0003241
Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5
US National Institute of Standards and Technology
International or National Standard
Free
NIST SP 800-53 R5
Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53
2020-09-23
The document as a whole was last reviewed and released on 2023-11-03T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2023 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5 that has been tagged with its primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5 are based upon terms either found within the Authority Document’s defined terms section (which most legal documents have) or its glossary, or, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control | TYPE | CLASS | |
---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a product upgrade program. CC ID 12216 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain product update procedures. CC ID 12218 [Assess the system, system component, or system service prior to selection, acceptance, modification, or update. SR-5(2) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition/Sale of Assets or Services | Preventive | |
Provide identification mechanisms for the organization's supply chain members. CC ID 12201 [Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations]. IA-4(6) ¶ 1] | Business Processes | Preventive | |
Plan for acquiring facilities, technology, or services. CC ID 06892 [Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; SA-3a.] | Acquisition/Sale of Assets or Services | Preventive | |
Involve all stakeholders in the acquisition process. CC ID 13169 | Human Resources Management | Preventive | |
Perform a due diligence assessment on bidding suppliers prior to acquiring assets. CC ID 15714 | Acquisition/Sale of Assets or Services | Preventive | |
Require third parties to disclose all known vulnerabilities in third party products and services. CC ID 15491 | Communicate | Preventive | |
Allocate sufficient resources to protect Information Systems during capital planning. CC ID 01444 [Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and SA-2b. {information security resource} Make available for expenditure, the planned information security and privacy resources. PM-3c.] | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain system acquisition contracts. CC ID 14758 [Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: SA-4 Control] | Establish/Maintain Documentation | Preventive | |
Include security requirements in system acquisition contracts. CC ID 01124 [{information security requirements} Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; SA-2a. {security strength requirements} Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Strength of mechanism requirements; SA-4b. Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Security and privacy documentation requirements; SA-4e. {security assurance requirements} Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Security and privacy assurance requirements; SA-4c. {privacy requirement} Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function. SA-4(11) ¶ 1 Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: [Assignment: organization-defined systems engineering methods]; SA-4(3) ¶ 1(a) {security engineering method} Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: [Assignment: organization-defined [Selection (one or more): systems security; privacy] engineering methods]; and SA-4(3) ¶ 1(b) Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Security and privacy functional requirements; SA-4a. {security-related documentation} Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Requirements for protecting security and privacy documentation; SA-4f.] | Establish/Maintain Documentation | Preventive | |
Include operational requirements in system acquisition contracts. CC ID 00825 | Establish/Maintain Documentation | Preventive | |
Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 | Establish/Maintain Documentation | Preventive | |
Include required service levels in system acquisition contracts. CC ID 11652 | Establish/Maintain Documentation | Preventive | |
Include security controls in system acquisition contracts. CC ID 01125 [{security requirements} Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Controls needed to satisfy the security and privacy requirements. SA-4d.] | Establish/Maintain Documentation | Preventive | |
Include the cost effectiveness of security controls in system acquisition contracts. CC ID 11653 | Technical Security | Detective | |
Obtain system documentation before acquiring products and services. CC ID 01445 [Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented. SA-4(1) ¶ 1 Obtain or develop administrator documentation for the system, system component, or system service that describes: SA-5a.] | Establish/Maintain Documentation | Preventive | |
Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 [{security function} {security mechanisms} Obtain or develop administrator documentation for the system, system component, or system service that describes: Effective use and maintenance of security and privacy functions and mechanisms; and SA-5a.2.] | Establish/Maintain Documentation | Preventive | |
Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 [{administrative function} Obtain or develop administrator documentation for the system, system component, or system service that describes: Known vulnerabilities regarding configuration and use of administrative or privileged functions; SA-5a.3.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 [Distribute documentation to [Assignment: organization-defined personnel or roles]. SA-5d.] | Communicate | Preventive | |
Document attempts to obtain system documentation. CC ID 14284 [Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and SA-5c.] | Process or Activity | Corrective | |
Obtain user documentation before acquiring products and services. CC ID 14283 [Obtain or develop user documentation for the system, system component, or system service that describes: SA-5b.] | Acquisition/Sale of Assets or Services | Preventive | |
Include instructions on how to use the security functions in the user documentation. CC ID 14314 [{security functions} Obtain or develop user documentation for the system, system component, or system service that describes: User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; SA-5b.1.] | Establish/Maintain Documentation | Preventive | |
Include security functions in the user documentation. CC ID 14313 [{security functions} Obtain or develop user documentation for the system, system component, or system service that describes: User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; SA-5b.1.] | Establish/Maintain Documentation | Preventive | |
Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 [Obtain or develop user documentation for the system, system component, or system service that describes: User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; SA-5b.3.] | Establish/Maintain Documentation | Preventive | |
Include a description of user interactions in the user documentation. CC ID 14311 [Obtain or develop user documentation for the system, system component, or system service that describes: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and SA-5b.2.] | Establish/Maintain Documentation | Preventive | |
Require the information system developer to create a continuous monitoring plan. CC ID 14307 [Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization. SA-4(8) ¶ 1 {security tracking tool} Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process. SA-15(2) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Provide a Configuration Management plan by the Information System developer for all newly acquired assets. CC ID 01446 [The organization requires the developer of the information system, system component, or information system service to: Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and SA-4(5) ¶ 1(a) The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service; SA-5a.1. Require the developer of the system, system component, or system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal]; SA-10a. {external system service provider} Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services]. SA-9(2) ¶ 1] | Testing | Detective | |
Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets. CC ID 01447 [Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: SA-11(2) ¶ 1 Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; SA-11(2) ¶ 1(a) Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: Employs the following tools and methods: [Assignment: organization-defined tools and methods]; SA-11(2) ¶ 1(b) Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and SA-11(2) ¶ 1(c) Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria]. SA-11(2) ¶ 1(d) Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: [Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes]. SA-4(3) ¶ 1(c) Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; SA-11c. Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; SA-11b. Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results. SA-11(9) ¶ 1 {security assessment} Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Develop and implement a plan for ongoing security and privacy assessments; SA-11a. {security testing} Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation]. SA-11(7) ¶ 1] | Testing | Detective | |
Include roles and responsibilities in system acquisition contracts. CC ID 14765 [Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and SA-4h.] | Establish/Maintain Documentation | Preventive | |
Include the acceptance criteria in system acquisition contracts. CC ID 14288 [Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Acceptance criteria. SA-4i.] | Acquisition/Sale of Assets or Services | Preventive | |
Include audit record generation capabilities in system acquisition contracts. CC ID 16427 | Acquisition/Sale of Assets or Services | Preventive | |
Include a description of the development environment and operational environment in system acquisition contracts. CC ID 14256 [Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: Description of the system development environment and environment in which the system is intended to operate; SA-4g.] | Acquisition/Sale of Assets or Services | Preventive | |
Identify and include alternatives to meeting the security requirements when acquiring assets. CC ID 01128 | Acquisition/Sale of Assets or Services | Detective | |
Conduct an acquisition feasibility study prior to acquiring assets. CC ID 01129 [Assess the system, system component, or system service prior to selection, acceptance, modification, or update. SR-5(2) ¶ 1] | Acquisition/Sale of Assets or Services | Detective | |
Include a Business Impact Analysis in the acquisition feasibility study. CC ID 16231 | Acquisition/Sale of Assets or Services | Preventive | |
Include environmental considerations in the acquisition feasibility study. CC ID 16224 | Acquisition/Sale of Assets or Services | Preventive | |
Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135 [Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and SA-9(1)(a)] | Testing | Detective | |
Refrain from implementing systems that are beyond the organization's risk acceptance level. CC ID 13054 | Acquisition/Sale of Assets or Services | Preventive | |
Approve the risk assessment report of operational risks as a part of the acquisition feasibility study. CC ID 11666 | Technical Security | Preventive | |
Establish test environments separate from the production environment to support feasibility testing before product acquisition. CC ID 01130 | Configuration | Preventive | |
Establish test environments separate from the production environment to support integration testing before product acquisition. CC ID 11668 | Testing | Detective | |
Analyze the proposed Information Architecture as it pertains to acquisition feasibility. CC ID 01132 | Acquisition/Sale of Assets or Services | Detective | |
Establish, implement, and maintain a product and services acquisition strategy. CC ID 01133 [Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. SR-5 Control] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a product and services acquisition program. CC ID 01136 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and SA-1a.1(b) {system and services acquisition policy} Review and update the current system and services: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and SA-1c.1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: SA-1a.1.] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the product and services acquisition policy. CC ID 14163 [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include management commitment in the product and services acquisition policy. CC ID 14161 [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the product and services acquisition policy. CC ID 14159 [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the purpose in the product and services acquisition policy. CC ID 14158 [[Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] system and services acquisition policy that: SA-1a.1.] | Communicate | Preventive | |
Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 [{system and services acquisition procedures} Review and update the current system and services: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. SA-1c.2. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; SA-1a.2.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; SA-1a.2.] | Communicate | Preventive | |
Establish, implement, and maintain acquisition approval requirements. CC ID 13704 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 | Communicate | Preventive | |
Include preventive maintenance contracts in system acquisition contracts. CC ID 06658 | Establish/Maintain Documentation | Preventive | |
Prohibit the use of Personal Electronic Devices, absent approval. CC ID 04599 [Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions]. AC-20(3) ¶ 1] | Behavior | Detective | |
Sign a forfeiture statement acknowledging unapproved Personal Electronic Devices will be confiscated. CC ID 11667 | Physical and Environmental Protection | Preventive | |
Include chain of custody procedures in the product and services acquisition program. CC ID 10058 | Acquisition/Sale of Assets or Services | Preventive | |
Review and update the acquisition contracts, as necessary. CC ID 14279 [{security plans} Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. PL-8c.] | Acquisition/Sale of Assets or Services | Corrective | |
Establish, implement, and maintain a software product acquisition methodology. CC ID 01138 [Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements]. SC-18(2) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Align the service management program with the Code of Conduct. CC ID 14211 | Establish/Maintain Documentation | Preventive | |
Store source code documentation in escrow by an independent third party. CC ID 01139 | Testing | Detective | |
Review software licensing agreements to ensure compliance. CC ID 01140 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain third party Software Maintenance Agreements. CC ID 01143 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [{approve}{relevant authority} Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and SA-4(6)(a) {approved product list} Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. SA-4(10) ¶ 1 {external requirement}{information assurance product}{information technology product} Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. SA-4(6)(b) {external requirement} Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and SA-4(7)(a) Obtain software and data employed during system component and service refreshes from the following trusted sources: [Assignment: organization-defined trusted sources]. SI-14(1) ¶ 1 Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: The device meets [Assignment: organization-defined strength of mechanism requirements]. IA-2(6) ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Install software that originates from approved third parties. CC ID 12184 | Technical Security | Preventive | |
Promote joint acquisition of products or services. CC ID 11453 | Acquisition/Sale of Assets or Services | Preventive | |
Acquire products or services. CC ID 11450 [{be different} Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. PL-8(2) ¶ 1] | Acquisition/Sale of Assets or Services | Preventive | |
Acquire products through suppliers, as necessary. CC ID 13171 | Acquisition/Sale of Assets or Services | Preventive | |
Pay suppliers in a timely manner. CC ID 06891 | Acquisition/Sale of Assets or Services | Preventive | |
Register new systems with the program office or other applicable stakeholder. CC ID 13986 | Business Processes | Preventive | |
Refrain from accepting assets with questionable provenance. CC ID 12194 | Business Processes | Preventive | |
Discourage the modification of vendor-supplied software. CC ID 12016 | Process or Activity | Preventive | |
Refuse acquisition of products or services absent acquisition approval. CC ID 11451 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain an anti-counterfeit program for acquiring new systems. CC ID 10641 [Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and SR-11a.] | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain an anti-counterfeit policy. CC ID 11499 | Establish/Maintain Documentation | Detective | |
Include details and legal requirements in the anti-counterfeit policy. CC ID 11500 | Establish/Maintain Documentation | Detective | |
Include notification procedures in the anti-counterfeit policy. CC ID 11501 | Establish/Maintain Documentation | Detective | |
Include directions for the quarantine process in the anti-counterfeit policy. CC ID 11502 | Establish/Maintain Documentation | Detective | |
Include evidence gathering procedures in the anti-counterfeit policy. CC ID 11503 | Establish/Maintain Documentation | Detective | |
Include directions to not request the return of products that are found to be counterfeit in the anti-counterfeit policy. CC ID 11504 | Establish/Maintain Documentation | Detective | |
Include counterfeit product quarantine procedures in the anti-counterfeit policy. CC ID 11505 | Establish/Maintain Documentation | Detective | |
Include the counterfeit product reporting procedures in the anti-counterfeit policy. CC ID 11506 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain anti-counterfeit procedures. CC ID 11498 | Establish/Maintain Documentation | Detective | |
Agree upon anti-counterfeit authentication tools to be used for counterfeit testing. CC ID 11566 | Establish/Maintain Documentation | Detective | |
Scan for potential counterfeit parts and potential counterfeit components. CC ID 10643 [Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and SR-11a. Scan for counterfeit system components [Assignment: organization-defined frequency]. SR-11(3) ¶ 1] | Physical and Environmental Protection | Detective | |
Terminate employees that traffic counterfeit products. CC ID 11479 | Physical and Environmental Protection | Detective | |
Seize counterfeit products. CC ID 11510 [Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and SR-11a.] | Physical and Environmental Protection | Detective | |
Conduct a visual examination of all parts and components as part of anti-counterfeit testing. CC ID 11567 | Physical and Environmental Protection | Detective | |
Visually examine to verify all parts are received in a single shipment. CC ID 11569 | Physical and Environmental Protection | Detective | |
Visually examine to verify all parts are marked with part identification codes. CC ID 11570 | Physical and Environmental Protection | Detective | |
Visually examine to verify all parts of the same type are identical. CC ID 11571 | Physical and Environmental Protection | Detective | |
Visually examine to verify all parts are packaged identically. CC ID 11572 | Physical and Environmental Protection | Detective | |
Visually examine to verify all parts have maintained their physical placement in packaging relative to each other. CC ID 11573 | Physical and Environmental Protection | Detective | |
Compare the packaging of parts being inspected to the supplier's packaging description. CC ID 11575 | Physical and Environmental Protection | Detective | |
Visually examine to verify all parts have not been resurfaced or reshaped. CC ID 11578 | Physical and Environmental Protection | Detective | |
Utilize a solvent test to verify parts have not been resurfaced or reshaped, as necessary. CC ID 11579 | Physical and Environmental Protection | Detective | |
Compare potential counterfeit parts and potential counterfeit components to authentic parts and authentic components. CC ID 11568 | Physical and Environmental Protection | Detective | |
Use a minimum of 3X optical magnification when comparing a potential counterfeit part and potential counterfeit component to an authentic part and authentic component. CC ID 11574 | Physical and Environmental Protection | Detective | |
Compare the dimensions of a potential counterfeit part or potential counterfeit component to the authentic part's or authentic component's dimensions. CC ID 11576 | Physical and Environmental Protection | Detective | |
Compare the specifications of the potential counterfeit parts and potential counterfeit components to the specifications for the authentic parts and authentic components. CC ID 11577 | Physical and Environmental Protection | Detective | |
Conduct scanning acoustic microscopy inspections of all potential counterfeit parts and potential counterfeit components. CC ID 11580 | Physical and Environmental Protection | Detective | |
Conduct scanning acoustic microscopy inspections of the top and bottom component package surfaces. CC ID 11581 | Physical and Environmental Protection | Detective | |
Conduct scanning acoustic microscopy inspections of interior top scans of the die, die paddle, bond wires, and lead frames. CC ID 11582 | Physical and Environmental Protection | Detective | |
Conduct scanning acoustic microscopy inspections to include overall calculations showing the percentage of die-voiding that is present. CC ID 11583 | Physical and Environmental Protection | Detective | |
Conduct x-ray inspections of all potential counterfeit parts and potential counterfeit components. CC ID 11584 | Physical and Environmental Protection | Detective | |
Conduct lead finish inspections of all potential counterfeit parts and potential counterfeit components. CC ID 11585 | Physical and Environmental Protection | Detective | |
Conduct electrical testing inspections of all potential counterfeit parts and potential counterfeit components. CC ID 11586 | Physical and Environmental Protection | Detective | |
Follow the applicable performance data sheet when conducting electrical testing inspections of all potential counterfeit parts and potential counterfeit components. CC ID 11587 | Physical and Environmental Protection | Detective | |
Conduct pre-burn-in electrical testing inspections and post-burn-in electrical testing inspections of all potential counterfeit parts and potential counterfeit components. CC ID 11588 | Physical and Environmental Protection | Detective | |
Conduct destructive physical analysis on a representative sample of all potential counterfeit parts and potential counterfeit components. CC ID 11589 | Physical and Environmental Protection | Detective | |
Create and distribute a counterfeit product report. CC ID 10642 [Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. SR-11b.] | Communicate | Corrective | |
Include a detailed description of the counterfeit product in the counterfeit product report. CC ID 11481 | Communicate | Corrective | |
Include the source of the counterfeit product in the counterfeit product report. CC ID 11482 | Communicate | Corrective | |
Include the cost of the counterfeit product in the counterfeit product report. CC ID 11483 | Communicate | Corrective | |
Include a description of the counterfeit indications in the counterfeit product report. CC ID 11484 | Communicate | Corrective | |
Include product information about the counterfeit product in the counterfeit product report. CC ID 11491 | Communicate | Corrective | |
Generalize the information about seized counterfeit products in the counterfeit product report. CC ID 11511 | Communicate | Corrective | |
Disseminate and communicate the counterfeit product report to appropriate law enforcement authorities. CC ID 11490 [Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. SR-11b.] | Communicate | Corrective | |
Disseminate and communicate the counterfeit product report to the supplier. CC ID 11494 [Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. SR-11b.] | Communicate | Corrective | |
Request a counterfeit product investigation from the supplier as part of the counterfeit product report. CC ID 11495 | Communicate | Corrective | |
Exclude the supplier's information from the counterfeit product report unless the supplier is a proven counterfeiter. CC ID 11507 | Communicate | Corrective | |
Exclude the supplier's information from the counterfeit product report unless a subpoena requires it. CC ID 11508 | Communicate | Corrective | |
Ban counterfeit products from all facilities. CC ID 11480 | Business Processes | Preventive | |
Quarantine counterfeit materials and counterfeit products. CC ID 11485 | Establish/Maintain Documentation | Detective | |
Quarantine counterfeit products and counterfeit materials for a period of time determined by counterfeit product quarantine procedures. CC ID 11565 | Establish/Maintain Documentation | Detective | |
Release counterfeit products and counterfeit materials from quarantine only for evaluation. CC ID 11486 | Establish/Maintain Documentation | Detective | |
Refrain from returning counterfeit products and counterfeit materials to the source. CC ID 11487 | Establish/Maintain Documentation | Detective | |
Refrain from requesting the return of counterfeit products and counterfeit materials. CC ID 11488 | Establish/Maintain Documentation | Detective | |
Notify interested personnel and affected parties regarding the status of a request to release counterfeit products or counterfeit materials. CC ID 11509 | Establish/Maintain Documentation | Detective | |
Mark counterfeit products and counterfeit materials as being counterfeit. CC ID 11600 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain shipped counterfeit product procedures. CC ID 11492 | Establish/Maintain Documentation | Detective | |
Refund or replace counterfeit products when notified they were shipped by the organization. CC ID 11493 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [Assess the system, system component, or system service prior to selection, acceptance, modification, or update. SR-5(2) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 | Testing | Detective | |
Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 | Testing | Detective | |
Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 | Testing | Detective | |
Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Testing | Detective | |
Test new software or upgraded software for security vulnerabilities. CC ID 01898 | Testing | Detective | |
Test new software or upgraded software for compatibility with the current system. CC ID 11654 | Testing | Detective | |
Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 | Testing | Detective | |
Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 [Require the developer of the system, system component, or system service to enable integrity verification of hardware components. SA-10(3) ¶ 1] | Testing | Detective | |
Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 | Testing | Detective | |
Correct defective acquired goods or services. CC ID 06911 | Acquisition/Sale of Assets or Services | Corrective | |
Authorize new assets prior to putting them into the production environment. CC ID 13530 [Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. SA-9(1)(b)] | Process or Activity | Preventive | |
Establish, implement, and maintain a consumer complaint management program. CC ID 04570 [{security practice} Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: PM-26 Control] | Business Processes | Preventive | |
Document consumer complaints. CC ID 13903 | Business Processes | Preventive | |
Assess consumer complaints and litigation. CC ID 16521 | Investigate | Preventive | |
Include how to access information from the dispute resolution body in the consumer complaint management program. CC ID 13816 | Establish/Maintain Documentation | Preventive | |
Include any requirements for using information from the dispute resolution body in the consumer complaint management program. CC ID 13815 | Establish/Maintain Documentation | Preventive | |
Post contact information in an easily seen location at facilities. CC ID 13812 [{complaint process}{include}{be accessible} Mechanisms that are easy to use and readily accessible by the public; PM-26a.] | Communicate | Preventive | |
Provide users a list of the available dispute resolution bodies. CC ID 13814 | Communicate | Preventive | |
Post the dispute resolution body's contact information on the organization's website. CC ID 13811 | Communicate | Preventive | |
Establish, implement, and maintain consumer complaint escalation procedures. CC ID 07208 [{complaint process}{include} Acknowledgement of receipt of complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]; and PM-26d.] | Establish/Maintain Documentation | Preventive | |
Report the analysis of consumer complaints to the Quality Management committee. CC ID 07209 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain notice and take-down procedures. CC ID 09963 | Establish/Maintain Documentation | Preventive | |
Check communications for take-down requests. CC ID 09964 | Monitor and Evaluate Occurrences | Preventive | |
Include complete information in the take-down request. CC ID 09965 | Business Processes | Detective | |
Include the complainant's contact information in the take-down request. CC ID 09966 | Business Processes | Detective | |
Include the identification of unlawful material or unlawful activities in the take-down request. CC ID 09967 | Business Processes | Detective | |
Include the identification of the right that has allegedly been infringed in the take-down request. CC ID 09968 | Business Processes | Detective | |
Include the remedial action required to be taken in respect of the complaint in the take-down request. CC ID 09969 | Business Processes | Detective | |
Include a statement by the complainant that the information is true and correct in the take-down request. CC ID 09970 | Business Processes | Preventive | |
Include a statement that the complainant is acting in good faith in the take-down request. CC ID 09971 | Business Processes | Detective | |
Include the written signature or electronic signature of the complainant in the take-down request. CC ID 09972 | Business Processes | Detective | |
Notify the complainant regarding any missing information in the take-down request. CC ID 09973 | Behavior | Preventive | |
Analyze the digital content hosted by the organization for any electronic material associated with the take-down request. CC ID 09974 | Business Processes | Detective | |
Document any unlawful material hosted or stored by the organization meeting the take-down request criteria. CC ID 09975 | Establish/Maintain Documentation | Preventive | |
Document any unlawful material hosted or stored by the organization meeting the take-down request criteria that has been removed prior to the take-down request. CC ID 09976 | Establish/Maintain Documentation | Preventive | |
Include whether it is technically feasible to follow the requested remedial action in the take-down request. CC ID 09977 | Establish/Maintain Documentation | Preventive | |
Remove all unlawful material associated with the take-down request that has not been removed and is feasible to remove. CC ID 09978 | Business Processes | Preventive | |
Notify the complainant when all unlawful material associated with the take-down notice that can be removed has been removed. CC ID 09979 | Business Processes | Preventive | |
Process product return requests. CC ID 11598 | Acquisition/Sale of Assets or Services | Corrective | |
Refrain from returning products absent a return request authorization. CC ID 11599 | Acquisition/Sale of Assets or Services | Corrective | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and Risk Management | Preventive | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 [Develop a control assessment plan that describes the scope of the assessment including: Assessment procedures to be used to determine control effectiveness; and CA-2b.2.] | Testing | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and Risk Management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 [Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and PM-11b. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; PM-31b.] | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
Establish and maintain organizational audit reports. CC ID 06731 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 [{audit record review} Report findings to [Assignment: organization-defined personnel or roles]; and AU-6b.] | Log Management | Detective | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: Are developed and maintained; PM-4a.1. {information security program}{privacy program} Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: PM-4a.] | Establish/Maintain Documentation | Corrective | |
Assign responsibility for remediation actions. CC ID 13622 | Human Resources Management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Actionable Reports or Measurements | Corrective | |
Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and Risk Management | Detective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. PM-9c.] | Establish/Maintain Documentation | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Establish/Maintain Documentation | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Business Processes | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 [{be consistent} Implement the risk management strategy consistently across the organization; and PM-9b.] | Business Processes | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; RA-3b.] | Business Processes | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Establish/Maintain Documentation | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and Risk Management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Business Processes | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [Develops a comprehensive strategy to manage: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and PM-9a.1. Develops a comprehensive strategy to manage: Privacy risk to individuals resulting from the authorized processing of personally identifiable information; PM-9a.2.] | Establish/Maintain Documentation | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Establish/Maintain Documentation | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Data and Information Management | Preventive | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Establish/Maintain Documentation | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Establish/Maintain Documentation | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 [{physical hazards} For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy. PE-23b.] | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and Risk Management | Detective | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and PM-10b.] | Establish Roles | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and Risk Management | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Establish/Maintain Documentation | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Establish/Maintain Documentation | Preventive | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Business Processes | Preventive | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Business Processes | Preventive | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Business Processes | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Establish/Maintain Documentation | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Establish/Maintain Documentation | Preventive | |
Use the risk taxonomy when managing risk. CC ID 12280 | Behavior | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: RA-1a.1. {risk assessment policy} Review and update the current risk assessment: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and RA-1c.1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and RA-1a.1(b)] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] risk assessment policy that: RA-1a.1.] | Communicate | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 [{risk assessment procedures} Review and update the current risk assessment: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. RA-1c.2. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; RA-1a.2. Identify and document: Constraints affecting risk assessments, risk responses, and risk monitoring; PM-28a.2.] | Establish/Maintain Documentation | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Establish/Maintain Documentation | Preventive | |
Document cybersecurity risks. CC ID 12281 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Establish/Maintain Documentation | Preventive | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and Risk Management | Preventive | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Establish/Maintain Documentation | Preventive | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Establish/Maintain Documentation | Preventive | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [Identify and document: Assumptions affecting risk assessments, risk responses, and risk monitoring; PM-28a.1.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [Review and update risk framing considerations [Assignment: organization-defined frequency]. PM-28c.] | Establish/Maintain Documentation | Preventive | |
Document organizational risk criteria. CC ID 12277 | Establish/Maintain Documentation | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 [Identifying threats to and vulnerabilities in the system; RA-3a.1.] | Technical Security | Preventive | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Investigate | Detective | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [Categorize the system and information it processes, stores, and transmits; RA-2a.] | Audits and Risk Management | Preventive | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and Risk Management | Preventive | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Establish/Maintain Documentation | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and Risk Management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Establish/Maintain Documentation | Preventive | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Establish/Maintain Documentation | Preventive | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 [Use all-source intelligence to assist in the analysis of risk. RA-3(2) ¶ 1 Identify and document: Assumptions affecting risk assessments, risk responses, and risk monitoring; PM-28a.1.] | Establish/Maintain Documentation | Preventive | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Establish/Maintain Documentation | Preventive | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Establish/Maintain Documentation | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and Risk Management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; RA-1a.2. Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and PM-28b.] | Communicate | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [Conduct a risk assessment, including: RA-3a.] | Testing | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Establish/Maintain Documentation | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 [{security plans} Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; RA-3c. Produce a control assessment report that document the results of the assessment; and CA-2e.] | Establish/Maintain Documentation | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 [Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements]. CA-2(3) ¶ 1] | Audits and Risk Management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Establish/Maintain Documentation | Detective | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and Risk Management | Preventive | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. RA-3(1)(b) Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. RA-3f.] | Establish/Maintain Documentation | Detective | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and Risk Management | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 [Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and RA-3e. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. CA-2f.] | Communicate | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Business Processes | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 | Behavior | Preventive | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Investigate | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 | Audits and Risk Management | Detective | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Establish/Maintain Documentation | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Establish/Maintain Documentation | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Establish/Maintain Documentation | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Establish/Maintain Documentation | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Establish/Maintain Documentation | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Communicate | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 [Identify and document: Organizational risk tolerance; PM-28a.4.] | Establish/Maintain Documentation | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Business Processes | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Business Processes | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]. RA-3(4) ¶ 1 Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; RA-3a.3. {unauthorized use} {unauthorized disclosure} {unauthorized modification} {unauthorized destruction} Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and RA-3a.2.] | Audits and Risk Management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [Identify and document: Priorities and trade-offs considered by the organization for managing risk; and PM-28a.3.] | Audits and Risk Management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and Risk Management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Actionable Reports or Measurements | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and Risk Management | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 | Establish/Maintain Documentation | Preventive | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Investigate | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Behavior | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Establish/Maintain Documentation | Detective | |
Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and Risk Management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Process or Activity | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Process or Activity | Detective | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and Risk Management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 | Testing | Detective | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Establish/Maintain Documentation | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and Risk Management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and Risk Management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Establish/Maintain Documentation | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Establish/Maintain Documentation | Corrective | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the risk treatment plan. CC ID 11981 | Establish/Maintain Documentation | Preventive | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Establish/Maintain Documentation | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Establish/Maintain Documentation | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Establish/Maintain Documentation | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 [{security plans} Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; RA-3c.] | Establish/Maintain Documentation | Preventive | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Establish/Maintain Documentation | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 [Identify and document: Constraints affecting risk assessments, risk responses, and risk monitoring; PM-28a.2.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Communicate | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and Risk Management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Establish/Maintain Documentation | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and CA-5a. {remedial action} Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and PM-4a.2. {information security program} {privacy program} Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: Are reported in accordance with established reporting requirements. PM-4a.3.] | Establish/Maintain Documentation | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 [Review risk assessment results [Assignment: organization-defined frequency]; RA-3d.] | Establish/Maintain Documentation | Preventive | |
Include risk responses in the risk management program. CC ID 13195 [Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. RA-7 Control] | Establish/Maintain Documentation | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Establish/Maintain Documentation | Corrective | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Business Processes | Preventive | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Establish/Maintain Documentation | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Establish/Maintain Documentation | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Business Processes | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and Risk Management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Establish/Maintain Documentation | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Establish/Maintain Documentation | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Establish/Maintain Documentation | Preventive | |
Evaluate the cyber insurance market. CC ID 12695 | Business Processes | Preventive | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Business Processes | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Business Processes | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: SR-1a.1. [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and SR-1a.1(b) {supply chain risk management policy} Review and update the current supply chain risk management: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and SR-1c.1 Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; PM-30a. {consistent approach} Implement the supply chain risk management strategy consistently across the organization; and PM-30b.] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 [[Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SR-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 [[Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SR-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 [[Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SR-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 [[Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SR-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 [[Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SR-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 [[Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and SR-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] supply chain risk management policy that: SR-1a.1.] | Communicate | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 [Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services]; SR-2a. Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes; and SR-2b.] | Establish/Maintain Documentation | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Establish/Maintain Documentation | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Establish/Maintain Documentation | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Establish/Maintain Documentation | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; SR-1a.2 Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; SR-3a. Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and RA-3(1)(a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; SR-1a.2] | Communicate | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Human Resources Management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 [{supply chain risk management procedure} Review and update the current supply chain risk management: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. SR-1c.2. Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes. PM-30c.] | Process or Activity | Detective | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Communicate | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term | | | |
Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Harmonization Methods and Manual of Style CC ID 06095 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a matching program for external requirements and organizational records. CC ID 14764 [When a system or organization processes information for the purpose of conducting a matching program: Obtain approval from the Data Integrity Board to conduct the matching program; PT-8a. {annual basis} Conduct an annual review of all matching programs in which the agency has participated. PM-24b.] | Business Processes | Detective | |
Request proposals to conduct or participate in a matching program. CC ID 14757 | Establish/Maintain Documentation | Preventive | |
Review proposals to conduct or participate in a matching program. CC ID 14763 [Review proposals to conduct or participate in a matching program; and PM-24a.] | Establish/Maintain Documentation | Detective | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term | | | |
Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Establish a Data Integrity Board to: PM-24 Control] | Establish Roles | Preventive | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 [Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. PM-2 Control] | Establish Roles | Preventive | |
Establish, implement, and maintain a security operations center. CC ID 14762 [Establish and maintain a security operations center. IR-4(14) ¶ 1] | Human Resources Management | Preventive | |
Define the scope for the security operations center. CC ID 15713 | Establish/Maintain Documentation | Preventive | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources Management | Preventive | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Behavior | Preventive | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources Management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Establish Roles | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources Management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Establish/Maintain Documentation | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources Management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Establish/Maintain Documentation | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Establish/Maintain Documentation | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources Management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 [Assign a senior official as the authorizing official for the system; CA-6a. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems; CA-6b. Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization. CA-6(1) ¶ 1] | Establish Roles | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources Management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources Management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources Management | Corrective | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources Management | Preventive | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources Management | Preventive | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Establish/Maintain Documentation | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources Management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources Management | Preventive | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources Management | Preventive | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Establish Roles | Preventive | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources Management | Preventive | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Establish Roles | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources Management | Preventive | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Establish Roles | Preventive | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Establish Roles | Preventive | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 [Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization. PM-29b.] | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources Management | Preventive | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Establish Roles | Preventive | |
Define and assign the security staff roles and responsibilities. CC ID 11750 [{information security roles and responsibilities} Define and document information security and privacy roles and responsibilities throughout the system development life cycle; SA-3b.] | Establish/Maintain Documentation | Preventive | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources Management | Preventive | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Establish Roles | Preventive | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Establish Roles | Preventive | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 [{assign} Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. PM-19 Control] | Establish Roles | Preventive | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Establish Roles | Preventive | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Establish/Maintain Documentation | Preventive | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Establish Roles | Preventive | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources Management | Preventive | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources Management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources Management | Preventive | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources Management | Preventive | |
Assign a contact person to all business units. CC ID 07144 | Establish Roles | Preventive | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Business Processes | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources Management | Preventive | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources Management | Preventive | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources Management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 [Define and document organizational oversight and user roles and responsibilities with regard to external system services; and SA-9b.] | Human Resources Management | Preventive | |
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources Management | Preventive | |
Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Establish Roles | Preventive | |
Document the use of external experts. CC ID 16263 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities]. SR-2(1) ¶ 1 {information security process}{strategic planning process}{operational planning process} Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and PM-29a.] | Human Resources Management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources Management | Preventive | |
Assign the roles and responsibilities for the change control program. CC ID 13118 [Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element]. CM-3(4) ¶ 1 Require [Assignment: organization-defined security and privacy representatives] to be included in the [Assignment: organization-defined configuration change management and control process]. SA-10(7) ¶ 1] | Human Resources Management | Preventive | |
Identify and define all critical roles. CC ID 00777 [{publicly accessible information system} Designate individuals authorized to make information publicly accessible; AC-22a.] | Establish Roles | Preventive | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Establish Roles | Preventive | |
Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources Management | Preventive | |
Assign the role of security management to applicable controls. CC ID 06444 | Establish Roles | Preventive | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources Management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources Management | Preventive | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources Management | Preventive | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Communicate | Preventive | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 [Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities]. PM-23 Control] | Establish Roles | Preventive | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources Management | Preventive | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources Management | Preventive | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources Management | Preventive | |
Assign the role of data controller to applicable controls. CC ID 00354 | Establish Roles | Preventive | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources Management | Preventive | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Establish Roles | Preventive | |
Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Establish Roles | Preventive | |
Assign the role of logical access control to applicable controls. CC ID 00772 | Establish Roles | Preventive | |
Assign the role of asset physical security to applicable controls. CC ID 00770 | Establish Roles | Preventive | |
Assign the role of data custodian to applicable controls. CC ID 04789 | Establish Roles | Preventive | |
Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Establish Roles | Preventive | |
Assign interested personnel to the Quality Management committee. CC ID 07193 | Establish Roles | Preventive | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 | Establish/Maintain Documentation | Preventive | |
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Establish Roles | Preventive | |
Assign the role of fire protection management to applicable controls. CC ID 04891 | Establish Roles | Preventive | |
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Establish Roles | Preventive | |
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Establish Roles | Preventive | |
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Establish Roles | Preventive | |
Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources Management | Preventive | |
Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources Management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personnel security policy. CC ID 14025 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: PS-1a.1. {personnel security policy} Review and update the current personnel security: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and PS-1c.1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and PS-1a.1(b)] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the personnel security policy. CC ID 14154 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the personnel security policy. CC ID 14114 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include management commitment in the personnel security policy. CC ID 14113 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the personnel security policy. CC ID 14112 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the personnel security policy. CC ID 14111 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the purpose in the personnel security policy. CC ID 14110 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PS-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that: PS-1a.1.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain personnel security procedures. CC ID 14058 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; PS-1a.2. {personnel security procedures} Review and update the current personnel security: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. PS-1c.2.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; PS-1a.2.] | Communicate | Preventive | |
Establish, implement, and maintain security clearance level criteria. CC ID 00780 [Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. PS-3(1) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain staff position risk designations. CC ID 14280 [Review and update position risk designations [Assignment: organization-defined frequency]. PS-2c. Assign a risk designation to all organizational positions; PS-2a.] | Human Resources Management | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Testing | Detective | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 [Establish screening criteria for individuals filling those positions; and PS-2b. Require that the developer of [Assignment: organization-defined system, system component, or system service]: Satisfies the following additional personnel screening criteria: [Assignment: organization-defined additional personnel screening criteria]. SA-21b.] | Establish/Maintain Documentation | Preventive | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources Management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 [Screen individuals prior to authorizing access to the system; and PS-3a. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening]. PS-3b. Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection: Satisfy [Assignment: organization-defined additional personnel screening criteria]. PS-3(3) ¶ 1(b)] | Human Resources Management | Preventive | |
Identify and watch individuals that pose a risk to the organization. CC ID 10674 [Implement the following additional monitoring of individuals during [Assignment: organization-defined probationary period]: [Assignment: organization-defined additional monitoring]. SI-4(21) ¶ 1 Implement [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk. SI-4(19) ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 [Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; PS-5b. Align account management processes with personnel termination and transfer processes. AC-2l.] | Establish/Maintain Documentation | Preventive | |
Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Technical Security | Corrective | |
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [Upon termination of individual employment: Terminate or revoke any authenticators and credentials associated with the individual; PS-4b.] | Technical Security | Corrective | |
Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources Management | Preventive | |
Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 [Upon termination of individual employment: Disable system access within [Assignment: organization-defined time period]; PS-4a.] | Data and Information Management | Corrective | |
Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources Management | Preventive | |
Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 [Use [Assignment: organization-defined automated mechanisms] to [Selection (one or more): notify [Assignment: organization-defined personnel or roles] of individual termination actions; disable access to system resources]. PS-4(2) ¶ 1 Notify account managers and [Assignment: organization-defined personnel or roles] within: [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; AC-2h.3. Notify account managers and [Assignment: organization-defined personnel or roles] within: [Assignment: organization-defined time period] when accounts are no longer required; AC-2h.1. Notify account managers and [Assignment: organization-defined personnel or roles] within: [Assignment: organization-defined time period] when users are terminated or transferred; and AC-2h.2. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. PS-5d.] | Behavior | Preventive | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 [Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and PS-4(1)(a) Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and PS-6(3)(a)] | Communicate | Preventive | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources Management | Preventive | |
Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources Management | Corrective | |
Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Behavior | Preventive | |
Conduct exit interviews upon termination of employment. CC ID 14290 [Upon termination of individual employment: Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics]; PS-4c.] | Human Resources Management | Preventive | |
Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 [{post-employment requirements} Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information. PS-6(3)(b) Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process. PS-4(1)(b)] | Establish/Maintain Documentation | Preventive | |
Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources Management | Detective | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Establish Roles | Preventive | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [{security roles and responsibilities} Incorporate security and privacy roles and responsibilities into organizational position descriptions. PS-9 Control] | Establish Roles | Detective | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [Define system access authorizations to support separation of duties. AC-5b. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and AC-5a.] | Testing | Detective | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Technical Security | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 [Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system. PS-3(2) ¶ 1 Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). SR-11(1) ¶ 1 Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): AT-2a. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; AC-22b.] | Behavior | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 [{security awareness} Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; AT-2b.] | Business Processes | Preventive | |
Support certification programs as viable training programs. CC ID 13268 | Human Resources Management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Establish/Maintain Documentation | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Establish/Maintain Documentation | Preventive | |
Submit applications for professional certification. CC ID 16192 | Training | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 [{security training} {privacy training} Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): When required by system changes or following [Assignment: organization-defined events]; AT-2a.2.] | Behavior | Preventive | |
Tailor training to meet published guidance on the subject being taught. CC ID 02217 [Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. AT-3(2) ¶ 1 Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. AT-3(1) ¶ 1 Provide literacy training on the advanced persistent threat. AT-2(5) ¶ 1 Provide literacy training on the cyber threat environment; and AT-2(6)(a) Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To facilitate ongoing security and privacy education and training for organizational personnel; PM-15a.] | Behavior | Preventive | |
Tailor training to be taught at each person's level of responsibility. CC ID 06674 [{security training} Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: AT-3a. {security training} Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and AT-3a.1.] | Behavior | Preventive | |
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Behavior | Preventive | |
Document all training in a training record. CC ID 01423 [Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and AT-4a. {contingency training} Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency]. CP-8(4)(c)] | Establish/Maintain Documentation | Detective | |
Use automated mechanisms in the training environment, where appropriate. CC ID 06752 [Provide practical exercises in literacy training that simulate events and incidents. AT-2(1) ¶ 1 {security training} Provide practical exercises in security and privacy training that reinforce training objectives. AT-3(3) ¶ 1 Provide an incident response training environment using [Assignment: organization-defined automated mechanisms]. IR-2(2) ¶ 1] | Behavior | Preventive | |
Conduct tests and evaluate training. CC ID 06672 | Testing | Detective | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources Management | Preventive | |
Review the current published guidance and awareness and training programs. CC ID 01245 [Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and AT-4a. Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CP-3b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. IR-2b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and AT-3b.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 [{security training} {security monitoring} Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and PM-14a.1. Incorporate lessons learned from internal or external security or privacy incidents into role-based training. AT-3c. Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and AT-2c. {information security workforce development and improvement program} Establish a security and privacy workforce development and improvement program. PM-13 Control {testing plan} {training plan} Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. PM-14b. Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CP-3b.] | Establish/Maintain Documentation | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Training | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Training | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Training | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Training | Detective | |
Develop or acquire content to update the training plans. CC ID 12867 | Training | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Training | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Establish/Maintain Documentation | Preventive | |
Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources Management | Preventive | |
Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Training | Preventive | |
Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources Management | Preventive | |
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Training | Preventive | |
Include risk management in the training plan, as necessary. CC ID 13040 | Training | Preventive | |
Conduct Archives and Records Management training. CC ID 00975 | Behavior | Preventive | |
Conduct personal data processing training. CC ID 13757 [{security awareness} Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; AT-2b. Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls. AT-3(5) ¶ 1] | Training | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
Include the cloud service usage standard in the training plan. CC ID 13039 | Training | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: AT-1a.1. [Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and AT-1a.1(b)] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 [[Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 [[Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; AT-1a.2. {Security awareness and training procedures} Review and update the current awareness and training: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. AT-1c.2.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; AT-1a.2.] | Communicate | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 [[Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 [[Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 [[Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 [[Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include safeguards for information systems in the security awareness program. CC ID 13046 | Establish/Maintain Documentation | Preventive | |
Include security policies and security standards in the security awareness program. CC ID 13045 | Establish/Maintain Documentation | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
Include mobile device security guidelines in the security awareness program. CC ID 11803 | Establish/Maintain Documentation | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Establish/Maintain Documentation | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [{security training}{privacy training} Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and AT-2a.1.] | Establish/Maintain Documentation | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources Management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that: AT-1a.1.] | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Provide literacy training on recognizing and reporting potential indicators of insider threat. AT-2(2) ¶ 1 Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [Assignment: organization-defined indicators of malicious code]. AT-2(4) ¶ 1 Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining. AT-2(3) ¶ 1 Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and IR-6a.] | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Establish/Maintain Documentation | Preventive | |
Monitor and measure the effectiveness of security awareness. CC ID 06262 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Establish/Maintain Documentation | Preventive | |
Conduct secure coding and development training for developers. CC ID 06822 | Behavior | Corrective | |
Conduct tampering prevention training. CC ID 11875 | Training | Preventive | |
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Training | Preventive | |
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Training | Preventive | |
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Training | Preventive | |
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Training | Preventive | |
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Training | Preventive | |
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Training | Preventive | |
Conduct crime prevention training. CC ID 06350 | Behavior | Preventive | |
Analyze and evaluate training records to improve the training program. CC ID 06380 [Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel]. AT-6 Control] | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain an occupational health and safety management system. CC ID 16201 | Business Processes | Preventive | |
Establish, implement, and maintain an occupational health and safety policy. CC ID 00716 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a travel program for all personnel. CC ID 10597 | Human Resources Management | Preventive | |
Issue devices with secure configurations to individuals traveling to locations deemed to be of risk. CC ID 10598 [Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and CM-2(7)(a)] | Configuration | Preventive | |
Scan devices for malicious code when an individual returns from locations deemed to be of risk. CC ID 10599 [Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls]. CM-2(7)(b)] | Process or Activity | Detective | |
Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Establish/Maintain Documentation | Preventive | |
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [{information security program} {privacy program} Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and PS-8a. When a system or organization processes information for the purpose of conducting a matching program: Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and PT-8d.] | Behavior | Corrective | |
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 [Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. PS-8b.] | Communicate | Preventive | |
Establish, implement, and maintain an insider threat program. CC ID 10687 [Implement an insider threat program that includes a cross-discipline insider threat incident handling team. PM-12 Control] | Human Resources Management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
Establish, implement, and maintain communication protocols. CC ID 12245 [Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. RA-5(11) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 | Establish/Maintain Documentation | Preventive | |
Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Process or Activity | Detective | |
Include external requirements in the organization's communication protocol. CC ID 12418 | Establish/Maintain Documentation | Preventive | |
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Communicate | Preventive | |
Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Communicate | Preventive | |
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Process or Activity | Preventive | |
Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Communicate | Preventive | |
Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Communicate | Preventive | |
Route notifications, as necessary. CC ID 12832 | Process or Activity | Preventive | |
Substantiate notifications, as necessary. CC ID 12831 | Process or Activity | Preventive | |
Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Business Processes | Preventive | |
Prioritize notifications, as necessary. CC ID 12830 | Process or Activity | Preventive | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 | Actionable Reports or Measurements | Preventive | |
Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Communicate | Preventive | |
Establish and maintain the organization's survey method. CC ID 12869 | Process or Activity | Preventive | |
Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Process or Activity | Preventive | |
Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 [Generate internal security alerts, advisories, and directives as deemed necessary; SI-5b. Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms]. SI-5(1) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
Analyze the business environment in which the organization operates. CC ID 12798 [Determine the current cyber threat environment on an ongoing basis using [Assignment: organization-defined means]. RA-3(3) ¶ 1] | Business Processes | Preventive | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Process or Activity | Preventive | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Process or Activity | Preventive | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Process or Activity | Preventive | |
Include resources in the analysis of the internal business environment. CC ID 12942 | Process or Activity | Preventive | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Process or Activity | Preventive | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Process or Activity | Preventive | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Process or Activity | Preventive | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Process or Activity | Preventive | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Process or Activity | Preventive | |
Align assets with business functions and the business environment. CC ID 13681 | Business Processes | Preventive | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Communicate | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 [Review and revise the mission and business processes [Assignment: organization-defined frequency]. PM-11c.] | Establish/Maintain Documentation | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Establish/Maintain Documentation | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Establish/Maintain Documentation | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Establish/Maintain Documentation | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Establish/Maintain Documentation | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Establish/Maintain Documentation | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Communicate | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [{security plan} Document the selected and implemented supply chain processes and controls in [Selection: security and privacy plans; supply chain risk management plan; [Assignment: organization-defined document]]. SR-3c.] | Establish/Maintain Documentation | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Business Processes | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Process or Activity | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Process or Activity | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Business Processes | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Establish/Maintain Documentation | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 [Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy. CM-12(1) ¶ 1] | Data and Information Management | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 [Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels. RA-2(1) ¶ 1] | Data and Information Management | Preventive | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 [Attach data tags containing [Assignment: organization-defined permissible processing] to [Assignment: organization-defined elements of personally identifiable information]. PT-2(1) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Take into account the characteristics of the geographical, behavioural and functional setting for all datasets. CC ID 15046 | Data and Information Management | Preventive | |
Approve the data classification scheme. CC ID 13858 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 [Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation. PM-7 Control] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Establish/Maintain Documentation | Preventive | |
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 [Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. PM-8 Control] | Behavior | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Monitor and Evaluate Occurrences | Detective | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 [Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; SI-5a.] | Technical Security | Detective | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 [Reflect current cyber threat information in system operations. AT-2(6)(b) Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and SI-5c.] | Communicate | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Communicate | Corrective | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process. SA-15(6) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Communicate | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Communicate | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Establish/Maintain Documentation | Preventive | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [Ensure that the facility undergoes [Assignment: organization-defined frequency] fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within [Assignment: organization-defined time period]. PE-13(4) ¶ 1 Identify, report, and correct system flaws; SI-2a.] | Business Processes | Corrective | |
Include records management in the quality management system. CC ID 15055 | Establish/Maintain Documentation | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Establish/Maintain Documentation | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Establish/Maintain Documentation | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Establish/Maintain Documentation | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Establish/Maintain Documentation | Preventive | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Systems Design, Build, and Implementation | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Establish/Maintain Documentation | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Establish/Maintain Documentation | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Establish/Maintain Documentation | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Establish/Maintain Documentation | Preventive | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Business Processes | Detective | |
Include program testing standards in the Quality Management program. CC ID 01017 | Establish/Maintain Documentation | Preventive | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Business Processes | Detective | |
Include system testing standards in the Quality Management program. CC ID 01018 | Establish/Maintain Documentation | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 [The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. SA-10e. The organization requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and SA-11d.] | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [{security plans} Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. PL-8c. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and SA-9b. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. SI-5d.] | Establish/Maintain Documentation | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Establish/Maintain Documentation | Preventive | |
Include the effective date on all organizational policies. CC ID 06820 [Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes. PM-20(1) ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 | Establish/Maintain Documentation | Detective | |
Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Establish/Maintain Documentation | Preventive | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Business Processes | Preventive | |
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Establish/Maintain Documentation | Preventive | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Establish/Maintain Documentation | Detective | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [{applicable requirements} Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and PM-17a.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Communicate | Preventive | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Establish/Maintain Documentation | Preventive | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Establish/Maintain Documentation | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Establish/Maintain Documentation | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Establish/Maintain Documentation | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Establish/Maintain Documentation | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Establish/Maintain Documentation | Detective | |
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Establish Roles | Preventive | |
Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
Align the Authority Document list with external requirements. CC ID 06288 | Establish/Maintain Documentation | Preventive | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 [Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and PT-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and SR-1b. {planning procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the planning policy and procedures; and PL-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and PS-1b. {physical and environmental protection procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and PE-1b. {risk assessment procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and RA-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and AC-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and AT-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and AU-1b. {Configuration Management procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and CM-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and CA-1b. {contingency planning procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and CP-1b. {identification and authentication procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and IA-1b. {incident response procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and IR-1b. {maintenance procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the maintenance policy and procedures; and MA-1b. {system and communications protection procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and SC-1b. {media protection procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the media protection policy and procedures; and MP-1b. {system and information integrity procedures} Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and SI-1b.] | Establish Roles | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Establish/Maintain Documentation | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Establish/Maintain Documentation | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 [{information security program} Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; PM-3a. For systems that process personally identifiable information: Document each processing exception; and SC-7(24) ¶ 1(c)] | Establish/Maintain Documentation | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 [Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; SC-7(4)(d)] | Establish/Maintain Documentation | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; SC-7(4)(e)] | Business Processes | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Establish Roles | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Behavior | Preventive | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 [{security plans} {privacy plans} Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles]; PL-2b.] | Behavior | Preventive | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Establish Roles | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Establish Roles | Detective | |
Address Information Security during the business planning processes. CC ID 06495 [Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and PM-11a.] | Data and Information Management | Preventive | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a planning policy. CC ID 14673 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: PL-1a.1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and PL-1a.1(b) {planning policy} Review and update the current planning: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and PL-1c.1.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain planning procedures. CC ID 14698 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the planning policy and the associated planning controls; PL-1a.2. {planning procedures} Review and update the current planning: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. PL-1c.2.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the planning policy and the associated planning controls; PL-1a.2.] | Communicate | Preventive | |
Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: PL-1a.1.] | Communicate | Preventive | |
Include compliance requirements in the planning policy. CC ID 14688 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the planning policy. CC ID 14687 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include management commitment in the planning policy. CC ID 14686 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the planning policy. CC ID 14685 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the planning policy. CC ID 14684 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the purpose in the planning policy. CC ID 14683 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and PL-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 [{information security program} Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; PM-3a. {information security program}{applicable requirements} Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and PM-3b.] | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Monitor the usage and capacity of critical assets. CC ID 14825 | Monitor and Evaluate Occurrences | Detective | |
Monitor the usage and capacity of Information Technology assets. CC ID 00668 | Monitor and Evaluate Occurrences | Detective | |
Monitor all outbound traffic from all systems. CC ID 12970 [Analyze outbound communications traffic at the external interfaces to the system and selected [Assignment: organization-defined interior points within the system] to discover anomalies. SI-4(11) ¶ 1] | Monitor and Evaluate Occurrences | Preventive | |
Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 [Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. AU-5(1) ¶ 1] | Behavior | Detective | |
Monitor systems for errors and faults. CC ID 04544 [Identify, report, and correct system flaws; SI-2a. Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]; and SC-36(1)(a)] | Monitor and Evaluate Occurrences | Detective | |
Report errors and faults to the appropriate personnel, as necessary. CC ID 14296 [Identify, report, and correct system flaws; SI-2a.] | Communicate | Corrective | |
Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 [Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data. CA-7(3) ¶ 1 Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]. SI-2(3)(b)] | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506 [Provide and implement an audit record reduction and report generation capability that: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and AU-7a. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; PM-31b. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Response actions to address results of the analysis of control assessment and monitoring information; and PM-31e.] | Establish/Maintain Documentation | Preventive | |
Include detecting and reporting the failure of a change detection mechanism in the Security Control System monitoring and reporting procedures. CC ID 12525 | Establish/Maintain Documentation | Preventive | |
Include detecting and reporting the failure of audit logging in the Security Control System monitoring and reporting procedures. CC ID 12513 | Establish/Maintain Documentation | Preventive | |
Include detecting and reporting the failure of an anti-malware solution in the Security Control System monitoring and reporting procedures. CC ID 12512 | Establish/Maintain Documentation | Preventive | |
Include detecting and reporting the failure of a segmentation control in the Security Control System monitoring and reporting procedures. CC ID 12511 | Establish/Maintain Documentation | Preventive | |
Include detecting and reporting the failure of a physical access control in the Security Control System monitoring and reporting procedures. CC ID 12510 | Establish/Maintain Documentation | Preventive | |
Include detecting and reporting the failure of a logical access control in the Security Control System monitoring and reporting procedures. CC ID 12509 | Establish/Maintain Documentation | Preventive | |
Include detecting and reporting the failure of an Intrusion Detection and Prevention System in the Security Control System monitoring and reporting procedures. CC ID 12508 | Establish/Maintain Documentation | Preventive | |
Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 | Establish/Maintain Documentation | Preventive | |
Include detecting and reporting the failure of a firewall in the Security Control System monitoring and reporting procedures. CC ID 12507 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Responding to Failures in Security Controls procedures. CC ID 12514 [Take the following actions in response to identified faults, errors, or compromises: [Assignment: organization-defined actions]. SC-36(1)(b) {security policy} [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy]. AC-4(8)(b)] | Establish/Maintain Documentation | Preventive | |
Include resuming security system monitoring and logging operations in the Responding to Failures in Security Controls procedure. CC ID 12521 | Establish/Maintain Documentation | Preventive | |
Include implementing mitigating controls to prevent the root cause of the failure of a security control in the Responding to Failures in Security Controls procedure. CC ID 12520 | Establish/Maintain Documentation | Preventive | |
Include performing a risk assessment to determine whether further actions are required because of the failure of a security control in the Responding to Failures in Security Controls procedure. CC ID 12519 | Establish/Maintain Documentation | Preventive | |
Include identification of the root cause of the failure of a security control in the Responding to Failures in Security Controls procedure. CC ID 15481 | Establish/Maintain Documentation | Preventive | |
Include correcting security issues caused by the failure of a security control in the Responding to Failures in Security Controls procedure. CC ID 12518 | Establish/Maintain Documentation | Preventive | |
Include documenting the duration of the failure of a security control in the Responding to Failures in Security Controls procedure. CC ID 12517 | Establish/Maintain Documentation | Preventive | |
Include restoring security functions in the Responding to Failures in Security Controls procedure. CC ID 12515 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 [{security training}{security monitoring} Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and PM-14a.1. Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and AU-14a. Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; CA-7b. {testing plan}{training plan} Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. PM-14b. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: PM-31 Control Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. AU-14b.] | Log Management | Detective | |
Establish, implement, and maintain an audit and accountability policy. CC ID 14035 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: AU-1a.1. {audit and accountability policy} Review and update the current audit and accountability: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and AT-1c.1. {audit and accountability policy} Review and update the current audit and accountability: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and AU-1c.1. [Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and AU-1a.1(b)] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the audit and accountability policy. CC ID 14103 [[Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the audit and accountability policy. CC ID 14102 [[Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the purpose in the audit and accountability policy. CC ID 14100 [[Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the audit and accountability policy. CC ID 14098 [[Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include management commitment in the audit and accountability policy. CC ID 14097 [[Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the audit and accountability policy. CC ID 14096 [[Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that: AU-1a.1.] | Communicate | Preventive | |
Establish, implement, and maintain audit and accountability procedures. CC ID 14057 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; AU-1a.2. {audit and accountability procedure} Review and update the current audit and accountability: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. AU-1c.2.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; AU-1a.2.] | Communicate | Preventive | |
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. AU-12(3) ¶ 1] | Log Management | Preventive | |
Review and approve the use of continuous security management systems. CC ID 13181 | Process or Activity | Preventive | |
Protect continuous security management systems from unauthorized use. CC ID 13097 | Configuration | Preventive | |
Monitor and evaluate system telemetry data. CC ID 14929 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 [Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources]. SI-4(24) ¶ 1] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 | Establish/Maintain Documentation | Preventive | |
Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms]. PE-6(2) ¶ 1 Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and SC-5(3)(a) Employ automated tools and mechanisms to support near real-time analysis of events. SI-4(2) ¶ 1 Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms. SI-4(3) ¶ 1 Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms]. SI-4(23) ¶ 1 Invoke internal monitoring capabilities or deploy monitoring devices: SI-4c. Connect and configure individual intrusion detection tools into a system-wide intrusion detection system. SI-4(1) ¶ 1 Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices. SI-4(25) ¶ 1] | Configuration | Preventive | |
Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 [Obtain legal opinion regarding system monitoring activities; and SI-4f.] | Behavior | Preventive | |
Do not intercept communications of any kind when providing a service to clients. CC ID 09985 | Behavior | Preventive | |
Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 [{security posture} Employ realistic, but misleading information in [Assignment: organization-defined system components] about its security state or posture. SC-30(4) ¶ 1 Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks. SC-26 Control] | Technical Security | Detective | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]. PE-6(4) ¶ 1 Establish and maintain a cyber threat hunting capability to: RA-10a. Authorize, monitor, and control the use of such components within the system. SC-43b. Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]; and SI-3(8)(a) Monitor the system to detect: SI-4a. {inbound communications traffic} Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; SI-4(4)(a) {inbound communications traffic} Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]. SI-4(4)(b)] | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for blended attacks and multiple component incidents. CC ID 01225 [Establish and maintain a cyber threat hunting capability to: Search for indicators of compromise in organizational systems; and RA-10a.1. Monitor the system to detect: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and SI-4a.1.] | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for Denial of Service attacks. CC ID 01222 [Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks]. SC-5(1) ¶ 1 Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]. SC-5b. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and SC-5a.] | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for unauthorized data transfers. CC ID 12971 | Monitor and Evaluate Occurrences | Preventive | |
Address operational anomalies within the incident management system. CC ID 11633 | Audits and Risk Management | Preventive | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitor and Evaluate Occurrences | Detective | |
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Human Resources Management | Detective | |
Detect unauthorized access to systems. CC ID 06798 [Monitor the system to detect: Unauthorized local, network, and remote connections; SI-4a.2. Monitor the system to detect: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and SI-4a.1. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; SI-4b. Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system. SI-4(14) ¶ 1 Provide an enforcement mechanism to prevent unauthorized access; and AC-3(12)(b)] | Monitor and Evaluate Occurrences | Detective | |
Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitor and Evaluate Occurrences | Detective | |
Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Audits and Risk Management | Preventive | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 [{security implications} Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts]. SI-4(12) ¶ 1 Notify [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events; and SI-4(7)(a) Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. SI-4g. Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. SI-4(5) ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for unauthorized mobile code. CC ID 10034 [Prevent the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforce [Assignment: organization-defined actions] prior to executing the code. SC-18(4) ¶ 1 Authorize, monitor, and control the use of mobile code within the system. SC-18b. Identify [Assignment: organization-defined unacceptable mobile code] and take [Assignment: organization-defined corrective actions]. SC-18(1) ¶ 1] | Monitor and Evaluate Occurrences | Preventive | |
Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 | Technical Security | Preventive | |
Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 [Include system components that proactively seek to identify network-based malicious code or malicious websites. SC-35 Control] | Technical Security | Preventive | |
Implement detonation chambers, where appropriate. CC ID 10670 [Employ a detonation chamber capability within [Assignment: organization-defined system, system component, or location]. SC-44 Control] | Technical Security | Preventive | |
Define and assign log management roles and responsibilities. CC ID 06311 [Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information. AU-6(7) ¶ 1] | Establish Roles | Preventive | |
Document and communicate the log locations to the owning entity. CC ID 12047 | Log Management | Preventive | |
Make logs available for review by the owning entity. CC ID 12046 | Log Management | Preventive | |
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 [Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; AU-2b. Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information. AU-12(4) ¶ 1 Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time. AU-14(3) ¶ 1 Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. AU-14b.] | Log Management | Detective | |
Establish, implement, and maintain an event logging policy. CC ID 15217 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain event logging procedures. CC ID 01335 [Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. AU-3(1) ¶ 1] | Log Management | Detective | |
Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Data and Information Management | Preventive | |
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [{employs} Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. AU-6(1) ¶ 1 Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and AU-2d. Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. AU-6(5) ¶ 1 Provide and implement an audit record reduction and report generation capability that: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and AU-7a. {audit record analysis} {audit record reporting} Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. AU-6c. Correlate information from monitoring tools and mechanisms employed throughout the system. SI-4(16) ¶ 1 {traffic patterns} Develop profiles representing common traffic and event patterns; and SI-4(13)(b)] | Log Management | Preventive | |
Protect the event logs from failure. CC ID 06290 [Take the following additional actions: [Assignment: organization-defined additional action]. AU-5b. Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality]. AU-5(5) ¶ 1] | Log Management | Preventive | |
Overwrite the oldest records when audit logging fails. CC ID 14308 | Data and Information Management | Preventive | |
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 [Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. AU-7(1) ¶ 1 Provide and implement an audit record reduction and report generation capability that: Does not alter the original content or time ordering of audit records. AU-7b. Provide and implement an audit record reduction and report generation capability that: AU-7 Control Provide and implement an audit record reduction and report generation capability that: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and AU-7a.] | Testing | Preventive | |
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Establish/Maintain Documentation | Corrective | |
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 [Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. AU-6(4) ¶ 1 Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. AU-6(3) ¶ 1 Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness. AU-6(9) ¶ 1 Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. AU-12(1) ¶ 1 Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. AU-6(6) ¶ 1 Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. AU-12(2) ¶ 1 {physical activity} {information technology activity} Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. SI-4(17) ¶ 1] | Audits and Risk Management | Preventive | |
Review and update event logs and audit logs, as necessary. CC ID 00596 [Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period]. RA-5(8) ¶ 1 Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; AU-6a. Provide and implement an audit record reduction and report generation capability that: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and AU-7a. Analyze communications traffic and event patterns for the system; SI-4(13)(a) Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system]. SI-4(18) ¶ 1] | Log Management | Detective | |
Eliminate false positives in event logs and audit logs. CC ID 07047 [Use the traffic and event profiles in tuning system-monitoring devices. SI-4(13)(c)] | Log Management | Corrective | |
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 [Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; CA-2d.] | Log Management | Detective | |
Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Technical Security | Detective | |
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 [Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; AU-6a.] | Investigate | Corrective | |
Reproduce the event log if a log failure is captured. CC ID 01426 | Log Management | Preventive | |
Document the event information to be logged in the event information log specification. CC ID 00639 [{type of event} Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; AU-2a. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; AU-2c. Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements]. AU-3(3) ¶ 1] | Configuration | Preventive | |
Enable logging for all systems that meet the traceability criteria. CC ID 00640 [Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]. SI-7(8) ¶ 1] | Log Management | Detective | |
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 | Configuration | Preventive | |
Enable and configure logging on all network access controls. CC ID 01963 | Configuration | Preventive | |
Analyze firewall logs for the correct capturing of data. CC ID 00549 | Log Management | Detective | |
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [Use internal system clocks to generate time stamps for audit records; and AU-8a. Compare the internal system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and SC-45(1)(a) Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable. SC-45(2)(b) Synchronize the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. SC-45(1)(b) Synchronize system clocks within and between systems and system components. SC-45 Control Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and SC-45(2)(a)] | Configuration | Preventive | |
Centralize network time servers to as few as practical. CC ID 06308 | Configuration | Preventive | |
Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Communicate | Preventive | |
Define the frequency to capture and log events. CC ID 06313 | Log Management | Preventive | |
Include logging frequencies in the event logging procedures. CC ID 00642 | Log Management | Preventive | |
Review and update the list of auditable events in the event logging procedures. CC ID 10097 [Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and AU-12b. Review and update the event types selected for logging [Assignment: organization-defined frequency]. AU-2e.] | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate system performance. CC ID 00651 [{performance testing} Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment [Assignment: organization-defined other forms of assessment]]. CA-2(2) ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 | Communicate | Preventive | |
Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 | Communicate | Preventive | |
Monitor for and react to when suspicious activities are detected. CC ID 00586 | Monitor and Evaluate Occurrences | Detective | |
Erase payment applications when suspicious activity is confirmed. CC ID 12193 | Technical Security | Corrective | |
Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 | Establish/Maintain Documentation | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 | Monitor and Evaluate Occurrences | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 | Monitor and Evaluate Occurrences | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 | Monitor and Evaluate Occurrences | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 | Monitor and Evaluate Occurrences | Corrective | |
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 | Monitor and Evaluate Occurrences | Corrective | |
Establish, implement, and maintain network monitoring operations. CC ID 16444 | Monitor and Evaluate Occurrences | Preventive | |
Monitor and evaluate the effectiveness of detection tools. CC ID 13505 | Investigate | Detective | |
Monitor and review retail payment activities, as necessary. CC ID 13541 | Monitor and Evaluate Occurrences | Detective | |
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 | Investigate | Detective | |
Review retail payment service reports, as necessary. CC ID 13545 | Investigate | Detective | |
Assess customer satisfaction. CC ID 00652 | Testing | Detective | |
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: PM-31 Control] | Establish/Maintain Documentation | Detective | |
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 [Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Correlation and analysis of information generated by control assessments and monitoring; CA-7e. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Correlation and analysis of information generated by control assessments and monitoring; PM-31d.] | Process or Activity | Detective | |
Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitor and Evaluate Occurrences | Detective | |
Monitor for and report when a software configuration is updated. CC ID 06746 | Monitor and Evaluate Occurrences | Detective | |
Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 [Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses]. CM-3(5) ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Monitor for firmware updates absent authorization. CC ID 10675 | Monitor and Evaluate Occurrences | Detective | |
Implement file integrity monitoring. CC ID 01205 [Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components. SA-10(1) ¶ 1 Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and SI-7a. Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. SI-7(1) ¶ 1 Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system]. SI-7(7) ¶ 1 Analyze detected events and anomalies; SI-4d. Employ centrally managed integrity verification tools. SI-7(3) ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Technical Security | Detective | |
Monitor for software configurations updates absent authorization. CC ID 10676 | Monitor and Evaluate Occurrences | Preventive | |
Allow expected changes during file integrity monitoring. CC ID 12090 | Technical Security | Preventive | |
Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitor and Evaluate Occurrences | Preventive | |
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Establish/Maintain Documentation | Preventive | |
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 [{when unauthorized commands are detected} [Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]. SI-3(8)(b) Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. AU-9b.] | Process or Activity | Preventive | |
Monitor and evaluate user account activity. CC ID 07066 [Monitor system accounts for [Assignment: organization-defined atypical usage]; and AC-2(12)(a)] | Monitor and Evaluate Occurrences | Detective | |
Develop and maintain a usage profile for each user account. CC ID 07067 | Technical Security | Preventive | |
Log account usage to determine dormant accounts. CC ID 12118 | Log Management | Detective | |
Log account usage times. CC ID 07099 | Log Management | Detective | |
Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitor and Evaluate Occurrences | Detective | |
Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitor and Evaluate Occurrences | Detective | |
Log account usage durations. CC ID 12117 | Monitor and Evaluate Occurrences | Detective | |
Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Communicate | Detective | |
Log Internet Protocol addresses used during logon. CC ID 07100 | Log Management | Detective | |
Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitor and Evaluate Occurrences | Detective | |
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 [Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles]. AC-2(12)(b)] | Communicate | Detective | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: CA-7 Control Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: CA-7(4) ¶ 1 Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: Effectiveness monitoring; CA-7(4) ¶ 1(a) {performance testing} Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment [Assignment: organization-defined other forms of assessment]]. CA-2(2) ¶ 1 Identify and document: Constraints affecting risk assessments, risk responses, and risk monitoring; PM-28a.2. Identify and document: Assumptions affecting risk assessments, risk responses, and risk monitoring; PM-28a.1.] | Establish/Maintain Documentation | Preventive | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 [Establish and maintain a cyber threat hunting capability to: Detect, track, and disrupt threats that evade existing controls; and RA-10a.2. Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. PM-16 Control] | Monitor and Evaluate Occurrences | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitor and Evaluate Occurrences | Detective | |
Implement a fraud detection system. CC ID 13081 | Business Processes | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
Monitor for new vulnerabilities. CC ID 06843 [Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; RA-5a.] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Testing | Preventive | |
Test compliance controls for proper functionality. CC ID 00660 [Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and MA-2e. {security verification test} Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; SI-6b. {security functions} Verify the correct operation of [Assignment: organization-defined security and privacy functions]; SI-6a.] | Testing | Detective | |
Establish, implement, and maintain a system security plan. CC ID 01922 [{security plans} {privacy plans} Review the plans [Assignment: organization-defined frequency]; PL-2c. {security plans} Develop security and privacy plans for the system that: PL-2a. {security plans} {privacy plans} Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and PL-2d. {performance testing} Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment [Assignment: organization-defined other forms of assessment]]. CA-2(2) ¶ 1] | Testing | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 [{security plans} Develop security and privacy plans for the system that: Describe the operational context of the system in terms of mission and business processes; PL-2a.3.] | Establish/Maintain Documentation | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 [Document the security categorization results, including supporting rationale, in the security plan for the system; and RA-2b.] | Establish/Maintain Documentation | Preventive | |
Include the information types in the system security plan. CC ID 14696 [{security plans} Develop security and privacy plans for the system that: Identify the information types processed, stored, and transmitted by the system; PL-2a.5] | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 [{security plans} {security requirements} Develop security and privacy plans for the system that: Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; PL-2a.12. {security plans} {security requirements} Develop security and privacy plans for the system that: Provide an overview of the security and privacy requirements for the system; PL-2a.10. {security plans} {security-related activities} Develop security and privacy plans for the system that: Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and PL-2a.14.] | Establish/Maintain Documentation | Preventive | |
Include threats in the system security plan. CC ID 14693 [{security plans} Develop security and privacy plans for the system that: Describe any specific threats to the system that are of concern to the organization; PL-2a.7.] | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 [{security plans} Develop security and privacy plans for the system that: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; PL-2a.9. {security plans} Develop security and privacy plans for the system that: Explicitly define the constituent system components; PL-2a.2.] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 [{security plans} Develop security and privacy plans for the system that: Identify the individuals that fulfill system roles and responsibilities; PL-2a.4.] | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 [{security plans} Develop security and privacy plans for the system that: Provide the results of a privacy risk assessment for systems processing personally identifiable information; PL-2a.8. {security assessment} Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Develop and implement a plan for ongoing security and privacy assessments; SA-11a.] | Establish/Maintain Documentation | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 [{security plans} {privacy plans} Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles]; PL-2b.] | Communicate | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 [{security plans} Develop security and privacy plans for the system that: Describe the operational environment for the system and any dependencies on or connections to other systems or system components; PL-2a.9.] | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 [{security plans} Develop security and privacy plans for the system that: Provide the security categorization of the system, including supporting rationale; PL-2a.6.] | Establish/Maintain Documentation | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the system security plan. CC ID 14255 [{security plans} Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. PL-8c. {security plans} Develop security and privacy plans for the system that: Are consistent with the organization's enterprise architecture; PL-2a.1. {security plans} {security architecture} Develop security and privacy plans for the system that: Include risk determinations for security and privacy architecture and design decisions; PL-2a.13.] | Process or Activity | Preventive | |
Include security controls in the system security plan. CC ID 14239 [{security plans} Develop security and privacy plans for the system that: Identify any relevant control baselines or overlays, if applicable; PL-2a.11.] | Establish/Maintain Documentation | Preventive | |
Create specific test plans to test each system component. CC ID 00661 [Develop a control assessment plan that describes the scope of the assessment including: CA-2b. Develop a control assessment plan that describes the scope of the assessment including: Controls and control enhancements under assessment; CA-2b.1. Test malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing known benign code into the system; and SI-3(6)(a)] | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 [Develop a control assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2b.3.] | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 [Select the appropriate assessor or assessment team for the type of assessment to be conducted; CA-2a. Employ independent assessors or assessment teams to conduct control assessments. CA-2(1) ¶ 1 Develop a control assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2b.3.] | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 [Develop a control assessment plan that describes the scope of the assessment including: CA-2b.] | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 [Develop a control assessment plan that describes the scope of the assessment including: Assessment environment, assessment team, and assessment roles and responsibilities; CA-2b.3.] | Establish/Maintain Documentation | Preventive | |
Approve the system security plan. CC ID 14241 [{security plans} Develop security and privacy plans for the system that: Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. PL-2a.15.] | Business Processes | Preventive | |
Adhere to the system security plan. CC ID 11640 | Testing | Detective | |
Review the test plans for each system component. CC ID 00662 [Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; CA-2c.] | Establish/Maintain Documentation | Preventive | |
Validate all testing assumptions in the test plans. CC ID 00663 | Testing | Detective | |
Document validated testing processes in the testing procedures. CC ID 06200 | Establish/Maintain Documentation | Preventive | |
Require testing procedures to be complete. CC ID 00664 | Testing | Detective | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Establish/Maintain Documentation | Preventive | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Testing | Preventive | |
Implement automated audit tools. CC ID 04882 | Acquisition/Sale of Assets or Services | Preventive | |
Assign senior management to approve test plans. CC ID 13071 | Human Resources Management | Preventive | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Testing | Detective | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 [{security compliance checks} Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection. CA-9(1) ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain a testing program. CC ID 00654 [{security training} {security monitoring} Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems: Are developed and maintained; and PM-14a.1. Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Ongoing control assessments in accordance with the continuous monitoring strategy; CA-7c. {performance testing} Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment [Assignment: organization-defined other forms of assessment]]. CA-2(2) ¶ 1 {testing plan} {training plan} Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. PM-14b. {security function} Implement automated mechanisms to support the management of distributed security and privacy function testing. SI-6(2) ¶ 1 Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle]. RA-9 Control] | Behavior | Preventive | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 [{assessment, authorization, and monitoring policy} Review and update the current assessment, authorization, and monitoring: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and CA-1c.1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: CA-1a.1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and CA-1a.1(b)] | Establish/Maintain Documentation | Preventive | |
Conduct Red Team exercises, as necessary. CC ID 12131 [Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises]. CA-8(2) ¶ 1] | Technical Security | Detective | |
Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 [[Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the security assessment and authorization policy. CC ID 14220 [[Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 [[Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: CA-1a.1.] | Communicate | Preventive | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 [[Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 [[Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 [[Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CA-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; CA-1a.2. {assessment, authorization, and monitoring procedures} Review and update the current assessment, authorization, and monitoring: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CA-1c.2. {security authorization} Integrate the authorization processes into an organization-wide risk management program. PM-10c.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; CA-1a.2.] | Communicate | Preventive | |
Test security systems and associated security procedures, as necessary. CC ID 11901 [Test intrusion-monitoring tools and mechanisms [Assignment: organization-defined frequency]. SI-4(9) ¶ 1 {malicious code} Verify that the detection of the code and the associated incident reporting occur. SI-3(6)(b)] | Technical Security | Detective | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Human Resources Management | Preventive | |
Define the test requirements for each testing program. CC ID 13177 | Establish/Maintain Documentation | Preventive | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Testing | Detective | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Testing | Preventive | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Testing | Preventive | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Testing | Preventive | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Testing | Preventive | |
Identify risk management measures when testing in scope systems. CC ID 14960 | Process or Activity | Detective | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Establish/Maintain Documentation | Preventive | |
Scan organizational networks for rogue devices. CC ID 00536 [{unauthorized software}{unauthorized firmware} Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and CM-8(3)(a) {not approved} Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and SI-4(22)(a) {unauthorized network access} [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected. SI-4(22)(b)] | Testing | Detective | |
Scan the network for wireless access points. CC ID 00370 | Testing | Detective | |
Document the business need justification for authorized wireless access points. CC ID 12044 | Establish/Maintain Documentation | Preventive | |
Scan wireless networks for rogue devices. CC ID 11623 [Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters. SC-40(3) ¶ 1] | Technical Security | Detective | |
Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Testing | Detective | |
Implement incident response procedures when rogue devices are discovered. CC ID 11880 [Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; IR-4a.] | Technical Security | Corrective | |
Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 [Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]]. CM-8(3)(b) {unauthorized network access} [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected. SI-4(22)(b)] | Monitor and Evaluate Occurrences | Corrective | |
Deny network access to rogue devices until network access approval has been received. CC ID 11852 [Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated. CA-3(7)(b) Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters. SC-40(3) ¶ 1 Prohibit the use or connection of unauthorized hardware components; CM-7(9)(b)] | Configuration | Preventive | |
Isolate rogue devices after a rogue device has been detected. CC ID 07061 [Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]]. CM-8(3)(b)] | Configuration | Corrective | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Establish/Maintain Documentation | Preventive | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Communicate | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Communicate | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Communicate | Preventive | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Establish/Maintain Documentation | Preventive | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Testing | Preventive | |
Perform conformity assessments, as necessary. CC ID 15095 | Testing | Detective | |
Define the test frequency for each testing program. CC ID 13176 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Technical Security | Detective | |
Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Behavior | Preventive | |
Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 | Communicate | Preventive | |
Align the penetration test program with industry standards. CC ID 12469 [Require the developer of the system, system component, or system service to perform penetration testing: Under the following constraints: [Assignment: organization-defined constraints]. SA-11(5) ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 [{penetration agent} {penetration team} Employ an independent penetration testing agent or team to perform penetration testing on the system or system components. CA-8(1) ¶ 1] | Establish Roles | Preventive | |
Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Testing | Preventive | |
Retain penetration test results according to internal policy. CC ID 10049 | Records Management | Preventive | |
Retain penetration test remediation action records according to internal policy. CC ID 11629 | Records Management | Preventive | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Testing | Detective | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Testing | Corrective | |
Perform penetration tests, as necessary. CC ID 00655 [{independent review}{penetration testing} Employ [Selection (one or more): organizational analysis, independent third-party analysis, organizational testing, independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organization-defined supply chain elements, processes, and actors]. SR-6(1) ¶ 1 Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components]. CA-8 Control Require the developer of the system, system component, or system service to perform penetration testing: At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and SA-11(5) ¶ 1(a)] | Testing | Detective | |
Perform internal penetration tests, as necessary. CC ID 12471 | Technical Security | Detective | |
Perform external penetration tests, as necessary. CC ID 12470 [Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Selection: announced; unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility. CA-8(3) ¶ 1] | Technical Security | Detective | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 | Testing | Detective | |
Test the system for broken access controls. CC ID 01319 | Testing | Detective | |
Test the system for broken authentication and session management. CC ID 01320 | Testing | Detective | |
Test the system for insecure communications. CC ID 00535 | Testing | Detective | |
Test the system for cross-site scripting attacks. CC ID 01321 | Testing | Detective | |
Test the system for buffer overflows. CC ID 01322 | Testing | Detective | |
Test the system for injection flaws. CC ID 01323 | Testing | Detective | |
Ensure protocols are free from injection flaws. CC ID 16401 | Process or Activity | Preventive | |
Test the system for Denial of Service. CC ID 01326 | Testing | Detective | |
Test the system for insecure configuration management. CC ID 01327 | Testing | Detective | |
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Testing | Detective | |
Test the system for cross-site request forgery. CC ID 06296 | Testing | Detective | |
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Technical Security | Detective | |
Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Technical Security | Detective | |
Verify segmentation controls are operational and effective. CC ID 12545 | Audits and Risk Management | Detective | |
Repeat penetration testing, as necessary. CC ID 06860 | Testing | Detective | |
Test the system for covert channels. CC ID 10652 [{covert channel} Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and SC-31a.] | Testing | Detective | |
Estimate the maximum bandwidth of any covert channels. CC ID 10653 [{covert channel} Estimate the maximum bandwidth of those channels. SC-31b. Measure the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the system. SC-31(3) ¶ 1] | Technical Security | Detective | |
Reduce the maximum bandwidth of covert channels. CC ID 10655 [{covert channel} Reduce the maximum bandwidth for identified covert [Selection (one or more): storage; timing] channels to [Assignment: organization-defined values]. SC-31(2) ¶ 1] | Technical Security | Corrective | |
Test systems to determine which covert channels might be exploited. CC ID 10654 [{exploitable channel} Test a subset of the identified covert channels to determine the channels that are exploitable. SC-31(1) ¶ 1] | Testing | Detective | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Establish/Maintain Documentation | Preventive | |
Include facilities in the business line testing strategy. CC ID 13253 | Establish/Maintain Documentation | Preventive | |
Include electrical systems in the business line testing strategy. CC ID 13251 | Establish/Maintain Documentation | Preventive | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Establish/Maintain Documentation | Preventive | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Establish/Maintain Documentation | Preventive | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Establish/Maintain Documentation | Preventive | |
Include environmental controls in the business line testing strategy. CC ID 13246 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 [Define the breadth and depth of vulnerability scanning coverage. RA-5(3) ¶ 1 Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Formatting checklists and test procedures; and RA-5b.2. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; RA-5b.1. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Measuring vulnerability impact; RA-5b.3.] | Establish/Maintain Documentation | Preventive | |
Perform vulnerability scans, as necessary. CC ID 11637 [Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; RA-5a. {performance testing} Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment [Assignment: organization-defined other forms of assessment]]. CA-2(2) ¶ 1 Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to: Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; SA-15(7) ¶ 1(a)] | Technical Security | Detective | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Testing | Detective | |
Identify and document security vulnerabilities. CC ID 11857 [Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]. RA-5(4) ¶ 1] | Technical Security | Detective | |
Rank discovered vulnerabilities. CC ID 11940 [Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to: Determine the exploitation potential for discovered vulnerabilities; SA-15(7) ¶ 1(b)] | Investigate | Detective | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 [Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignment: organization-defined vulnerability scanning activities]. RA-5(5) ¶ 1] | Technical Security | Preventive | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 [Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis. CA-7(1) ¶ 1 Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information. SA-11(3)(b)] | Technical Security | Detective | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Communicate | Preventive | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Records Management | Preventive | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 [Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors. RA-5(10) ¶ 1] | Technical Security | Detective | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Testing | Detective | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Technical Security | Detective | |
Implement scanning tools, as necessary. CC ID 14282 [Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: RA-5b.] | Technical Security | Detective | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 [Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]. RA-5(2) ¶ 1 Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. RA-5f.] | Configuration | Corrective | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Technical Security | Detective | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Technical Security | Detective | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Business Processes | Preventive | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Testing | Preventive | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 [Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms]. RA-5(6) ¶ 1 {vulnerability scan results} Analyze vulnerability scan reports and results from vulnerability monitoring; RA-5c.] | Technical Security | Detective | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 [Employ automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification. SI-7(2) ¶ 1 {security verification test} Alert [Assignment: organization-defined personnel or roles] to failed security and privacy verification tests; and SI-6c.] | Behavior | Corrective | |
Perform vulnerability assessments, as necessary. CC ID 11828 [{performance testing} Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment [Assignment: organization-defined other forms of assessment]]. CA-2(2) ¶ 1] | Technical Security | Corrective | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Technical Security | Detective | |
Test the system for unvalidated input. CC ID 01318 | Testing | Detective | |
Test the system for proper error handling. CC ID 01324 | Testing | Detective | |
Test the system for insecure data storage. CC ID 01325 [Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified. SI-19(8) ¶ 1] | Testing | Detective | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Testing | Detective | |
Approve the vulnerability management program. CC ID 15722 | Process or Activity | Preventive | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Establish Roles | Preventive | |
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 | Technical Security | Preventive | |
Test the system for insecure cryptographic storage. CC ID 11635 | Technical Security | Detective | |
Perform self-tests on cryptographic modules within the system. CC ID 06537 | Testing | Detective | |
Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Testing | Detective | |
Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Testing | Detective | |
Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Configuration | Detective | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 [Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to: Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. SA-15(7) ¶ 1(d)] | Technical Security | Corrective | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Configuration | Corrective | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 | Establish/Maintain Documentation | Corrective | |
Correct or mitigate vulnerabilities. CC ID 12497 [Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; RA-5d. Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]. RA-5(4) ¶ 1 Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Correct flaws identified during testing and evaluation. SA-11e.] | Technical Security | Corrective | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Technical Security | Corrective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions]. CA-7(5) ¶ 1 Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: Compliance monitoring; and CA-7(4) ¶ 1(b) Develop, monitor, and report on the results of information security and privacy measures of performance. PM-6 Control] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Actionable Reports or Measurements | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Actionable Reports or Measurements | Detective | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Business Processes | Preventive | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Audits and Risk Management | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Monitor policy compliance [Assignment: organization-defined frequency]. CM-11c. Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms]. CM-11(3) ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. SI-5d.] | Establish/Maintain Documentation | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
Determine the causes of compliance violations. CC ID 12401 | Investigate | Corrective | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Investigate | Detective | |
Correct compliance violations. CC ID 13515 | Process or Activity | Corrective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Investigate | Detective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Behavior | Corrective | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Human Resources Management | Preventive | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Establish/Maintain Documentation | Preventive | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Actionable Reports or Measurements | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 [Develop a contingency plan for the system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2.] | Establish/Maintain Documentation | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Actionable Reports or Measurements | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Actionable Reports or Measurements | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Actionable Reports or Measurements | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 [Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; CA-7a. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; PM-31a.] | Establish/Maintain Documentation | Preventive | |
Convert data into standard units before reporting metrics. CC ID 15507 | Process or Activity | Corrective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Actionable Reports or Measurements | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Actionable Reports or Measurements | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Actionable Reports or Measurements | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Actionable Reports or Measurements | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of information assets and information-dependent functions that have been identified as critical. CC ID 02040 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Actionable Reports or Measurements | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Actionable Reports or Measurements | Detective | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Actionable Reports or Measurements | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Business Processes | Preventive | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Actionable Reports or Measurements | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Actionable Reports or Measurements | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Business Processes | Preventive | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems whose security controls were updated after development and that have since been recertified. CC ID 02142 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Business Processes | Preventive | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Business Processes | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Actionable Reports or Measurements | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Business Processes | Preventive | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Actionable Reports or Measurements | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Business Processes | Preventive | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Log Management | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Log Management | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Log Management | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Log Management | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Business Processes | Preventive | |
Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before being granted network access. CC ID 02106 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Actionable Reports or Measurements | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Business Processes | Preventive | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Business Processes | Preventive | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Actionable Reports or Measurements | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Actionable Reports or Measurements | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Business Processes | Preventive | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Technical Security | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Actionable Reports or Measurements | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Business Processes | Preventive | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Actionable Reports or Measurements | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Actionable Reports or Measurements | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Business Processes | Preventive | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Actionable Reports or Measurements | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Actionable Reports or Measurements | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [Develop an incident response plan that: Provides metrics for measuring the incident response capability within the organization; IR-8a.6. Use qualitative and quantitative data from testing to: Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format. IR-3(3) ¶ 1(c)] | Business Processes | Preventive | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Actionable Reports or Measurements | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Actionable Reports or Measurements | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Actionable Reports or Measurements | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Actionable Reports or Measurements | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 [Measure the time between flaw identification and flaw remediation; and SI-2(3)(a)] | Actionable Reports or Measurements | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Actionable Reports or Measurements | Detective | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients 65 years of age or older or 5 years of age or younger who were sent a reminder. CC ID 06233 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Establish/Maintain Documentation | Preventive | |
Deploy log normalization tools, as necessary. CC ID 12141 | Technical Security | Preventive | |
Restrict access to logs to authorized individuals. CC ID 01342 [Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. AU-9(4) ¶ 1 Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles]. AU-9(6) ¶ 1] | Log Management | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Technical Security | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Log Management | Preventive | |
Back up audit trails according to backup procedures. CC ID 11642 [Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. AU-9(2) ¶ 1] | Systems Continuity | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Log Management | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 [Store audit information on a component running a different operating system than the system or component being audited. AU-9(7) ¶ 1 Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. AU-16 Control Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging. AU-4(1) ¶ 1] | Log Management | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Log Management | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Log Management | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 [Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and AU-9a.] | Log Management | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Log Management | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 [Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved. AU-11(1) ¶ 1] | Log Management | Preventive | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 [Enforce dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. AU-9(5) ¶ 1] | Configuration | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 [Preserve the identity of individuals in cross-organizational audit trails. AU-16(1) ¶ 1] | Log Management | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 [{cross-organizational audit sharing agreement} Provide cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements]. AU-16(2) ¶ 1] | Audits and Risk Management | Preventive | |
Monitor the performance of the governance, risk, and compliance capability. CC ID 12857 [Develop, monitor, and report on the results of information security and privacy measures of performance. PM-6 Control] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms]. CA-5(1) ¶ 1 Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Response actions to address results of the analysis of control assessment and monitoring information; and CA-7f.] | Monitor and Evaluate Occurrences | Detective | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Business Processes | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Establish/Maintain Documentation | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Establish/Maintain Documentation | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Establish/Maintain Documentation | Preventive | |
Include monitoring in the corrective action plan. CC ID 11645 [Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. CA-5b. Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. PM-4b.] | Monitor and Evaluate Occurrences | Detective | |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. CA-7g. Develop, monitor, and report on the results of information security and privacy measures of performance. PM-6 Control Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. PM-31f. {security verification tests} Report the results of security and privacy function verification to [Assignment: organization-defined personnel or roles]. SI-6(3) ¶ 1] | Actionable Reports or Measurements | Corrective | |
Protect against misusing automated audit tools. CC ID 04547 [Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and AU-9a.] | Technical Security | Preventive | |
Evaluate the measurement process used for metrics. CC ID 06920 [Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; CA-7d. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; PM-31c.] | Testing | Detective | |
Evaluate the information technology products used for metrics. CC ID 11644 | Technical Security | Detective | |
Identify and communicate improvements in metrics reporting. CC ID 06921 | Establish/Maintain Documentation | Corrective | |
Provide intelligence support to the organization, as necessary. CC ID 14020 | Business Processes | Preventive | |
Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 | Technical Security | Preventive | |
Conduct a Technical Surveillance Countermeasures survey. CC ID 10637 [Employ a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; when the following events or indicators occur: [Assignment: organization-defined events or indicators]]. RA-6 Control] | Testing | Detective | |
Coordinate multiple Technical Surveillance Countermeasure surveys, as necessary. CC ID 11454 | Testing | Detective | |
Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Technical Security | Preventive | |
Leverage cyber threat intelligence when employing Technical Surveillance Countermeasures. CC ID 12697 [{cyber threat hunting} Employ the threat hunting capability [Assignment: organization-defined frequency]. RA-10b.] | Technical Security | Preventive | |
Communicate threat intelligence to interested personnel and affected parties. CC ID 14016 [{incident response process} Incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes. SI-3(10)(b)] | Communicate | Preventive | |
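The rows above on patch coverage and remediation latency (CC ID 02113, CC ID 02114, and CC ID 02140, which cites SI-2(3)(a)) describe metrics without saying how to compute them without distorting the result. The example below is added here and is not code from NIST SP 800-53 or from the UCF report. It is Python over a constructed inventory; the hostnames, patch identifiers and dates are hypothetical. It shows the one caveat a practitioner needs: items that are still open on the reporting date have no closed date and cannot enter a mean, but silently dropping them lets the mean improve by never closing the hard cases, so they are counted, aged, and held against the target as misses.

```python
"""Remediation-latency and patch-coverage metrics over a constructed inventory.
Added example for this report; not code from NIST SP 800-53 or the UCF."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Iterable, Optional


@dataclass(frozen=True)
class Remediation:
    """One (system, item) pair. The item is an approved patch or a flaw finding.
    opened: date the patch became available / the flaw was identified.
    closed: date it was installed / remediated; None while still outstanding."""
    system: str
    item: str
    opened: date
    closed: Optional[date] = None


def remediation_metrics(records: Iterable[Remediation], as_of: date, target_days: int) -> dict:
    """Time from identification to remediation (SI-2(3)(a); CC ID 02114 / 02140).

    Items still open on the reporting date are right-censored: they cannot
    enter the mean, but they are counted, aged, and treated as misses against
    the target so the mean cannot be gamed by leaving hard items open."""
    closed_days, open_ages = [], []
    for r in records:
        if r.opened > as_of:
            continue  # not yet known on the reporting date
        if r.closed is not None and r.closed <= as_of:
            closed_days.append((r.closed - r.opened).days)
        else:
            open_ages.append((as_of - r.opened).days)
    total = len(closed_days) + len(open_ages)
    within_target = sum(1 for d in closed_days if d <= target_days)
    return {
        "closed": len(closed_days),
        "mean_days_to_close": mean(closed_days) if closed_days else None,
        "open": len(open_ages),
        "oldest_open_days": max(open_ages, default=0),
        # open items are misses regardless of age: they are not remediated
        "within_target_pct": 100.0 * within_target / total if total else 0.0,
    }


def fully_patched_pct(systems: Iterable[str], records: Iterable[Remediation], as_of: date) -> float:
    """Percentage of systems with every approved patch installed (CC ID 02113).
    A system is compliant only if none of its items is outstanding on as_of;
    a system with no items has nothing outstanding and counts as compliant."""
    outstanding = set()
    for r in records:
        if r.opened <= as_of and (r.closed is None or r.closed > as_of):
            outstanding.add(r.system)
    systems = list(systems)
    compliant = sum(1 for s in systems if s not in outstanding)
    return 100.0 * compliant / len(systems) if systems else 0.0


# Constructed sample data (hypothetical hostnames and patch identifiers).
AS_OF = date(2024, 6, 30)
SYSTEMS = ["web-01", "web-02", "db-01", "jump-01"]
PATCHES = [
    Remediation("web-01", "patch-A", date(2024, 6, 1), date(2024, 6, 4)),
    Remediation("web-02", "patch-A", date(2024, 6, 1), date(2024, 6, 10)),
    Remediation("db-01", "patch-A", date(2024, 6, 1)),                      # still open
    Remediation("web-01", "patch-B", date(2024, 6, 20), date(2024, 6, 22)),
    Remediation("web-02", "patch-B", date(2024, 6, 20), date(2024, 7, 2)),  # closed after as_of
]

if __name__ == "__main__":
    print(remediation_metrics(PATCHES, AS_OF, target_days=7))
    print(f"fully patched: {fully_patched_pct(SYSTEMS, PATCHES, AS_OF):.1f}%")
```

With the sample data and a 7-day target, three items are closed (mean 4.67 days), two are still open with the oldest at 29 days, only 40% met the target once the open items are counted as misses, and 50% of systems are fully patched. Reporting only the mean over closed items would have shown 4.67 days and hidden the two outstanding items entirely.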
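The log management rows above (CC ID 02102 and CC IDs 06314 through 06317, alongside AU-9(2) and AU-4(1) on storing audit records on a separate system) amount to reconciling the asset inventory against what the central log infrastructure actually receives. The example below is added here and is not code from NIST SP 800-53 or from the UCF report. It is Python over constructed data; the hostnames, timestamps and the 24-hour staleness window are hypothetical. It treats a host whose last central record is older than the window as not forwarding, because a silent agent is indistinguishable from a disabled one, and it surfaces hosts that send logs but are missing from the inventory as a separate finding rather than counting them as coverage.

```python
"""Log-coverage reconciliation between an asset inventory and a central log
store.  Added example for this report; not code from NIST SP 800-53 or the UCF."""
from datetime import datetime, timedelta, timezone


def classify_log_coverage(inventory: dict, central_last_seen: dict,
                          now: datetime, stale_after: timedelta) -> dict:
    """Bucket every inventoried host by where its logs actually land
    (CC IDs 06314-06317).  'central' means the separate log infrastructure
    (AU-9(2) / AU-4(1)) received a record from the host within stale_after
    of now; an agent that has gone quiet counts as not forwarding."""
    buckets = {"both": [], "system_only": [], "infrastructure_only": [],
               "not_stored": [], "unmanaged_source": []}
    for host, attrs in inventory.items():
        seen = central_last_seen.get(host)
        central = seen is not None and (now - seen) <= stale_after
        local = bool(attrs.get("local_logging"))
        if local and central:
            buckets["both"].append(host)
        elif local:
            buckets["system_only"].append(host)
        elif central:
            buckets["infrastructure_only"].append(host)
        else:
            buckets["not_stored"].append(host)
    # Records from hosts the inventory does not know about are a finding in
    # their own right (unmanaged asset or spoofed source), not coverage.
    for host in central_last_seen:
        if host not in inventory:
            buckets["unmanaged_source"].append(host)
    return {k: sorted(v) for k, v in buckets.items()}


def critical_missing_both(inventory: dict, buckets: dict) -> list:
    """Hosts that should log at both levels but do not (CC ID 06316)."""
    covered = set(buckets["both"])
    return sorted(h for h, a in inventory.items() if a.get("critical") and h not in covered)


def logging_implemented_pct(inventory: dict, buckets: dict) -> float:
    """Percentage of inventoried systems with event logging in place at
    either level (CC ID 02102)."""
    if not inventory:
        return 0.0
    return 100.0 * (len(inventory) - len(buckets["not_stored"])) / len(inventory)


# Constructed sample data (hypothetical hostnames and timestamps).
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(hours=24)
INVENTORY = {
    "web-01": {"local_logging": True, "critical": True},
    "web-02": {"local_logging": True, "critical": True},
    "db-01": {"local_logging": True, "critical": True},
    "kiosk-07": {"local_logging": False, "critical": False},
    "lab-03": {"local_logging": False, "critical": False},
}
CENTRAL_LAST_SEEN = {
    "web-01": NOW - timedelta(minutes=5),
    "web-02": NOW - timedelta(days=3),       # agent went silent: stale
    "kiosk-07": NOW - timedelta(hours=1),
    "build-99": NOW - timedelta(minutes=2),  # forwarding logs, but not in inventory
}

if __name__ == "__main__":
    b = classify_log_coverage(INVENTORY, CENTRAL_LAST_SEEN, NOW, STALE_AFTER)
    for bucket, hosts in b.items():
        print(f"{bucket:22s} {hosts}")
    print("critical hosts missing both levels:", critical_missing_both(INVENTORY, b))
    print(f"event logging implemented: {logging_implemented_pct(INVENTORY, b):.1f}%")
```

On the sample data web-01 is the only host covered at both levels; web-02 drops to system-only because its last central record is three days old; kiosk-07 is infrastructure-only; lab-03 has no logs stored anywhere; and build-99 appears as an unmanaged source. Both web-02 and db-01 are critical hosts that fail the "should be stored at both levels" check even though each of them still logs locally.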
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a business continuity policy. CC ID 12405 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: CP-1a.1. {contingency planning policy} Review and update the current contingency planning: Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and CP-1c.1.] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the business continuity policy. CC ID 14237 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the business continuity policy. CC ID 14235 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include management commitment in the business continuity policy. CC ID 14233 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include the scope in the business continuity policy. CC ID 14231 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the business continuity policy. CC ID 14190 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: CP-1a.1.] | Communicate | Preventive | |
Include the purpose in the business continuity policy. CC ID 14188 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CP-1a.1(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Establish/Maintain Documentation | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 [Coordinate contingency plan development with organizational elements responsible for related plans. CP-2(1) ¶ 1] | Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [Develop a contingency plan for the system that: CP-2a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; CP-1a.2. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; CP-2e. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that: Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and CP-1a.1(b) Review the contingency plan for the system [Assignment: organization-defined frequency]; CP-2d. Develop a contingency plan for the system that: Addresses the sharing of contingency information; and CP-2a.6. Develop a contingency plan for the system that: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; CP-2a.7.] | Establish/Maintain Documentation | Preventive | |
Report changes in the continuity plan to senior management. CC ID 12757 | Communicate | Corrective | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Systems Continuity | Corrective | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Establish/Maintain Documentation | Preventive | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Systems Continuity | Preventive | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 [When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation]. CP-12 Control Implement the indicated fail-safe procedures when the indicated failures occur: [Assignment: organization-defined list of failure conditions and associated fail-safe procedures]. SI-17 Control {known-state} Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization-defined types of system failures on organization-defined system components]. SC-24 Control Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system. SI-13(5) ¶ 1 Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device. SC-7(18) ¶ 1] | Systems Continuity | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Human Resources Management | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Establish/Maintain Documentation | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Establish/Maintain Documentation | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Human Resources Management | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Systems Continuity | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Configuration | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Establish/Maintain Documentation | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Behavior | Preventive | |
Restore systems and environments to be operational. CC ID 13476 [Provide the capability to restore system components within [Assignment: organization-defined restoration time periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components. CP-10(4) ¶ 1 {mean time to failure} Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: [Assignment: organization-defined MTTF substitution criteria]. SI-13b. {manual activation} Manually initiate transfers between active and standby system components when the use of the active component reaches [Assignment: organization-defined percentage] of the mean time to failure. SI-13(3) ¶ 1] | Systems Continuity | Corrective | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Establish/Maintain Documentation | Preventive | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 [{alternative security mechanism} Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised. CP-13 Control] | Technical Security | Preventive | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [Initiate corrective actions, if needed. CP-4c. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and CP-2g.] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [Develop a contingency plan for the system that: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.3.] | Establish/Maintain Documentation | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Process or Activity | Preventive | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Monitor and Evaluate Occurrences | Detective | |
Record business continuity management system performance for posterity. CC ID 12411 | Monitor and Evaluate Occurrences | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Process or Activity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 [Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. CP-2(7) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 [Coordinate incident handling activities with contingency planning activities; IR-4b.] | Establish/Maintain Documentation | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Establish/Maintain Documentation | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Establish/Maintain Documentation | Preventive | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Establish Roles | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 [{contingency planning procedures} Review and update the current contingency planning: Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. CP-1c.2.] | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 [Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; CP-1a.2.] | Communicate | Preventive | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Establish/Maintain Documentation | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 [Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss. PE-11 Control] | Configuration | Preventive | |
Install a generator sized to support the facility. CC ID 06709 [Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that can maintain minimally required operational capability in the event of an extended loss of the primary power source. PE-11(1) ¶ 1 Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is: PE-11(2) ¶ 1 {refrain from relying on} Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is: Not reliant on external power generation; and PE-11(2) ¶ 1(b) Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is: Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source. PE-11(2) ¶ 1(c) {be self-contained} Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is: Self-contained; PE-11(2) ¶ 1(a)] | Configuration | Preventive | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Acquisition/Sale of Assets or Services | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Establish/Maintain Documentation | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Establish/Maintain Documentation | Preventive | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Systems Continuity | Preventive | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Testing | Detective | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [Implement transaction recovery for systems that are transaction-based. CP-10(2) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Communicate | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Establish/Maintain Documentation | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
Test the recovery plan, as necessary. CC ID 13290 | Testing | Detective | |
Test the backup information, as necessary. CC ID 13303 [Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. CP-9(1) ¶ 1] | Testing | Detective | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Communicate | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 [{alternate processing site}{alternate storage site}{primary processing site}{primary storage site}{refrain from harming} Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites. CP-2(6) ¶ 1 Develop a contingency plan for the system that: Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; CP-2a.5. Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. CP-10 Control] | Establish Roles | Preventive | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 [Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. CP-2(3) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 [Develop a contingency plan for the system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Communicate | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Systems Continuity | Preventive | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 [Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components]. SC-36 Control] | Systems Continuity | Preventive | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 [Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components]. SC-36 Control] | Systems Continuity | Preventive | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 [Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels]. SC-37 Control] | Systems Continuity | Corrective | |
Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Establish/Maintain Documentation | Preventive | |
Install and maintain redundant power supplies for critical facilities. CC ID 06355 | Configuration | Preventive | |
Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 [Provide the capability of shutting off power to [Assignment: organization-defined system or individual system components] in emergency situations; PE-10a. Protect emergency power shutoff capability from unauthorized activation. PE-10c. Place emergency shutoff switches or devices in [Assignment: organization-defined location by system or system component] to facilitate access for authorized personnel; and PE-10b.] | Physical and Environmental Protection | Preventive | |
Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 [{physical separation} Employ redundant power cabling paths that are physically separated by [Assignment: organization-defined distance]. PE-9(1) ¶ 1] | Configuration | Preventive | |
Install electro-magnetic shielding around all electrical cabling. CC ID 06358 [Protect the system from information leakage due to electromagnetic signals emanations. PE-19 Control Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the information. PE-19(1) ¶ 1] | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [Develop a contingency plan for the system that: Identifies essential mission and business functions and associated contingency requirements; CP-2a.1. Develop a contingency plan for the system that: Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; CP-2a.4.] | Establish/Maintain Documentation | Detective | |
Review and prioritize the importance of each business unit. CC ID 01165 | Systems Continuity | Preventive | |
Review and prioritize the importance of each business process. CC ID 11689 | Establish/Maintain Documentation | Preventive | |
Document the mean time to failure for system components. CC ID 10684 [Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and SI-13a.] | Systems Continuity | Preventive | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 | Establish/Maintain Documentation | Preventive | |
Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 [{mean time to failure} Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: [Assignment: organization-defined MTTF substitution criteria]. SI-13b. {substitute information system component} If system component failures are detected: Ensure that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and SI-13(4) ¶ 1(a)] | Process or Activity | Corrective | |
Include the protection of personnel in the continuity plan. CC ID 06378 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical personnel list. CC ID 00739 [Develop a contingency plan for the system that: Addresses contingency roles, responsibilities, assigned individuals with contact information; CP-2a.3.] | Establish/Maintain Documentation | Detective | |
Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Human Resources Management | Preventive | |
Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical resource list. CC ID 00740 [Identify critical system assets supporting [Selection: all; essential] mission and business functions. CP-2(8) ¶ 1] | Establish/Maintain Documentation | Detective | |
Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 | Establish/Maintain Documentation | Preventive | |
Include website continuity procedures in the continuity plan. CC ID 01380 | Establish/Maintain Documentation | Preventive | |
Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 [Maintain a central resource webpage on the organization's principal public website that serves as a central source of information about the organization's privacy program and that: Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy; PM-20a. Maintain a central resource webpage on the organization's principal public website that serves as a central source of information about the organization's privacy program and that: Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. PM-20c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and AC-22c.] | Data and Information Management | Preventive | |
Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 | Establish/Maintain Documentation | Detective | |
Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 [{alternate processing site}{alternate storage site}{primary site} Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. CP-8 Control] | Establish/Maintain Documentation | Preventive | |
Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 [{alternate processing site}{alternate storage site}{primary site} Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. CP-8 Control {primary telecommunications service agreements} Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and CP-8(1)(a) {primary telecommunications services} Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier. CP-8(1)(b)] | Establish/Maintain Documentation | Preventive | |
Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397 [Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. CP-8(2) ¶ 1] | Testing | Detective | |
Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399 [{primary telecommunications service provider} Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. CP-8(3) ¶ 1] | Testing | Detective | |
Require telecommunications service providers to have adequate continuity plans. CC ID 01400 [{primary telecommunications service provider} Require primary and alternate telecommunications service providers to have contingency plans; CP-8(4)(a)] | Testing | Detective | |
Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 [Plan and prepare for circumstances that preclude returning to the primary processing site. CP-7(6) ¶ 1 {primary processing sites} {primary storage site} Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites. CP-2(5) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Physical and Environmental Protection | Corrective | |
Designate an alternate facility in the continuity plan. CC ID 00742 [Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. CP-9(6) ¶ 1] | Establish/Maintain Documentation | Detective | |
Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 [Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. CP-7(1) ¶ 1] | Physical and Environmental Protection | Preventive | |
Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 [{area-wide disaster} Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. CP-7(2) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 | Systems Continuity | Preventive | |
Establish and maintain off-site electronic media storage facilities. CC ID 00957 [Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and CP-6a.] | Physical and Environmental Protection | Preventive | |
Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 [Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. CP-6(1) ¶ 1] | Testing | Detective | |
Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 [{recovery time objectives} Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. CP-6(2) ¶ 1] | Configuration | Preventive | |
Outline explicit mitigation actions for potential accessibility issues at off-site electronic media storage facilities when an area-wide disruption or an area-wide disaster occurs. CC ID 01393 [{area-wide disaster} Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions. CP-6(3) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 [Ensure that the alternate storage site provides controls equivalent to that of the primary site. CP-6b.] | Systems Continuity | Detective | |
Store backup media at an off-site electronic media storage facility. CC ID 01332 [Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. CP-9(3) ¶ 1] | Data and Information Management | Preventive | |
Transport backup media in lockable electronic media storage containers. CC ID 01264 [Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. CP-9(5) ¶ 1] | Data and Information Management | Preventive | |
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 [Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. CP-9(3) ¶ 1] | Systems Continuity | Preventive | |
Perform backup procedures for in scope systems. CC ID 11692 [Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; CP-9a. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; CP-9b.] | Process or Activity | Preventive | |
Perform full backups in accordance with organizational standards. CC ID 16376 | Data and Information Management | Preventive | |
Perform incremental backups in accordance with organizational standards. CC ID 16375 | Data and Information Management | Preventive | |
Back up all records. CC ID 11974 [Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and CP-9c.] | Systems Continuity | Preventive | |
Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Data and Information Management | Preventive | |
Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 [Develop a contingency plan for the system that: Provides recovery objectives, restoration priorities, and metrics; CP-2a.2.] | Establish/Maintain Documentation | Preventive | |
Encrypt backup data. CC ID 00958 [Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information]. CP-9(8) ¶ 1] | Configuration | Preventive | |
Log the execution of each backup. CC ID 00956 | Establish/Maintain Documentation | Preventive | |
Test backup media for media integrity and information integrity, as necessary. CC ID 01401 | Testing | Detective | |
Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Testing | Detective | |
Test each restored system for media integrity and information integrity. CC ID 01920 | Testing | Detective | |
Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Testing | Corrective | |
Digitally sign disk images, as necessary. CC ID 06814 | Establish/Maintain Documentation | Preventive | |
Include emergency communications procedures in the continuity plan. CC ID 00750 [Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. CP-11 Control] | Establish/Maintain Documentation | Preventive | |
Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Establish/Maintain Documentation | Preventive | |
Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Systems Continuity | Preventive | |
Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Establish/Maintain Documentation | Preventive | |
Log important conversations conducted during emergencies with third parties. CC ID 12763 | Log Management | Preventive | |
Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Communicate | Preventive | |
Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Communicate | Corrective | |
Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 [Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; CP-2b.] | Establish/Maintain Documentation | Preventive | |
Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a pandemic plan. CC ID 13214 | Establish/Maintain Documentation | Preventive | |
Include alternate work locations in the pandemic plan. CC ID 14376 [Determine and document the [Assignment: organization-defined alternate work sites] allowed for use by employees; PE-17a.] | Establish/Maintain Documentation | Preventive | |
Prepare the alternate facility for an emergency offsite relocation. CC ID 00744 [{alternate processing site}{alternate storage site}{primary processing site}{primary storage site}{refrain from harming} Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites. CP-2(6) ¶ 1 Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions. CP-7(4) ¶ 1 {recovery time objectives} Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; CP-7a.] | Systems Continuity | Preventive | |
Include coverage for alternate facilities for all offices in contingency arrangements. CC ID 00746 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID 00745 [Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and CP-6a. Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). CP-7(3) ¶ 1 {recovery time objectives} Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; CP-7a. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and CP-7b.] | Establish/Maintain Documentation | Preventive | |
Include recovery time in Service Level Agreements for all alternate facilities. CC ID 16331 | Establish/Maintain Documentation | Preventive | |
Include priority-of-service provisions in Service Level Agreements for all alternate facilities. CC ID 16330 | Establish/Maintain Documentation | Preventive | |
Include backup media transportation in Service Level Agreements for alternate facilities. CC ID 16329 | Establish/Maintain Documentation | Preventive | |
Include transportation services in Service Level Agreements for alternate facilities. CC ID 16328 | Establish/Maintain Documentation | Preventive | |
Include that the shared service provider will not oversubscribe their services in the Service Level Agreement. CC ID 04892 | Establish/Maintain Documentation | Preventive | |
Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement. CC ID 04893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Memorandums Of Understanding for all alternate facilities. CC ID 11695 | Establish/Maintain Documentation | Preventive | |
Configure the alternate facility to meet the least needed operational capabilities. CC ID 01395 [Employ the following controls at alternate work sites: [Assignment: organization-defined controls]; PE-17b. Provide controls at the alternate processing site that are equivalent to those at the primary site. CP-7c.] | Configuration | Preventive | |
Establish, implement, and maintain logical access controls at alternate facilities. CC ID 13227 | Technical Security | Preventive | |
Establish, implement, and maintain physical access controls for alternate facilities. CC ID 13226 | Physical and Environmental Protection | Preventive | |
Notify the primary facilities of any changes at the alternate facilities that could affect the continuity plan. CC ID 13225 | Communicate | Preventive | |
Protect backup systems and restoration systems at the alternate facility. CC ID 04883 [Protect system components used for recovery and reconstitution. CP-10(6) ¶ 1 Synchronize the following duplicate systems or system components: [Assignment: organization-defined duplicate systems or system components]. SC-36(2) ¶ 1] | Systems Continuity | Preventive | |
Review the alternate facility preparation procedures. CC ID 04884 [Assess the effectiveness of controls at alternate work sites; and PE-17c.] | Systems Continuity | Detective | |
Train personnel on the continuity plan. CC ID 00759 [Provide contingency training to system users consistent with assigned roles and responsibilities: CP-3a. Provide contingency training to system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; CP-3a.1. Provide contingency training to system users consistent with assigned roles and responsibilities: When required by system changes; and CP-3a.2. Provide contingency training to system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter; and CP-3a.3.] | Behavior | Preventive | |
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 [Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment. CP-3(2) ¶ 1] | Behavior | Preventive | |
Incorporate simulated events into the continuity plan training. CC ID 01402 [Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. CP-3(1) ¶ 1] | Behavior | Preventive | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Training | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Training | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Training | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Training | Preventive | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Testing | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [Test the contingency plan using [Assignment: organization-defined automated mechanisms]. CP-4(3) ¶ 1 Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. CP-4a.] | Testing | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Testing | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Testing | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 [Test alternate telecommunication services [Assignment: organization-defined frequency]. CP-8(5) ¶ 1] | Testing | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Testing | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Testing | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 [Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing. CP-9(2) ¶ 1 Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component. CP-4(5) ¶ 1] | Testing | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Testing | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Testing | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 [Test the contingency plan at the alternate processing site: CP-4(2) ¶ 1 Test the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and CP-4(2) ¶ 1(a) Test the contingency plan at the alternate processing site: To evaluate the capabilities of the alternate processing site to support contingency operations. CP-4(2) ¶ 1(b)] | Testing | Detective | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Establish/Maintain Documentation | Preventive | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [Coordinate contingency plan testing with organizational elements responsible for related plans. CP-4(1) ¶ 1] | Testing | Preventive | |
Review all third party's continuity plan test results. CC ID 01365 [{telecommunications service providers} Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and CP-8(4)(b) {contingency training} Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency]. CP-8(4)(c)] | Testing | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Testing | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [Review the contingency plan test results; and CP-4b.] | Actionable Reports or Measurements | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Systems Continuity | Preventive | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Testing | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 [Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing. CP-4(4) ¶ 1] | Testing | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 | Establish/Maintain Documentation | Preventive | |
Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 | Business Processes | Preventive | |
Limit any effects of a Denial of Service attack. CC ID 06754 [Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks. SC-5(2) ¶ 1] | Technical Security | Preventive | |
Implement network redundancy, as necessary. CC ID 13048 | Systems Continuity | Preventive | |
Utilize resource capacity management controls. CC ID 00939 | Testing | Detective | |
Perform system capacity testing. CC ID 01616 [Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. CP-2(2) ¶ 1] | Testing | Detective | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Review and update the CONOPS [Assignment: organization-defined frequency]. PL-7b.] | Establish/Maintain Documentation | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 [Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; CP-2f. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and IR-8d.] | Behavior | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Establish/Maintain Documentation | Preventive | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Establish/Maintain Documentation | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Process or Activity | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Process or Activity | Preventive | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Audits and Risk Management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Human Resources Management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Human Resources Management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Establish/Maintain Documentation | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Establish/Maintain Documentation | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Communicate | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Communicate | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Business Processes | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [Develop and disseminate an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; PM-1a.1.] | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Business Processes | Detective | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Actionable Reports or Measurements | Corrective | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 [Ensure that the authorizing official for the system, before commencing operations: Accepts the use of common controls inherited by the system; and CA-6c.1.] | Establish Roles | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 | Business Processes | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Establish Roles | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [Centrally manage [Assignment: organization-defined controls and related processes]. PL-9 Control Tailor the selected control baseline by applying specified tailoring actions. PL-11 Control Select a control baseline for the system. PL-10 Control] | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Establish/Maintain Documentation | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Establish/Maintain Documentation | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 [Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; SI-4e.] | Establish/Maintain Documentation | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 [Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and RA-5e. {security practice} Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To maintain currency with recommended security and privacy practices, techniques, and technologies; and PM-15b. Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. PM-16 Control] | Establish/Maintain Documentation | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 [Establish and institutionalize contact with selected groups and associations within the security and privacy communities: PM-15 Control {security-related information} Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To share current security and privacy information, including threats, vulnerabilities, and incidents. PM-15c.] | Communicate | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [Develop and disseminate an organization-wide information security program plan that: PM-1a. Develop and disseminate an organization-wide information security program plan that: Reflects the coordination among organizational entities responsible for information security; and PM-1a.3.] | Establish/Maintain Documentation | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Establish/Maintain Documentation | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Establish/Maintain Documentation | Preventive | |
Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
Include system maintenance in the information security program. CC ID 12388 [Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; MA-4b.] | Establish/Maintain Documentation | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
Include access control in the information security program. CC ID 12386 [{security plan for the information system} Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. AC-6(3) ¶ 1 Document the rationale for remote access in the security plan for the system. AC-17(4)(b)] | Establish/Maintain Documentation | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
Include operations management in the information security program. CC ID 12385 | Establish/Maintain Documentation | Preventive | |
Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 [Ensure the accuracy, currency, and availability of monitoring results for the system using [Assignment: organization-defined automated mechanisms]. CA-7(6) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Provide management direction and support for the information security program. CC ID 11999 [Develop and disseminate an organization-wide information security program plan that: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; PM-1a.2.] | Process or Activity | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 [Review and update the organization-wide information security program plan [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and PM-1b.] | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [Develop and disseminate an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; PM-1a.1.] | Establish/Maintain Documentation | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 [{security requirements} Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; CA-9b.] | Establish/Maintain Documentation | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Develop and disseminate an organization-wide information security program plan that: Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; PM-1a.4.] | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 [Develop and disseminate an organization-wide information security program plan that: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; PM-1a.2.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 [{security attributes}{security policies} Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies]. AC-16(6) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Human Resources Management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [Develop and disseminate an organization-wide information security program plan that: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; PM-1a.2. {security attributes} Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects. AC-16(10) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Communicate | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 [Include in the rules of behavior, restrictions on: Use of social media, social networking sites, and external sites/applications; PL-4(1) ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and PL-7a. {security plans} Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. PL-8c.] | Establish/Maintain Documentation | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 [Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information. PM-16(1) ¶ 1] | Records Management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; PL-4a. Review and update the rules of behavior [Assignment: organization-defined frequency]; and PL-4c. Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts]. AC-2(11) ¶ 1 {malicious use} Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and SC-43a.] | Establish/Maintain Documentation | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [Authorize, monitor, and control the use of such components within the system. SC-43b. Authorize, monitor, and control the use of mobile code within the system. SC-18b.] | Establish/Maintain Documentation | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 [Include in the rules of behavior, restrictions on: Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. PL-4(1) ¶ 1(c) Include in the rules of behavior, restrictions on: Posting organizational information on public websites; and PL-4(1) ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 [Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements]. SC-18(2) ¶ 1 Define acceptable and unacceptable mobile code and mobile code technologies; and SC-18a.] | Establish/Maintain Documentation | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 [Prohibit the use of [Assignment: organization-defined network accessible storage devices] in external systems. AC-20(4) ¶ 1] | Data and Information Management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 [{appropriate authority}{approve} Use only General Services Administration-approved products and services for identity, credential, and access management. IA-5(15) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 [Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms]. CM-11(3) ¶ 1 Establish [Assignment: organization-defined policies] governing the installation of software by users; CM-11a. Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software]. CM-7(6) ¶ 1 Allow user installation of software only with explicit privileged status. CM-11(2) ¶ 1 Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. CM-14 Control Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and CM-11b. Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions]. CM-10(1) ¶ 1 Require that the integrity of the following user-installed software be verified prior to execution: [Assignment: organization-defined user-installed software]. SI-7(12) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 [Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; PL-4a.] | Communicate | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 [Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; PL-4b.] | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 [Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection (one or more): [Assignment: organization-defined frequency]; when the rules are revised or updated]. PL-4d.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 [Use software and associated documentation in accordance with contract agreements and copyright laws; CM-10a. {unauthorized display}{unauthorized performance}{unauthorized reproduction} Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. CM-10c.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Establish/Maintain Documentation | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 [{security plans} {privacy plans} {unauthorized modification} Protect the plans from unauthorized disclosure and modification. PL-2e. {unauthorized modification} Protect the supply chain risk management plan from unauthorized disclosure and modification. SR-2c. {unauthorized modification} Develop, document, and implement a configuration management plan for the system that: Protects the configuration management plan from unauthorized disclosure and modification. CM-9e. {unauthorized modification} Protect the incident response plan from unauthorized disclosure and modification. IR-8e. {unauthorized modification} Protect the information security program plan from unauthorized disclosure and modification. PM-1c. {unauthorized modification} Protect the contingency plan from unauthorized disclosure and modification. CP-2h.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]]; CA-3a. Verify that access to classified information requiring special protection is granted only to individuals who: Have read, understood, and signed a nondisclosure agreement. PS-6(2) ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Establish/Maintain Documentation | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Establish/Maintain Documentation | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Establish/Maintain Documentation | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Establish/Maintain Documentation | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{security testing}{security training}{security monitoring}{privacy training}{privacy monitoring} Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: Continue to be executed; and PM-14a.2.] | Business Processes | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Process or Activity | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Process or Activity | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Process or Activity | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Process or Activity | Corrective | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [Develop and disseminate an organization-wide information security program plan that: Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; PM-1a.2.] | Establish/Maintain Documentation | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 [{security authorization} Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; PM-10a.] | Business Processes | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [Develop and disseminate an organization-wide information security program plan that: PM-1a.] | Behavior | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Business Processes | Preventive | |
Assign an information owner to organizational assets, as necessary. CC ID 12729 [Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and AU-10(1)(a)] | Human Resources Management | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 [{security attributes} {privacy attributes} Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes]; AC-16d.] | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Establish/Maintain Documentation | Preventive | |
Define confidentiality controls. CC ID 01908 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Establish/Maintain Documentation | Preventive | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Process or Activity | Preventive | |
Define integrity controls. CC ID 01909 [Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined analysis] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services. SR-4(4) ¶ 1 Implement the following mechanisms to protect the integrity of boot firmware in [Assignment: organization-defined system components]: [Assignment: organization-defined mechanisms]. SI-7(10) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 [Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined analysis] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services. SR-4(4) ¶ 1 Verify the integrity of the boot process of the following system components: [Assignment: organization-defined system components]. SI-7(9) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Define availability controls. CC ID 01911 | Establish/Maintain Documentation | Preventive | |
Classify assets according to the Asset Classifi |