CP-11 Control]
    Establish/Maintain Documentation Preventive
    Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 Establish/Maintain Documentation Preventive
    Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 Systems Continuity Preventive
    Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 Establish/Maintain Documentation Preventive
    Log important conversations conducted during emergencies with third parties. CC ID 12763 Log Management Preventive
    Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 Communicate Preventive
    Identify who can speak to the media in the emergency communications procedures. CC ID 12761 Communicate Corrective
    Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760
    [Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; CP-2b.]
    Establish/Maintain Documentation Preventive
    Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 Establish/Maintain Documentation Preventive
    Establish and maintain a pandemic plan. CC ID 13214 Establish/Maintain Documentation Preventive
    Include alternate work locations in the pandemic plan. CC ID 14376
    [Determine and document the [Assignment: organization-defined alternate work sites] allowed for use by employees; PE-17a.]
    Establish/Maintain Documentation Preventive
    Prepare the alternate facility for an emergency offsite relocation. CC ID 00744
    [{alternate processing site}{alternate storage site}{primary processing site}{primary storage site}{refrain from harming} Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites. CP-2(6) ¶ 1
    Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions. CP-7(4) ¶ 1
    {recovery time objectives} Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; CP-7a.]
    Systems Continuity Preventive
    Include coverage for alternate facilities for all offices in contingency arrangements. CC ID 00746 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745
    [Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and CP-6a.
    Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). CP-7(3) ¶ 1
    {recovery time objectives} Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; CP-7a.
    Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and CP-7b.]
    Establish/Maintain Documentation Preventive
    Include that the shared service provider will not oversubscribe their services in the Service Level Agreement. CC ID 04892 Establish/Maintain Documentation Preventive
    Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893 Establish/Maintain Documentation Preventive
    Establish and maintain Memorandums Of Understanding for all alternate facilities. CC ID 11695 Establish/Maintain Documentation Preventive
    Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395
    [Employ the following controls at alternate work sites: [Assignment: organization-defined controls]; PE-17b.
    Provide controls at the alternate processing site that are equivalent to those at the primary site. CP-7c.]
    Configuration Preventive
    Establish, implement, and maintain logical access controls at alternate facilities. CC ID 13227 Technical Security Preventive
    Establish, implement, and maintain physical access controls for alternate facilities. CC ID 13226 Physical and Environmental Protection Preventive
    Notify the primary facilities of any changes at the alternate facilities that could affect the continuity plan. CC ID 13225 Communicate Preventive
    Protect backup systems and restoration systems at the alternate facility. CC ID 04883
    [Protect system components used for recovery and reconstitution. CP-10(6) ¶ 1
    Synchronize the following duplicate systems or system components: [Assignment: organization-defined duplicate systems or system components]. SC-36(2) ¶ 1]
    Systems Continuity Preventive
    Review the alternate facility preparation procedures. CC ID 04884
    [Assess the effectiveness of controls at alternate work sites; and PE-17c.]
    Systems Continuity Detective
    Train personnel on the continuity plan. CC ID 00759
    [Provide contingency training to system users consistent with assigned roles and responsibilities: CP-3a.
    Provide contingency training to system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter; and CP-3a.3.
    Provide contingency training to system users consistent with assigned roles and responsibilities: When required by system changes; and CP-3a.2.
    Provide contingency training to system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; CP-3a.1.]
    Behavior Preventive
    Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387
    [Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment. CP-3(2) ¶ 1]
    Behavior Preventive
    Incorporate simulated events into the continuity plan training. CC ID 01402
    [Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. CP-3(1) ¶ 1]
    Behavior Preventive
    Include stay at home order training in the continuity plan training. CC ID 14382 Training Preventive
    Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 Training Preventive
    Include personal protection in continuity plan training. CC ID 14394 Training Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [Test the contingency plan using [Assignment: organization-defined automated mechanisms]. CP-4(3) ¶ 1
    Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. CP-4a.]
    Testing Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Testing Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Testing Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777
    [Test alternate telecommunication services [Assignment: organization-defined frequency]. CP-8(5) ¶ 1]
    Testing Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 Testing Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Testing Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757
    [Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing. CP-9(2) ¶ 1
    Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component. CP-4(5) ¶ 1]
    Testing Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082 Testing Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Testing Preventive
    Test the continuity plan at the alternate facility. CC ID 01174
    [Test the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and CP-4(2) ¶ 1(a)
    Test the contingency plan at the alternate processing site: To evaluate the capabilities of the alternate processing site to support contingency operations. CP-4(2) ¶ 1(b)
    Test the contingency plan at the alternate processing site: CP-4(2) ¶ 1]
    Testing Detective
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Establish/Maintain Documentation Preventive
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388
    [Coordinate contingency plan testing with organizational elements responsible for related plans. CP-4(1) ¶ 1]
    Testing Preventive
    Review all third party's continuity plan test results. CC ID 01365
    [{contingency training} Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency]. CP-8(4)(c)
    {telecommunications service providers} Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and CP-8(4)(b)]
    Testing Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Testing Detective
    Document the continuity plan test results and provide them to senior management. CC ID 06548
    [Review the contingency plan test results; and CP-4b.]
    Actionable Reports or Measurements Preventive
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Testing Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404
    [Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing. CP-4(4) ¶ 1]
    Testing Detective
    Review and update the business continuity plan testing program, as necessary. CC ID 12994 Process or Activity Corrective
    Conduct external audits of the Business Continuity Plan testing program. CC ID 13216 Testing Detective
    Implement the continuity plan, as necessary. CC ID 10604 Systems Continuity Corrective
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Systems Continuity Corrective
    Execute fail-safe procedures when an emergency occurs. CC ID 07108
    [When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation]. CP-12 Control
    Implement the indicated fail-safe procedures when the indicated failures occur: [Assignment: organization-defined list of failure conditions and associated fail-safe procedures]. SI-17 Control
    {known-state} Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization-defined types of system failures on organization-defined system components]. SC-24 Control
    Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system. SI-13(5) ¶ 1
    Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device. SC-7(18) ¶ 1]
    Systems Continuity Preventive
    Restore systems and environments to be operational. CC ID 13476
    [Provide the capability to restore system components within [Assignment: organization-defined restoration time periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components. CP-10(4) ¶ 1
    {mean time to failure} Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: [Assignment: organization-defined MTTF substitution criteria]. SI-13b.
    {manual activation} Manually initiate transfers between active and standby system components when the use of the active component reaches [Assignment: organization-defined percentage] of the mean time to failure. SI-13(3) ¶ 1]
    Systems Continuity Corrective
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605
    [{alternative security mechanism} Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised. CP-13 Control]
    Technical Security Preventive
  • Operational management
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish and implement a capacity management plan. CC ID 11751 Establish/Maintain Documentation Preventive
    Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 Business Processes Preventive
    Provide excess capacity or redundancy to limit any effects of a Denial of Service attack. CC ID 06754
    [Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks. SC-5(2) ¶ 1]
    Technical Security Preventive
    Implement network redundancy, as necessary. CC ID 13048 Systems Continuity Preventive
    Utilize resource capacity management controls. CC ID 00939 Testing Detective
    Perform system capacity testing. CC ID 01616
    [Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. CP-2(2) ¶ 1]
    Testing Detective
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish and maintain an internal control framework. CC ID 00820
    [Develop and disseminate an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; PM-1a.1.]
    Establish/Maintain Documentation Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Business Processes Detective
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437
    [Ensure that the authorizing official for the system, before commencing operations: Accepts the use of common controls inherited by the system; and CA-6c.1.]
    Establish Roles Preventive
    Assign resources to implement the internal control framework. CC ID 00816 Business Processes Preventive
    Assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Establish Roles Preventive
    Establish and maintain a baseline of internal controls. CC ID 12415
    [Centrally manage [Assignment: organization-defined controls and related processes]. PL-9 Control
    Tailor the selected control baseline by applying specified tailoring actions. PL-11 Control
    Select a control baseline for the system. PL-10 Control]
    Business Processes Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Business Processes Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Establish/Maintain Documentation Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Establish/Maintain Documentation Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Establish/Maintain Documentation Preventive
    Automate threat assessments, as necessary. CC ID 06877 Configuration Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Establish/Maintain Documentation Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Configuration Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Establish/Maintain Documentation Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358
    [Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; SI-4e.]
    Establish/Maintain Documentation Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Establish/Maintain Documentation Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489
    [Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and RA-5e.
    {security practice} Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To maintain currency with recommended security and privacy practices, techniques, and technologies; and PM-15b.
    Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. PM-16 Control]
    Establish/Maintain Documentation Preventive
    Share relevant security information with Special Interest Groups, as necessary. CC ID 11732
    [Establish and institutionalize contact with selected groups and associations within the security and privacy communities: PM-15 Control
    {security-related information} Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To share current security and privacy information, including threats, vulnerabilities, and incidents. PM-15c.]
    Communicate Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Process or Activity Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Establish/Maintain Documentation Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Establish/Maintain Documentation Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Establish/Maintain Documentation Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Establish/Maintain Documentation Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Establish/Maintain Documentation Preventive
    Review the internal control framework, as necessary. CC ID 01348 Establish/Maintain Documentation Detective
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Actionable Reports or Measurements Corrective
    Establish and maintain an information security program. CC ID 00812
    [Develop and disseminate an organization-wide information security program plan that: PM-1a.
    Develop and disseminate an organization-wide information security program plan that: Reflects the coordination among organizational entities responsible for information security; and PM-1a.3.]
    Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374 Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Establish/Maintain Documentation Preventive
    Include system development in the information security program. CC ID 12389 Establish/Maintain Documentation Preventive
    Include system maintenance in the information security program. CC ID 12388
    [Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; MA-4b.]
    Establish/Maintain Documentation Preventive
    Include system acquisition in the information security program. CC ID 12387 Establish/Maintain Documentation Preventive
    Include access control in the information security program. CC ID 12386
    [{security plan for the information system} Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. AC-6(3) ¶ 1
    Document the rationale for remote access in the security plan for the system. AC-17(4)(b)]
    Establish/Maintain Documentation Preventive
    Review and approve access controls, as necessary. CC ID 13074 Process or Activity Detective
    Include operations management in the information security program. CC ID 12385 Establish/Maintain Documentation Preventive
    Include communication management in the information security program. CC ID 12384 Establish/Maintain Documentation Preventive
    Include environmental security in the information security program. CC ID 12383 Establish/Maintain Documentation Preventive
    Include physical security in the information security program. CC ID 12382 Establish/Maintain Documentation Preventive
    Include human resources security in the information security program. CC ID 12381 Establish/Maintain Documentation Preventive
    Include asset management in the information security program. CC ID 12380 Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323
    [Ensure the accuracy, currency, and availability of monitoring results for the system using [Assignment: organization-defined automated mechanisms]. CA-7(6) ¶ 1]
    Establish/Maintain Documentation Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378 Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Establish/Maintain Documentation Preventive
    Provide management direction and support for the information security program. CC ID 11999
    [Develops and disseminates an organization-wide information security program plan that: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; PM-1a.2.]
    Process or Activity Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744
    [Review and update the organization-wide information security program plan [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and PM-1b.]
    Monitor and Evaluate Occurrences Preventive
    Establish and maintain an information security policy. CC ID 11740
    [Develops and disseminates an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; PM-1a.1.]
    Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493
    [{security requirements} Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; CA-9b.]
    Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Review and update the information security policy, as necessary. CC ID 11741 Establish/Maintain Documentation Corrective
    Review the information security procedures, as necessary. CC ID 12006 Business Processes Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [Develops and disseminates an organization-wide information security program plan that: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; PM-1a.4.]
    Process or Activity Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304
    [{security attributes}{security policies} Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies]. AC-16(6) ¶ 1]
    Establish/Maintain Documentation Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294
    [Develops and disseminates an organization-wide information security program plan that: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; PM-1a.2.]
    Establish/Maintain Documentation Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Human Resources Management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885
    [Develops and disseminates an organization-wide information security program plan that: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; PM-1a.2.
    {security attributes} Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects. AC-16(10) ¶ 1]
    Establish/Maintain Documentation Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Human Resources Management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Communicate Preventive
    Establish and maintain a social media governance program. CC ID 06536 Establish/Maintain Documentation Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Business Processes Preventive
    Refrain from requiring users to disclose social media account usernames or passwords. CC ID 14009 Business Processes Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Behavior Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Establish/Maintain Documentation Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655
    [Include in the rules of behavior, restrictions on: Use of social media, social networking sites, and external sites/applications; PL-4(1) ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Establish/Maintain Documentation Preventive
    Establish and maintain operational control procedures. CC ID 00831
    [Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and PL-7a.]
    Establish/Maintain Documentation Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Establish/Maintain Documentation Preventive
    Include startup processes in operational control procedures. CC ID 00833 Establish/Maintain Documentation Preventive
    Review and update the operational control procedures, as necessary. CC ID 14278
    [{security plans} Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. PL-8c.]
    Establish/Maintain Documentation Corrective
    Establish and maintain a data processing run manual. CC ID 00832 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974
    [Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information. PM-16(1) ¶ 1]
    Records Management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Business Processes Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Establish/Maintain Documentation Corrective
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Communicate Preventive
    Establish and maintain a job scheduling methodology. CC ID 00834 Establish/Maintain Documentation Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Establish/Maintain Documentation Preventive
    Establish and maintain a data processing continuity plan. CC ID 00836 Establish/Maintain Documentation Preventive
    Establish and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Establish/Maintain Documentation Preventive
    Establish and maintain an Acceptable Use Policy. CC ID 01350
    [Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; PL-4a.
    Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts]. AC-2(11) ¶ 1
    Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and SC-43a.
    {malicious use} Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and SC-43a.]
    Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351
    [Authorize, monitor, and control the use of such components within the system. SC-43b.
    Authorize, monitor, and control the use of mobile code within the system. SC-18b.]
    Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894
    [Include in the rules of behavior, restrictions on: Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. PL-4(1) ¶ 1(c)
    Include in the rules of behavior, restrictions on: Posting organizational information on public websites; and PL-4(1) ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements]. SC-18(2) ¶ 1
    Define acceptable and unacceptable mobile code and mobile code technologies; and SC-18a.]
    Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772
    [Prohibit the use of [Assignment: organization-defined network accessible storage devices] in external systems. AC-20(4) ¶ 1]
    Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357
    [{appropriate authority}{approve} Use only General Services Administration-approved products and services for identity, credential, and access management. IA-5(15) ¶ 1]
    Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749
    [Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms]. CM-11(3) ¶ 1
    Establish [Assignment: organization-defined policies] governing the installation of software by users; CM-11a.
    Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software]. CM-7(6) ¶ 1
    Allow user installation of software only with explicit privileged status. CM-11(2) ¶ 1
    Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. CM-14 Control
    Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and CM-11b.
    Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions]. CM-10(1) ¶ 1
    Require that the integrity of the following user-installed software be verified prior to execution: [Assignment: organization-defined user-installed software]. SI-7(12) ¶ 1]
    Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431
    [Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; PL-4a.]
    Communicate Preventive
    Review and update the acceptable use policy, as necessary. CC ID 14276
    [Review and update the rules of behavior [Assignment: organization-defined frequency]; and PL-4c.]
    Establish/Maintain Documentation Corrective
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661
    [Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; PL-4b.]
    Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663
    [Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection (one or more): [Assignment: organization-defined frequency]; when the rules are revised or updated]. PL-4d.]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821
    [Use software and associated documentation in accordance with contract agreements and copyright laws; CM-10a.
    {unauthorized display}{unauthorized performance}{unauthorized reproduction} Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. CM-10c.]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Business Processes Preventive
    Establish and maintain Intellectual Property Rights protection procedures. CC ID 11512 Establish/Maintain Documentation Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Establish/Maintain Documentation Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Establish/Maintain Documentation Preventive
    Identify the sender in all electronic messages. CC ID 13996 Data and Information Management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603
    [{security plans} {privacy plans} {unauthorized modification} Protect the plans from unauthorized disclosure and modification. PL-2e.
    {unauthorized modification} Protect the supply chain risk management plan from unauthorized disclosure and modification. SR-2c.
    {unauthorized modification} Develop, document, and implement a configuration management plan for the system that: Protects the configuration management plan from unauthorized disclosure and modification. CM-9e.
    {unauthorized modification} Protect the incident response plan from unauthorized disclosure and modification. IR-8e.
    {unauthorized modification} Protect the information security program plan from unauthorized disclosure and modification. PM-1c.
    {unauthorized modification} Protect the contingency plan from unauthorized disclosure and modification. CP-2h.]
    Establish/Maintain Documentation Preventive
    Establish and maintain nondisclosure agreements. CC ID 04536
    [Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]]; CA-3a.
    Verify that access to classified information requiring special protection is granted only to individuals who: Have read, understood, and signed a nondisclosure agreement. PS-6(2) ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Establish/Maintain Documentation Preventive
    Review nondisclosure agreements, as necessary. CC ID 12437 Human Resources Management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818
    [{security testing}{security training}{security monitoring}{privacy training}{privacy monitoring} Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: Continue to be executed; and PM-14a.2.]
    Business Processes Preventive
    Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 Process or Activity Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Process or Activity Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 Process or Activity Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Process or Activity Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Process or Activity Preventive
    Analyze the organizational culture. CC ID 12899 Process or Activity Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Process or Activity Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Process or Activity Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Process or Activity Detective
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Behavior Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Behavior Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Behavior Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Behavior Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Behavior Preventive
    Establish and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Process or Activity Corrective
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [Develops and disseminates an organization-wide information security program plan that: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; PM-1a.2.]
    Establish/Maintain Documentation Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Communicate Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004
    [{security authorization} Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; PM-10a.]
    Business Processes Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815
    [Develop and disseminate an organization-wide information security program plan that: PM-1a.]
    Behavior Preventive
    Review and update the Governance, Risk, and Compliance framework, as necessary. CC ID 00817
    [Review and update the CONOPS [Assignment: organization-defined frequency]. PL-7b.]
    Establish/Maintain Documentation Corrective
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties, as necessary. CC ID 06955
    [Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; CP-2f.
    Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and IR-8d.]
    Behavior Preventive
    Establish and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 Establish/Maintain Documentation Preventive
    Implement the prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12791 Establish/Maintain Documentation Preventive
    Establish and maintain an Asset Management program. CC ID 06630 Business Processes Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729
    [Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and AU-10(1)(a)]
    Human Resources Management Preventive
    Establish and apply classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903
    [{security attributes} {privacy attributes} Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes]; AC-16d.]
    Systems Design, Build, and Implementation Preventive
    Establish and maintain the systems' confidentiality level. CC ID 01904 Establish/Maintain Documentation Preventive
    Define confidentiality controls. CC ID 01908 Establish/Maintain Documentation Preventive
    Establish and maintain the systems' availability level. CC ID 01905 Establish/Maintain Documentation Preventive
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Process or Activity Preventive
    Define integrity controls. CC ID 01909
    [Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined analysis] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services. SR-4(4) ¶ 1
    Implement the following mechanisms to protect the integrity of boot firmware in [Assignment: organization-defined system components]: [Assignment: organization-defined mechanisms]. SI-7(10) ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish and maintain the systems' integrity level. CC ID 01906
    [Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined analysis] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services. SR-4(4) ¶ 1
    Verify the integrity of the boot process of the following system components: [Assignment: organization-defined system components]. SI-7(9) ¶ 1]
    Establish/Maintain Documentation Preventive
    Define availability controls. CC ID 01911 Establish/Maintain Documentation Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Establish Roles Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185
    [Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. RA-2c.]
    Establish/Maintain Documentation Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184
    [{security attributes} Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components. AC-16(7) ¶ 1]
    Establish Roles Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631
    [Maintain records of the system components. PE-16b.
    Develop and document an inventory of system components that: Accurately reflects the system; CM-8a.1.
    Develop and document an inventory of system components that: CM-8a.
    Develop and document an inventory of system components that: Does not include duplicate accounting of components or components assigned to any other system; CM-8a.3.
    Review and update the system component inventory [Assignment: organization-defined frequency]. CM-8b.
    Update the inventory of system components as part of component installations, removals, and system updates. CM-8(1) ¶ 1
    Develop and document an inventory of system components that: Includes all components within the system; CM-8a.2.
    Provide a centralized repository for the inventory of system components. CM-8(7) ¶ 1
    Develop and document an inventory of system components that: Is at the level of granularity deemed necessary for tracking and reporting; and CM-8a.4.
    Develop and document an inventory of system components that: Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and CM-8a.5.]
    Business Processes Preventive
    Establish and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689
    [Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information. PM-5(1) ¶ 1
    {information system} Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems. PM-5 Control]
    Establish/Maintain Documentation Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Technical Security Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Establish/Maintain Documentation Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Systems Design, Build, and Implementation Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store personal data. CC ID 06289 Data and Information Management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Establish/Maintain Documentation Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Establish/Maintain Documentation Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Establish/Maintain Documentation Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Establish/Maintain Documentation Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Establish/Maintain Documentation Preventive
    Conduct environmental surveys. CC ID 00690 Physical and Environmental Protection Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Establish/Maintain Documentation Preventive
    Establish and maintain a hardware asset inventory. CC ID 00691
    [Review and update the list of authorized hardware components [Assignment: organization-defined frequency]. CM-7(9)(c)
    Identify [Assignment: organization-defined hardware components authorized for system use]; CM-7(9)(a)]
    Establish/Maintain Documentation Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Establish/Maintain Documentation Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Establish/Maintain Documentation Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Process or Activity Preventive
    Include software in the Information Technology inventory. CC ID 00692 Establish/Maintain Documentation Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Establish/Maintain Documentation Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Establish/Maintain Documentation Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Establish/Maintain Documentation Preventive
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Monitor and Evaluate Occurrences Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Monitor and Evaluate Occurrences Corrective
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Establish/Maintain Documentation Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054
    [Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms]. CM-8(2) ¶ 1]
    Technical Security Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Human Resources Management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Technical Security Detective
    Record software license information for each asset in the asset inventory. CC ID 11736
    [Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and CM-10b.]
    Data and Information Management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Establish/Maintain Documentation Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Establish/Maintain Documentation Preventive
    Record the software version in the asset inventory. CC ID 12196 Establish/Maintain Documentation Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Establish/Maintain Documentation Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Establish/Maintain Documentation Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Establish/Maintain Documentation Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Establish/Maintain Documentation Preventive
    Record the make and model of the device for applicable assets in the asset inventory. CC ID 12465 Establish/Maintain Documentation Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Establish/Maintain Documentation Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Establish/Maintain Documentation Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Establish/Maintain Documentation Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Establish/Maintain Documentation Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Data and Information Management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Establish/Maintain Documentation Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Establish/Maintain Documentation Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634
    [Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms]. CM-8(8) ¶ 1
    Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; CM-12a.
    Document changes to the location (i.e., system or system components) where the information is processed and stored. CM-12c.]
    Establish/Maintain Documentation Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Establish/Maintain Documentation Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Establish/Maintain Documentation Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Establish/Maintain Documentation Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Establish/Maintain Documentation Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Establish/Maintain Documentation Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Establish/Maintain Documentation Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640
    [{be responsible}{be accountable} Include in the system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible and accountable for administering those components. CM-8(4) ¶ 1]
    Establish/Maintain Documentation Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Establish/Maintain Documentation Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Establish/Maintain Documentation Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Establish/Maintain Documentation Preventive
    Establish and maintain a software accountability policy. CC ID 00868
    [Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and CM-7(5)(b)]
    Establish/Maintain Documentation Preventive
    Establish and maintain software asset management procedures. CC ID 00895
    [Include within organizational systems the following platform independent applications: [Assignment: organization-defined platform-independent applications]. SC-27 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain software archives procedures. CC ID 00866 Establish/Maintain Documentation Preventive
    Establish and maintain software distribution procedures. CC ID 00894 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Establish/Maintain Documentation Preventive
    Establish and maintain software license management procedures. CC ID 06639 Establish/Maintain Documentation Preventive
    Automate software license monitoring, as necessary. CC ID 07057 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a system redeployment program. CC ID 06276
    [Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system. MA-5(1)(b)
    {decommission} {substitute information system component} Take system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure. SI-13(1) ¶ 1]
    Establish/Maintain Documentation Preventive
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339
    [Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system. MA-4(3)(b)]
    Testing Detective
    Notify organizational unit leaders prior to when the system is redeployed or the system is disposed. CC ID 06400 Behavior Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401
    [Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. SR-12 Control]
    Data and Information Management Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Acquisition/Sale of Assets or Services Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Establish/Maintain Documentation Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Establish/Maintain Documentation Preventive
    Establish and maintain a system preventive maintenance program. CC ID 00885
    [Restrict or prohibit field maintenance on [Assignment: organization-defined systems or system components] to [Assignment: organization-defined trusted maintenance facilities]. MA-7 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain maintenance reports. CC ID 11749
    [Include the following information in organizational maintenance records: [Assignment: organization-defined information]. MA-2f.
    Schedule, conduct, and document maintenance, repair, and replacement actions for the system using [Assignment: organization-defined automated mechanisms]; and MA-2(2)(a)
    Produce up-to-date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed. MA-2(2)(b)]
    Establish/Maintain Documentation Preventive
    Establish and maintain system inspection reports. CC ID 06346 Establish/Maintain Documentation Preventive
    Review maintenance reports. CC ID 10612
    [Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; MA-2a.
    Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior. MA-4(1)(b)]
    Establish/Maintain Documentation Corrective
    Establish, implement, and maintain a system maintenance policy. CC ID 14032
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] maintenance policy that: MA-1a.1.
    [Selection (one or more): organization-level; mission/business process-level; system-level] maintenance policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and MA-1a.1(b)]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217
    [[Selection (one or more): organization-level; mission/business process-level; system-level] maintenance policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include management commitment in the system maintenance policy. CC ID 14216
    [[Selection (one or more): organization-level; mission/business process-level; system-level] maintenance policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215
    [[Selection (one or more): organization-level; mission/business process-level; system-level] maintenance policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include the scope in the system maintenance policy. CC ID 14214
    [[Selection (one or more): organization-level; mission/business process-level; system-level] maintenance policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] maintenance policy that: MA-1a.1.]
    Communicate Preventive
    Review and update the system maintenance policy. CC ID 14193
    [{system maintenance policy} Review and update the current maintenance: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and MA-1c.1.]
    Establish/Maintain Documentation Corrective
    Include the purpose in the system maintenance policy. CC ID 14187
    [[Selection (one or more): organization-level; mission/business process-level; system-level] maintenance policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181
    [[Selection (one or more): organization-level; mission/business process-level; system-level] maintenance policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and MA-1a.1(a)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls; MA-1a.2.]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194
    [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls; MA-1a.2.]
    Communicate Preventive
    Review and update the system maintenance procedures, as necessary. CC ID 14178
    [{system maintenance procedures} Review and update the current maintenance: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. MA-1c.2.]
    Establish/Maintain Documentation Corrective
    Include a technology refresh plan in the system preventive maintenance program. CC ID 13061 Establish/Maintain Documentation Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389
    [Notify the following personnel or roles of the date and time of planned nonlocal maintenance: [Assignment: organization-defined personnel or roles]. MA-4(5)(b)
    Schedule, conduct, and document maintenance, repair, and replacement actions for the system using [Assignment: organization-defined automated mechanisms]; and MA-2(2)(a)]
    Physical and Environmental Protection Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388
    [Employ the following controls to ensure an adequate supply of [Assignment: organization-defined critical system components]: [Assignment: organization-defined controls]. SR-5(1) ¶ 1]
    Behavior Preventive
    Replace system components when third party support is no longer available. CC ID 10644
    [{is not available} Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or SA-22a.]
    Maintenance Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645
    [Provide the following options for alternative sources for continued support for unsupported components [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]]. SA-22b.]
    Maintenance Preventive
    Control and monitor all maintenance tools. CC ID 01432
    [{not contained} Prevent the removal of maintenance equipment containing organizational information by: Verifying that there is no organizational information contained on the equipment; MA-3(3) ¶ 1(a)
    Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; MA-4b.
    Prevent the removal of maintenance equipment containing organizational information by: Sanitizing or destroying the equipment; MA-3(3) ¶ 1(b)
    Monitor the use of maintenance tools that execute with increased privilege. MA-3(5) ¶ 1
    Inspect maintenance tools to ensure the latest software updates and patches are installed. MA-3(6) ¶ 1
    Restrict the use of maintenance tools to authorized personnel only. MA-3(4) ¶ 1
    Review previously approved system maintenance tools [Assignment: organization-defined frequency]. MA-3b.
    Approve, control, and monitor the use of system maintenance tools; and MA-3a.
    Prevent the removal of maintenance equipment containing organizational information by: Retaining the equipment within the facility; or MA-3(3) ¶ 1(c)]
    Physical and Environmental Protection Detective
    Obtain approval before removing maintenance tools from the facility. CC ID 14298
    [Prevent the removal of maintenance equipment containing organizational information by: Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. MA-3(3) ¶ 1(d)]
    Business Processes Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433
    [Approve and monitor nonlocal maintenance and diagnostic activities; MA-4a.
    Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: [Assignment: organization-defined cryptographic mechanisms]. MA-4(6) ¶ 1
    {is comparable} Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or MA-4(3)(a)]
    Technical Security Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614
    [{logical separation} Separating the maintenance sessions from other network sessions with the system by either: Logically separated communications paths. MA-4(4) ¶ 1(b)(2)
    Protect nonlocal maintenance sessions by: Separating the maintenance sessions from other network sessions with the system by either: MA-4(4) ¶ 1(b)
    Establish [Assignment: organization-defined alternate communications paths] for system operations organizational command and control. SC-47 Control]
    Configuration Preventive
    Approve all remote maintenance sessions. CC ID 10615
    [Approve and monitor nonlocal maintenance and diagnostic activities; MA-4a.
    Require the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and MA-4(5)(a)]
    Technical Security Preventive
    Log the performance of all remote maintenance. CC ID 13202 Log Management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083
    [Terminate session and network connections when nonlocal maintenance is