Security and Privacy Control Collaboration Index ... - NIST



Security and Privacy Control Collaboration Index Template

This collaboration index template supports information security and privacy program collaboration to help ensure that the objectives of both disciplines are met and that risks are appropriately managed. It is an optional tool for information security and privacy programs to identify the degree of collaboration needed between security and privacy programs with respect to the selection and/or implementation of controls in NIST Special Publication (SP) 800-53, Revision 5. There may be circumstances where the selection and/or implementation of a control or control enhancement affects the ability of a security or privacy program to achieve its objectives and manage its respective risks. While the discussion section may highlight specific security and/or privacy considerations, they are not exhaustive. NIST encourages organizations to share feedback by sending an email to sec-cert@ to help improve the controls and supplemental materials.
ACCESS CONTROL FAMILY
control number | control name | control enhancement name | collaboration index value
AC-1 | Policy and Procedures | |
AC-2 | Account Management | |
AC-2(1) | | automated system account management |
AC-2(2) | | automated temporary and emergency account management |
AC-2(3) | | disable accounts |
AC-2(4) | | automated audit actions |
AC-2(5) | | inactivity logout |
AC-2(6) | | dynamic privilege management |
AC-2(7) | | privileged user accounts |
AC-2(8) | | dynamic account management |
AC-2(9) | | restrictions on use of shared and group accounts |
AC-2(10) | | shared and group account credential change |
AC-2(11) | | usage conditions |
AC-2(12) | | account monitoring for atypical usage |
AC-2(13) | | disable accounts for high-risk individuals |
AC-3 | Access Enforcement | |
AC-3(1) | | restricted access to privileged function |
AC-3(2) | | dual authorization |
AC-3(3) | | mandatory access control |
AC-3(4) | | discretionary access control |
AC-3(5) | | security-relevant information |
AC-3(6) | | protection of user and system information |
AC-3(7) | | role-based access control |
AC-3(8) | | revocation of access authorizations |
AC-3(9) | | controlled release |
AC-3(10) | | audited override of access control mechanisms |
AC-3(11) | | restrict access to specific information types |
AC-3(12) | | assert and enforce application access |
AC-3(13) | | attribute-based access control |
AC-3(14) | | individual access |
AC-3(15) | | discretionary and mandatory access control |
AC-4 | Information Flow Enforcement | |
AC-4(1) | | object security and privacy attributes |
AC-4(2) | | processing domains |
AC-4(3) | | dynamic information flow control |
AC-4(4) | | flow control of encrypted information |
AC-4(5) | | embedded data types |
AC-4(6) | | metadata |
AC-4(7) | | one-way flow mechanisms |
AC-4(8) | | security and privacy policy filters |
AC-4(9) | | human reviews |
AC-4(10) | | enable and disable security or privacy policy filters |
AC-4(11) | | configuration of security or privacy policy filters |
AC-4(12) | | data type identifiers |
AC-4(13) | | decomposition into policy-relevant subcomponents |
AC-4(14) | | security or privacy policy filter constraints |
AC-4(15) | | detection of unsanctioned information |
AC-4(16) | | information transfers on interconnected systems |
AC-4(17) | | domain authentication |
AC-4(18) | | security attribute binding |
AC-4(19) | | validation of metadata |
AC-4(20) | | approved solutions |
AC-4(21) | | physical or logical separation of information flows |
AC-4(22) | | access only |
AC-4(23) | | modify non-releasable information |
AC-4(24) | | internal normalized format |
AC-4(25) | | data sanitization |
AC-4(26) | | audit filtering actions |
AC-4(27) | | redundant/independent filtering mechanisms |
AC-4(28) | | linear filter pipelines |
AC-4(29) | | filter orchestration engines |
AC-4(30) | | filter mechanisms using multiple processes |
AC-4(31) | | failed content transfer prevention |
AC-4(32) | | process requirements for information transfer |
AC-5 | Separation of Duties | |
AC-6 | Least Privilege | |
AC-6(1) | | authorize access to security functions |
AC-6(2) | | non-privileged access for nonsecurity functions |
AC-6(3) | | network access to privileged commands |
AC-6(4) | | separate processing domains |
AC-6(5) | | privileged accounts |
AC-6(6) | | privileged access by non-organizational users |
AC-6(7) | | review of user privileges |
AC-6(8) | | privilege levels for code execution |
AC-6(9) | | log use of privileged functions |
AC-6(10) | | prohibit non-privileged users from executing privileged functions |
AC-7 | Unsuccessful Logon Attempts | |
AC-7(1) | | automatic account lock |
AC-7(2) | | purge or wipe mobile device |
AC-7(3) | | biometric attempt limiting |
AC-7(4) | | use of alternate authentication factor |
AC-8 | System Use Notification | |
AC-9 | Previous Logon Notification | |
AC-9(1) | | unsuccessful logons |
AC-9(2) | | successful and unsuccessful logons |
AC-9(3) | | notification of account changes |
AC-9(4) | | additional logon information |
AC-10 | Concurrent Session Control | |
AC-11 | Device Lock | |
AC-11(1) | | pattern-hiding displays |
AC-12 | Session Termination | |
AC-12(1) | | user-initiated logouts |
AC-12(2) | | termination message |
AC-12(3) | | timeout warning message |
AC-13 | Supervision and Review - Access Control | |
AC-14 | Permitted Actions without Identification or Authentication | |
AC-14(1) | | necessary uses |
AC-15 | Automated Marking | |
AC-16 | Security and Privacy Attributes | |
AC-16(1) | | dynamic attribute association |
AC-16(2) | | attribute value changes by authorized individuals |
AC-16(3) | | maintenance of attribute associations by system |
AC-16(4) | | association of attributes by authorized individuals |
AC-16(5) | | attribute displays on objects to be output |
AC-16(6) | | maintenance of attribute association |
AC-16(7) | | consistent attribute interpretation |
AC-16(8) | | association techniques and technologies |
AC-16(9) | | attribute reassignment – regrading mechanisms |
AC-16(10) | | attribute configuration by authorized individuals |
AC-17 | Remote Access | |
AC-17(1) | | monitoring and control |
AC-17(2) | | protection of confidentiality and integrity using encryption |
AC-17(3) | | managed access control points |
AC-17(4) | | privileged commands and access |
AC-17(5) | | monitoring for unauthorized connections |
AC-17(6) | | protection of mechanism information |
AC-17(7) | | additional protection for security function access |
AC-17(8) | | disable nonsecure network protocols |
AC-17(9) | | disconnect or disable access |
AC-17(10) | | authenticate remote commands |
AC-18 | Wireless Access | |
AC-18(1) | | authentication and encryption |
AC-18(2) | | monitoring unauthorized connections |
AC-18(3) | | disable wireless networking |
AC-18(4) | | restrict configurations by users |
AC-18(5) | | antennas and transmission power levels |
AC-19 | Access Control for Mobile Devices | |
AC-19(1) | | use of writable and portable storage devices |
AC-19(2) | | use of personally owned portable storage devices |
AC-19(3) | | use of portable storage devices with no identifiable owner |
AC-19(4) | | restrictions for classified information |
AC-19(5) | | full device or container-based encryption |
AC-20 | Use of External Systems | |
AC-20(1) | | limits on authorized use |
AC-20(2) | | portable storage devices — restricted use |
AC-20(3) | | non-organizationally owned systems — restricted use |
AC-20(4) | | network accessible storage devices — prohibited use |
AC-20(5) | | portable storage devices — prohibited use |
AC-21 | Information Sharing | |
AC-21(1) | | automated decision support |
AC-21(2) | | information search and retrieval |
AC-22 | Publicly Accessible Content | |
AC-23 | Data Mining Protection | |
AC-24 | Access Control Decisions | |
AC-24(1) | | transmit access authorization information |
AC-24(2) | | no user or process identity |
AC-25 | Reference Monitor | |

AWARENESS AND TRAINING FAMILY
control number | control name | control enhancement name | collaboration index value
AT-1 | Policy and Procedures | |
AT-2 | Literacy Training and Awareness | |
AT-2(1) | | practical exercises |
AT-2(2) | | insider threat |
AT-2(3) | | social engineering and mining |
AT-2(4) | | suspicious communications and anomalous system behavior |
AT-2(5) | | advanced persistent threat |
AT-2(6) | | cyber threat environment |
AT-3 | Role-Based Training | |
AT-3(1) | | environmental controls |
AT-3(2) | | physical security controls |
AT-3(3) | | practical exercises |
AT-3(4) | | suspicious communications and anomalous system behavior |
AT-3(5) | | processing personally identifiable information |
AT-4 | Training Records | |
AT-5 | Contacts with Security Groups and Associations | |
AT-6 | Training Feedback | |

AUDIT AND ACCOUNTABILITY FAMILY
control number | control name | control enhancement name | collaboration index value
AU-1 | Policy and Procedures | |
AU-2 | Event Logging | |
AU-2(1) | | compilation of audit records from multiple sources |
AU-2(2) | | selection of audit events by component |
AU-2(3) | | reviews and updates |
AU-2(4) | | privileged functions |
AU-3 | Content of Audit Records | |
AU-3(1) | | additional audit information |
AU-3(2) | | centralized management of planned audit record content |
AU-3(3) | | limit personally identifiable information elements |
AU-4 | Audit Log Storage Capacity | |
AU-4(1) | | transfer to alternate storage |
AU-5 | Response to Audit Logging Process Failures | |
AU-5(1) | | storage capacity warning |
AU-5(2) | | real-time alerts |
AU-5(3) | | configurable traffic volume thresholds |
AU-5(4) | | shutdown on failure |
AU-5(5) | | alternate audit logging capability |
AU-6 | Audit Record Review, Analysis, and Reporting | |
AU-6(1) | | automated process integration |
AU-6(2) | | automated security alerts |
AU-6(3) | | correlate audit record repositories |
AU-6(4) | | central review and analysis |
AU-6(5) | | integrated analysis of audit records |
AU-6(6) | | correlation with physical monitoring |
AU-6(7) | | permitted actions |
AU-6(8) | | full text analysis of privileged commands |
AU-6(9) | | correlation with information from nontechnical sources |
AU-6(10) | | audit level adjustment |
AU-7 | Audit Record Reduction and Report Generation | |
AU-7(1) | | automatic processing |
AU-7(2) | | automatic search and sort |
AU-8 | Time Stamps | |
AU-8(1) | | synchronization with authoritative time source |
AU-8(2) | | secondary authoritative time source |
AU-9 | Protection of Audit Information | |
AU-9(1) | | hardware write-once media |
AU-9(2) | | store on separate physical systems or components |
AU-9(3) | | cryptographic protection |
AU-9(4) | | access by subset of privileged users |
AU-9(5) | | dual authorization |
AU-9(6) | | read-only access |
AU-9(7) | | store on component with different operating system |
AU-10 | Non-repudiation | |
AU-10(1) | | association of identities |
AU-10(2) | | validate binding of information producer identity |
AU-10(3) | | chain of custody |
AU-10(4) | | validate binding of information reviewer identity |
AU-10(5) | | digital signatures |
AU-11 | Audit Record Retention | |
AU-11(1) | | long-term retrieval capability |
AU-12 | Audit Record Generation | |
AU-12(1) | | system-wide and time-correlated audit trail |
AU-12(2) | | standardized formats |
AU-12(3) | | changes by authorized individuals |
AU-12(4) | | query parameter audits of personally identifiable information |
AU-13 | Monitoring for Information Disclosure | |
AU-13(1) | | use of automated tools |
AU-13(2) | | review of monitored sites |
AU-13(3) | | unauthorized replication of information |
AU-14 | Session Audit | |
AU-14(1) | | system start-up |
AU-14(2) | | capture and record content |
AU-14(3) | | remote viewing and listening |
AU-15 | Alternate Audit Logging Capability | |
AU-16 | Cross-Organizational Audit Logging | |
AU-16(1) | | identity preservation |
AU-16(2) | | sharing of audit information |
AU-16(3) | | disassociability |

ASSESSMENT, AUTHORIZATION, AND MONITORING FAMILY
control number | control name | control enhancement name | collaboration index value
CA-1 | Policy and Procedures | |
CA-2 | Control Assessments | |
CA-2(1) | | independent assessors |
CA-2(2) | | specialized assessments |
CA-2(3) | | leveraging results from external organizations |
CA-3 | Information Exchange | |
CA-3(1) | | unclassified national security connections |
CA-3(2) | | classified national security system connections |
CA-3(3) | | unclassified non-national security system connections |
CA-3(4) | | connections to public networks |
CA-3(5) | | restrictions on external system connections |
CA-3(6) | | transfer authorizations |
CA-3(7) | | transitive information exchanges |
CA-4 | Security Certification | |
CA-5 | Plan of Action and Milestones | |
CA-5(1) | | automation support for accuracy and currency |
CA-6 | Authorization | |
CA-6(1) | | joint authorization — intra-organization |
CA-6(2) | | joint authorization — inter-organization |
CA-7 | Continuous Monitoring | |
CA-7(1) | | independent assessment |
CA-7(2) | | types of assessments |
CA-7(3) | | trend analyses |
CA-7(4) | | risk monitoring |
CA-7(5) | | consistency analysis |
CA-7(6) | | automation support for monitoring |
CA-8 | Penetration Testing | |
CA-8(1) | | independent penetration testing agent or team |
CA-8(2) | | red team exercises |
CA-8(3) | | facility penetration testing |
CA-9 | Internal System Connections | |
CA-9(1) | | compliance checks |

CONFIGURATION MANAGEMENT FAMILY
control number | control name | control enhancement name | collaboration index value
CM-1 | Policy and Procedures | |
CM-2 | Baseline Configuration | |
CM-2(1) | | reviews and updates |
CM-2(2) | | automation support for accuracy and currency |
CM-2(3) | | retention of previous configurations |
CM-2(4) | | unauthorized software |
CM-2(5) | | authorized software |
CM-2(6) | | development and test environments |
CM-2(7) | | configure systems and components for high-risk areas |
CM-3 | Configuration Change Control | |
CM-3(1) | | automated documentation, notification, and prohibition of changes |
CM-3(2) | | testing, validation, and documentation of changes |
CM-3(3) | | automated change implementation |
CM-3(4) | | security and privacy representatives |
CM-3(5) | | automated security response |
CM-3(6) | | cryptography management |
CM-3(7) | | review system changes |
CM-3(8) | | prevent or restrict configuration changes |
CM-4 | Impact Analyses | |
CM-4(1) | | separate test environments |
CM-4(2) | | verification of controls |
CM-5 | Access Restrictions for Change | |
CM-5(1) | | automated access enforcement and audit records |
CM-5(2) | | review system changes |
CM-5(3) | | signed components |
CM-5(4) | | dual authorization |
CM-5(5) | | privilege limitation for production and operation |
CM-5(6) | | limit library privileges |
CM-5(7) | | automatic implementation of security safeguards |
CM-6 | Configuration Settings | |
CM-6(1) | | automated management, application, and verification |
CM-6(2) | | respond to unauthorized changes |
CM-6(3) | | unauthorized change detection |
CM-6(4) | | conformance demonstration |
CM-7 | Least Functionality | |
CM-7(1) | | periodic review |
CM-7(2) | | prevent program execution |
CM-7(3) | | registration compliance |
CM-7(4) | | unauthorized software |
CM-7(5) | | authorized software |
CM-7(6) | | confined environments with limited privileges |
CM-7(7) | | code execution in protected environments |
CM-7(8) | | binary or machine executable code |
CM-7(9) | | prohibiting the use of unauthorized hardware |
CM-8 | System Component Inventory | |
CM-8(1) | | updates during installation and removal |
CM-8(2) | | automated maintenance |
CM-8(3) | | automated unauthorized component detection |
CM-8(4) | | accountability information |
CM-8(5) | | no duplicate accounting of components |
CM-8(6) | | assessed configurations and approved deviations |
CM-8(7) | | centralized repository |
CM-8(8) | | automated location tracking |
CM-8(9) | | assignment of components to systems |
CM-9 | Configuration Management Plan | |
CM-9(1) | | assignment of responsibility |
CM-10 | Software Usage Restrictions | |
CM-10(1) | | open-source software |
CM-11 | User-Installed Software | |
CM-11(1) | | alerts for unauthorized installations |
CM-11(2) | | software installation with privileged status |
CM-11(3) | | automated enforcement and monitoring |
CM-12 | Information Location | |
CM-12(1) | | automated tools to support information location |
CM-13 | Data Action Mapping | |
CM-14 | Signed Components | |

CONTINGENCY PLANNING FAMILY
control number | control name | control enhancement name | collaboration index value
CP-1 | Policy and Procedures | |
CP-2 | Contingency Plan | |
CP-2(1) | | coordinate with related plans |
CP-2(2) | | capacity planning |
CP-2(3) | | resume mission and business functions |
CP-2(4) | | resume all mission and business functions |
CP-2(5) | | continue mission and business functions |
CP-2(6) | | alternate processing and storage sites |
CP-2(7) | | coordinate with external service providers |
CP-2(8) | | identify critical assets |
CP-3 | Contingency Training | |
CP-3(1) | | simulated events |
CP-3(2) | | mechanisms used in training environments |
CP-4 | Contingency Plan Testing | |
CP-4(1) | | coordinate with related plans |
CP-4(2) | | alternate processing site |
CP-4(3) | | automated testing |
CP-4(4) | | full recovery and reconstitution |
CP-4(5) | | self-challenge |
CP-5 | Contingency Plan Update | |
CP-6 | Alternate Storage Site | |
CP-6(1) | | separation from primary site |
CP-6(2) | | recovery time and recovery point objectives |
CP-6(3) | | accessibility |
CP-7 | Alternate Processing Site | |
CP-7(1) | | separation from primary site |
CP-7(2) | | accessibility |
CP-7(3) | | priority of service |
CP-7(4) | | preparation for use |
CP-7(5) | | equivalent information security safeguards |
CP-7(6) | | inability to return to primary site |
CP-8 | Telecommunications Services | |
CP-8(1) | | priority of service provisions |
CP-8(2) | | single points of failure |
CP-8(3) | | separation of primary and alternate providers |
CP-8(4) | | provider contingency plan |
CP-8(5) | | alternate telecommunication service testing |
CP-9 | System Backup | |
CP-9(1) | | testing for reliability and integrity |
CP-9(2) | | test restoration using sampling |
CP-9(3) | | separate storage for critical information |
CP-9(4) | | protection from unauthorized modification |
CP-9(5) | | transfer to alternate storage site |
CP-9(6) | | redundant secondary system |
CP-9(7) | | dual authorization |
CP-9(8) | | cryptographic protection |
CP-10 | System Recovery and Reconstitution | |
CP-10(1) | | contingency plan testing |
CP-10(2) | | transaction recovery |
CP-10(3) | | compensating security controls |
CP-10(4) | | restore within time period |
CP-10(5) | | failover capability |
CP-10(6) | | component protection |
CP-11 | Alternate Communications Protocols | |
CP-12 | Safe Mode | |
CP-13 | Alternative Security Mechanisms | |

IDENTIFICATION AND AUTHENTICATION FAMILY
control number | control name | control enhancement name | collaboration index value
IA-1 | Policy and Procedures | |
IA-2 | Identification and Authentication (Organizational Users) | |
IA-2(1) | | multi-factor authentication to privileged accounts |
IA-2(2) | | multi-factor authentication to non-privileged accounts |
IA-2(3) | | local access to privileged accounts |
IA-2(4) | | local access to non-privileged accounts |
IA-2(5) | | individual authentication with group authentication |
IA-2(6) | | access to accounts — separate device |
IA-2(7) | | network access to non-privileged accounts — separate device |
IA-2(8) | | access to accounts — replay resistant |
IA-2(9) | | network access to non-privileged accounts — replay resistant |
IA-2(10) | | single sign-on |
IA-2(11) | | remote access — separate device |
IA-2(12) | | acceptance of piv credentials |
IA-2(13) | | out-of-band authentication |
IA-3 | Device Identification and Authentication | |
IA-3(1) | | cryptographic bidirectional authentication |
IA-3(2) | | cryptographic bidirectional network authentication |
IA-3(3) | | dynamic address allocation |
IA-3(4) | | device attestation |
IA-4 | Identifier Management | |
IA-4(1) | | prohibit account identifiers as public identifiers |
IA-4(2) | | supervisor authorization |
IA-4(3) | | multiple forms of certification |
IA-4(4) | | identify user status |
IA-4(5) | | dynamic management |
IA-4(6) | | cross-organization management |
IA-4(7) | | in-person registration |
IA-4(8) | | pairwise pseudonymous identifiers |
IA-4(9) | | attribute maintenance and protection |
IA-5 | Authenticator Management | |
IA-5(1) | | password-based authentication |
IA-5(2) | | public key-based authentication |
IA-5(3) | | in-person or trusted external party registration |
IA-5(4) | | automated support for password strength determination |
IA-5(5) | | change authenticators prior to delivery |
IA-5(6) | | protection of authenticators |
IA-5(7) | | no embedded unencrypted static authenticators |
IA-5(8) | | multiple system accounts |
IA-5(9) | | federated credential management |
IA-5(10) | | dynamic credential binding |
IA-5(11) | | hardware token-based authentication |
IA-5(12) | | biometric authentication performance |
IA-5(13) | | expiration of cached authenticators |
IA-5(14) | | managing content of pki trust stores |
IA-5(15) | | gsa-approved products and services |
IA-5(16) | | in-person or trusted external party authenticator issuance |
IA-5(17) | | presentation attack detection for biometric authenticators |
IA-5(18) | | password managers |
IA-6 | Authentication Feedback | |
IA-7 | Cryptographic Module Authentication | |
IA-8 | Identification and Authentication (Non-Organizational Users) | |
IA-8(1) | | acceptance of piv credentials from other agencies |
IA-8(2) | | acceptance of external authenticators |
IA-8(3) | | use of ficam-approved products |
IA-8(4) | | use of defined profiles |
IA-8(5) | | acceptance of piv-i credentials |
IA-8(6) | | disassociability |
IA-9 | Service Identification and Authentication | |
IA-9(1) | | information exchange |
IA-9(2) | | transmission of decisions |
IA-10 | Adaptive Authentication | |
IA-11 | Re-authentication | |
IA-12 | Identity Proofing | |
IA-12(1) | | supervisor authorization |
IA-12(2) | | identity evidence |
IA-12(3) | | identity evidence validation and verification |
IA-12(4) | | in-person validation and verification |
IA-12(5) | | address confirmation |
IA-12(6) | | accept externally-proofed identities |

INCIDENT RESPONSE FAMILY
control number | control name | control enhancement name | collaboration index value
IR-1 | Policy and Procedures | |
IR-2 | Incident Response Training | |
IR-2(1) | | simulated events |
IR-2(2) | | automated training environments |
IR-2(3) | | breach |
IR-3 | Incident Response Testing | |
IR-3(1) | | automated testing |
IR-3(2) | | coordination with related plans |
IR-3(3) | | continuous improvement |
IR-4 | Incident Handling | |
IR-4(1) | | automated incident handling processes |
IR-4(2) | | dynamic reconfiguration |
IR-4(3) | | continuity of operations |
IR-4(4) | | information correlation |
IR-4(5) | | automatic disabling of system |
IR-4(6) | | insider threats |
IR-4(7) | | insider threats — intra-organization coordination |
IR-4(8) | | correlation with external organizations |
IR-4(9) | | dynamic response capability |
IR-4(10) | | supply chain coordination |
IR-4(11) | | integrated incident response team |
IR-4(12) | | malicious code and forensic analysis |
IR-4(13) | | behavior analysis |
IR-4(14) | | security operations center |
IR-4(15) | | public relations and reputation repair |
IR-5 | Incident Monitoring | |
IR-5(1) | | automated tracking, data collection, and analysis |
IR-6 | Incident Reporting | |
IR-6(1) | | automated reporting |
IR-6(2) | | vulnerabilities related to incidents |
IR-6(3) | | supply chain coordination |
IR-7 | Incident Response Assistance | |
IR-7(1) | | automation support for availability of information and support |
IR-7(2) | | coordination with external providers |
IR-8 | Incident Response Plan | |
IR-8(1) | | breaches |
IR-9 | Information Spillage Response | |
IR-9(1) | | responsible personnel |
IR-9(2) | | training |
IR-9(3) | | post-spill operations |
IR-9(4) | | exposure to unauthorized personnel |

MAINTENANCE FAMILY
control number | control name | control enhancement name | collaboration index value
MA-1 | Policy and Procedures | |
MA-2 | Controlled Maintenance | |
MA-2(1) | | record content |
MA-2(2) | | automated maintenance activities |
MA-3 | Maintenance Tools | |
MA-3(1) | | inspect tools |
MA-3(2) | | inspect media |
MA-3(3) | | prevent unauthorized removal |
MA-3(4) | | restricted tool use |
MA-3(5) | | execution with privilege |
MA-3(6) | | software updates and patches |
MA-4 | Nonlocal Maintenance | |
MA-4(1) | | logging and review |
MA-4(2) | | document nonlocal maintenance |
MA-4(3) | | comparable security and sanitization |
MA-4(4) | | authentication and separation of maintenance sessions |
MA-4(5) | | approvals and notifications |
MA-4(6) | | cryptographic protection |
MA-4(7) | | disconnect verification |
MA-5 | Maintenance Personnel | |
MA-5(1) | | individuals without appropriate access |
MA-5(2) | | security clearances for classified systems |
MA-5(3) | | citizenship requirements for classified systems |
MA-5(4) | | foreign nationals |
MA-5(5) | | non-system maintenance |
MA-6 | Timely Maintenance | |
MA-6(1) | | preventive maintenance |
MA-6(2) | | predictive maintenance |
MA-6(3) | | automated support for predictive maintenance |
MA-7 | Field Maintenance | |

MEDIA PROTECTION FAMILY
control number | control name | control enhancement name | collaboration index value
MP-1 | Policy and Procedures | |
MP-2 | Media Access | |
MP-2(1) | | automated restricted access |
MP-2(2) | | cryptographic protection |
MP-3 | Media Marking | |
MP-4 | Media Storage | |
MP-4(1) | | cryptographic protection |
MP-4(2) | | automated restricted access |
MP-5 | Media Transport | |
MP-5(1) | | protection outside of controlled areas |
MP-5(2) | | documentation of activities |
MP-5(3) | | custodians |
MP-5(4) | | cryptographic protection |
MP-6 | Media Sanitization | |
MP-6(1) | | review, approve, track, document, and verify |
MP-6(2) | | equipment testing |
MP-6(3) | | nondestructive techniques |
MP-6(4) | | controlled unclassified information |
MP-6(5) | | classified information |
MP-6(6) | | media destruction |
MP-6(7) | | dual authorization |
MP-6(8) | | remote purging or wiping of information |
MP-7 | Media Use | |
MP-7(1) | | prohibit use without owner |
MP-7(2) | | prohibit use of sanitization-resistant media |
MP-8 | Media Downgrading | |
MP-8(1) | | documentation of process |
MP-8(2) | | equipment testing |
MP-8(3) | | controlled unclassified information |
MP-8(4) | | classified information |

PHYSICAL AND ENVIRONMENTAL PROTECTION FAMILY
control number | control name | control enhancement name | collaboration index value
PE-1 | Policy and Procedures | |
PE-2 | Physical Access Authorizations | |
PE-2(1) | | access by position and role |
PE-2(2) | | two forms of identification |
PE-2(3) | | restrict unescorted access |
PE-3 | Physical Access Control | |
PE-3(1) | | system access |
PE-3(2) | | facility and systems |
PE-3(3) | | continuous guards |
PE-3(4) | | lockable casings |
PE-3(5) | | tamper protection |
PE-3(6) | | facility penetration testing |
PE-3(7) | | physical barriers |
PE-3(8) | | access control vestibules |
PE-4 | Access Control for Transmission | |
PE-5 | Access Control for Output Devices | |
PE-5(1) | | access to output by authorized individuals |
PE-5(2) | | link to individual identity |
PE-5(3) | | marking output devices |
PE-6 | Monitoring Physical Access | |
PE-6(1) | | intrusion alarms and surveillance equipment |
PE-6(2) | | automated intrusion recognition and responses |
PE-6(3) | | video surveillance |
PE-6(4) | | monitoring physical access to systems |
PE-7 | Visitor Control | |
PE-8 | Visitor Access Records | |
PE-8(1) | | automated records maintenance and review |
PE-8(2) | | physical access records |
PE-8(3) | | limit personally identifiable information elements |
PE-9 | Power Equipment and Cabling | |
PE-9(1) | | redundant cabling |
PE-9(2) | | automatic voltage controls |
PE-10 | Emergency Shutoff | |
PE-10(1) | | accidental and unauthorized activation |
PE-11 | Emergency Power | |
PE-11(1) | | alternate power supply — minimal operational capability |
PE-11(2) | | alternate power supply — self-contained |
PE-12 | Emergency Lighting | |
PE-12(1) | | essential mission and business functions |
PE-13 | Fire Protection | |
PE-13(1) | | detection systems — automatic activation and notification |
PE-13(2) | | suppression systems — automatic activation and notification |
PE-13(3) | | automatic fire suppression |
PE-13(4) | | inspections |
PE-14 | Environmental Controls | |
PE-14(1) | | automatic controls |
PE-14(2) | | monitoring with alarms and notifications |
PE-15 | Water Damage Protection | |
PE-15(1) | | automation support |
PE-16 | Delivery and Removal | |
PE-17 | Alternate Work Site | |
PE-18 | Location of System Components | |
PE-18(1) | | facility site |
PE-19 | Information Leakage | |
PE-19(1) | | national emissions and tempest policies and procedures |
PE-20 | Asset Monitoring and Tracking | |
PE-21 | Electromagnetic Pulse Protection | |
PE-22 | Component Marking | |
PE-23 | Facility Location | |

PLANNING FAMILY
control number | control name | control enhancement name | collaboration index value
PL-1 | Policy and Procedures | |
PL-2 | System Security and Privacy Plans | |
PL-2(1) | | concept of operations |
PL-2(2) | | functional architecture |
PL-2(3) | | plan and coordinate with other organizational entities |
PL-3 | System Security Plan Update | |
PL-4 | Rules of Behavior | |
PL-4(1) | | social media and external site/application usage restrictions |
PL-5 | Privacy Impact Assessment | |
PL-6 | Security-Related Activity Planning | |
PL-7 | Concept of Operations | |
PL-8 | Security and Privacy Architectures | |
PL-8(1) | | defense in depth |
PL-8(2) | | supplier diversity |
PL-9 | Central Management | |
PL-10 | Baseline Selection | |
PL-11 | Baseline Tailoring | |

PROGRAM MANAGEMENT FAMILY
control number | control name | control enhancement name | collaboration index value
PM-1 | Information Security Program Plan | |
PM-2 | Information Security Program Leadership Role | |
PM-3 | Information Security and Privacy Resources | |
PM-4 | Plan of Action and Milestones Process | |
PM-5 | System Inventory | |
PM-5(1) | | inventory of personally identifiable information |
PM-6 | Measures of Performance | |
PM-7 | Enterprise Architecture | |
PM-7(1) | | offloading |
PM-8 | Critical Infrastructure Plan | |
PM-9 | Risk Management Strategy | |
PM-10 | Authorization Process | |
PM-11 | Mission and Business Process Definition | |
PM-12 | Insider Threat Program | |
PM-13 | Security and Privacy Workforce | |
PM-14 | Testing, Training, and Monitoring | |
PM-15 | Security and Privacy Groups and Associations | |
PM-16 | Threat Awareness Program | |
PM-16(1) | | automated means for sharing threat intelligence |
PM-17 | Protecting Controlled Unclassified Information on External Systems | |
PM-18 | Privacy Program Plan | |
PM-19 | Privacy Program Leadership Role | |
PM-20 | Dissemination of Privacy Program Information | |
PM-20(1) | | privacy policies on websites, applications, and digital services |
PM-21 | Accounting of Disclosures | |
PM-22 | Personally Identifiable Information Quality Management | |
PM-23 | Data Governance Body | |
PM-24 | Data Integrity Board | |
PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | |
PM-26 | Complaint Management | |
PM-27 | Privacy Reporting | |
PM-28 | Risk Framing | |
PM-29 | Risk Management Program Leadership Roles | |
PM-30 | Supply Chain Risk Management Strategy | |
PM-30(1) | | suppliers of critical or mission-essential items |
PM-31 | Continuous Monitoring Strategy | |
PM-32 | Purposing | |

PERSONNEL SECURITY FAMILY
control number | control name | control enhancement name | collaboration index value
PS-1 | Policy and Procedures | |
PS-2 | Position Risk Designation | |
PS-3 | Personnel Screening | |
PS-3(1) | | classified information |
PS-3(2) | | formal indoctrination |
PS-3(3) | | information with special protection measures |
PS-3(4) | | citizenship requirements |
PS-4 | Personnel Termination | |
PS-4(1) | | post-employment requirements |
PS-4(2) | | automated actions |
PS-5 | Personnel Transfer | |
PS-6 | Access Agreements | |
PS-6(1) | | information requiring special protection |
PS-6(2) | | classified information requiring special protection |
PS-6(3) | | post-employment requirements |
PS-7 | External Personnel Security | |
PS-8 | Personnel Sanctions | |
PS-9 | Position Descriptions | |

PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY FAMILY
control number | control name | control enhancement name | collaboration index value
PT-1 | Policy and Procedures | |
PT-2 | Authority to Process Personally Identifiable Information | |
PT-2(1) | | data tagging |
PT-2(2) | | automation |
PT-3 | Personally Identifiable Information Processing Purposes | |
PT-3(1) | | data tagging |
PT-3(2) | | automation |
PT-4 | Consent | |
PT-4(1) | | tailored consent |
PT-4(2) | | just-in-time consent |
PT-4(3) | | revocation |
PT-5 | Privacy Notice | |
PT-5(1) | | just-in-time notice |
PT-5(2) | | privacy act statements |
PT-6 | System of Records Notice | |
PT-6(1) | | routine uses |
PT-6(2) | | exemption rules |
PT-7 | Specific Categories of Personally Identifiable Information | |
PT-7(1) | | social security numbers |
PT-7(2) | | first amendment information |
PT-8 | Computer Matching Requirements | |

RISK ASSESSMENT FAMILY
control number | control name | control enhancement name | collaboration index value
RA-1 | Policy and Procedures | |
RA-2 | Security Categorization | |
RA-2(1) | | impact-level prioritization |
RA-3 | Risk Assessment | |
RA-3(1) | | supply chain risk assessment |
RA-3(2) | | use of all-source intelligence |
RA-3(3) | | dynamic threat awareness |
RA-3(4) | | predictive cyber analytics |
RA-4 | Risk Assessment Update | |
RA-5 | Vulnerability Monitoring and Scanning | |
RA-5(1) | | update tool capability |
RA-5(2) | | update vulnerabilities to be scanned |
RA-5(3) | | breadth and depth of coverage |
RA-5(4) | | discoverable information |
RA-5(5) | | privileged access |
RA-5(6) | | automated trend analyses |
RA-5(7) | | automated detection and notification of unauthorized components |
RA-5(8) | | review historic audit logs |
RA-5(9) | | penetration testing and analyses |
RA-5(10) | | correlate scanning information |
RA-5(11) | | public disclosure program |
RA-6 | Technical Surveillance Countermeasures Survey | |
RA-7 | Risk Response | |
RA-8 | Privacy Impact Assessments | |
RA-9 | Criticality Analysis | |
RA-10 | Threat Hunting | |

SYSTEM AND SERVICES ACQUISITION FAMILY
control number | control name | control enhancement name | collaboration index value
SA-1 | Policy and Procedures | |
SA-2 | Allocation of Resources | |
SA-3 | System Development Life Cycle | |
SA-3(1) | | manage preproduction environment |
SA-3(2) | | use of live or operational data |
SA-3(3) | | technology refresh |
SA-4 | Acquisition Process | |
SA-4(1) | | functional properties of controls |
SA-4(2) | | design and implementation information for controls |
SA-4(3) | | development methods, techniques, and practices |
SA-4(4) | | assignment of components to systems |
SA-4(5) | | system, component, and service configurations |
SA-4(6) | | use of information assurance products |
SA-4(7) | | niap-approved protection profiles |
SA-4(8) | | continuous monitoring plan for controls |
SA-4(9) | | functions, ports, protocols, and services in use |
SA-4(10) | | use of approved piv products |
SA-4(11) | | system of records |
SA-4(12) | | data ownership |
SA-5 | System Documentation | |
SA-5(1) | | functional properties of security controls |
SA-5(2) | | security-relevant external system interfaces |
SA-5(3) | | high-level design |
SA-5(4) | | low-level design |
SA-5(5) | | source code |
SA-6 | Software Usage Restrictions | |
SA-7 | User-Installed Software | |
SA-8 | Security and Privacy Engineering Principles | |
SA-8(1) | | clear abstractions |
SA-8(2) | | least common mechanism |
SA-8(3) | | modularity and layering |
SA-8(4) | | partially ordered dependencies |
SA-8(5) | | efficiently mediated access |
SA-8(6) | | minimized sharing |
SA-8(7) | | reduced complexity |
SA-8(8) | | secure evolvability |
SA-8(9) | | trusted components |
SA-8(10) | | hierarchical trust |
SA-8(11) | | inverse modification threshold |
SA-8(12) | | hierarchical protection |
SA-8(13) | | minimized security elements |
SA-8(14) | | least privilege |
SA-8(15) | | predicate permission |
SA-8(16) | | self-reliant trustworthiness |
SA-8(17) | | secure distributed composition |
SA-8(18) | | trusted communications channels |
SA-8(19) | | continuous protection |
SA-8(20) | | secure metadata management |
SA-8(21) | | self-analysis |
SA-8(22) | | accountability and traceability |
SA-8(23) | | secure defaults |
SA-8(24) | | secure failure and recovery |
SA-8(25) | | economic security |
SA-8(26) | | performance security |
SA-8(27) | | human factored security |
SA-8(28) | | acceptable security |
SA-8(29) | | repeatable and documented procedures |
SA-8(30) | | procedural rigor |
SA-8(31) | | secure system modification |
SA-8(32) | | sufficient documentation |
SA-8(33) | | minimization |
SA-9 | External System Services | |
SA-9(1) | | risk assessments and organizational approvals |
SA-9(2) | | identification of functions, ports, protocols, and services |
SA-9(3) | | establish and maintain trust relationship with providers |
SA-9(4) | | consistent interests of consumers and providers |
SA-9(5) | | processing, storage, and service location |
SA-9(6) | | organization-controlled cryptographic keys |
SA-9(7) | | organization-controlled integrity checking |
SA-9(8) | | processing and storage location — u.s. jurisdiction |
SA-10 | Developer Configuration Management | |
SA-10(1) | | software and firmware integrity verification |
SA-10(2) | | alternative configuration management processes |
SA-10(3) | | hardware integrity verification |
SA-10(4) | | trusted generation |
SA-10(5) | | mapping integrity for version control |
SA-10(6) | | trusted distribution |
SA-10(7) | | security and privacy representatives |
SA-11 | Developer Testing and Evaluation | |
SA-11(1) | | static code analysis |
SA-11(2) | | threat modeling and vulnerability analyses |
SA-11(3) | | independent verification of assessment plans and evidence |
SA-11(4) | | manual code reviews |
SA-11(5) | | penetration testing |
SA-11(6) | | attack surface reviews |
SA-11(7) | | verify scope of testing and evaluation |
SA-11(8) | | dynamic code analysis |
SA-11(9) | | interactive application security testing |
SA-12 | Supply Chain Protection | |
SA-12(1) | | acquisition strategies, tools, and methods |
SA-12(2) | | supplier reviews |
SA-12(3) | | trusted shipping and warehousing |
SA-12(4) | | diversity of suppliers |
SA-12(5) | | limitation of harm |
SA-12(6) | | minimizing procurement time |
SA-12(7) | | assessments prior to selection / acceptance / update |
SA-12(8) | | use of all-source intelligence |
SA-12(9) | | operations security |
SA-12(10) | | validate as genuine and not altered |
SA-12(11) | | penetration testing / analysis of elements, processes, and actors |
SA-12(12) | | inter-organizational agreements |
SA-12(13) | | critical information system components |
SA-12(14) | | identity and traceability |
SA-12(15) | | process to address weaknesses or deficiencies |
SA-13 | Trustworthiness | |
SA-14 | Criticality Analysis | |
SA-14(1) | | critical components with no viable alternative sourcing |
SA-15 | Development Process, Standards, and Tools | |
SA-15(1) | | quality metrics |
SA-15(2) | | security and privacy tracking tools |
SA-15(3) | | criticality analysis |
SA-15(4) | | threat modeling and vulnerability analysis |
SA-15(5) | | attack surface reduction |
SA-15(6) | | continuous improvement |
SA-15(7) | | automated vulnerability analysis |
SA-15(8) | | reuse of threat and vulnerability information |
SA-15(9) | | use of live data |
SA-15(10) | | incident response plan |
SA-15(11) | | archive system or component |
SA-15(12) | | minimize personally identifiable information |
SA-16 | Developer-Provided Training | |
SA-17 | Developer Security and Privacy Architecture and Design | |
SA-17(1) | | formal policy model |
SA-17(2) | | security-relevant components |
SA-17(3) | | formal correspondence |
SA-17(4) | | informal correspondence |
SA-17(5) | | conceptually simple design |
SA-17(6) | | structure for testing |
SA-17(7) | | structure for least privilege |
SA-17(8) | | orchestration |
SA-17(9) | | design diversity |
SA-18 | Tamper Resistance and Detection | |
SA-18(1) | | multiple phases of system development life cycle |
SA-18(2) | | inspection of systems or components |
SA-19 | Component Authenticity | |
SA-19(1) | | anti-counterfeit training |
SA-19(2) | | configuration control for component service and repair |
SA-19(3) | | component disposal |
SA-19(4) | | anti-counterfeit scanning |
SA-20 | Customized Development of Critical Components | |
SA-21 | Developer Screening | |
SA-21(1) | | validation of screening |
SA-22 | Unsupported System Components | |
SA-22(1) | | alternative sources for continued support |
SA-23 | Specialization | |

SYSTEM AND COMMUNICATIONS PROTECTION FAMILY
control number | control name | control enhancement name | collaboration index value
SC-1 | Policy and Procedures | |
SC-2 | Separation of System and User Functionality | |
SC-2(1) | | interfaces for non-privileged users |
SC-2(2) | | disassociability |
SC-3 | Security Function Isolation | |
SC-3(1) | | hardware separation |
SC-3(2) | | access and flow control functions |
SC-3(3) | | minimize nonsecurity functionality |
SC-3(4) | | module coupling and cohesiveness |
SC-3(5) | | layered structures |
SC-4 | Information in Shared System Resources | |
SC-4(1) | | security levels |
SC-4(2) | | multilevel or periods processing |
SC-5 | Denial-of-Service Protection | |
SC-5(1) | | restrict ability to attack other systems |
SC-5(2) | | capacity, bandwidth, and redundancy |
SC-5(3) | | detection and monitoring |
SC-6 | Resource Availability | |
SC-7 | Boundary Protection | |
SC-7(1) | | physically separated subnetworks |
SC-7(2) | | public access |
SC-7(3) | | access points |
SC-7(4) | | external telecommunications services |
SC-7(5) | | deny by default — allow by exception |
SC-7(6) | | response to recognized failures |
SC-7(7) | | split tunneling for remote devices |
SC-7(8) | | route traffic to authenticated proxy servers |
SC-7(9) | | restrict threatening outgoing communications traffic |
SC-7(10) | | prevent exfiltration |
SC-7(11) | | restrict incoming communications traffic |
SC-7(12) | | host-based protection |
SC-7(13) | | isolation of security tools, mechanisms, and support components |
SC-7(14) | | protect against unauthorized physical connections |
SC-7(15) | | networked privileged accesses |
SC-7(16) | | prevent discovery of system components |
SC-7(17) | | automated enforcement of protocol formats |
SC-7(18) | | fail secure |
SC-7(19) | | block communication from non-organizationally configured hosts |
SC-7(20) | | dynamic isolation and segregation |
SC-7(21) | | isolation of system components |
SC-7(22) | | separate subnets for connecting to different security domains |
SC-7(23) | | disable sender feedback on protocol validation failure |
SC-7(24) | | personally identifiable information |
SC-7(25) | | unclassified national security connections |
SC-7(26) | | classified national security system connections |
SC-7(27) | | unclassified non-national security system connections |
SC-7(28) | | connections to public networks |
SC-7(29) | | separate subnets to isolate functions |
SC-8 | Transmission Confidentiality and Integrity | |
SC-8(1) | | cryptographic protection |
SC-8(2) | | pre- and post-transmission handling |
SC-8(3) | | cryptographic protection for message externals |
SC-8(4) | | conceal or randomize communications |
SC-8(5) | | protected distribution |
systemSC-9Transmission ConfidentialitySC-10Network DisconnectSC-11Trusted PathSC-11(1)irrefutable communications pathSC-12Cryptographic Key Establishment and Management SC-12(1)availabilitySC-12(2)symmetric keysSC-12(3)asymmetric keysSC-12(4)pki certificatesSC-12(5)pki certificates / hardware tokensSC-12(6)physical control of keysSC-13Cryptographic ProtectionSC-13(1)fips-validated cryptographySC-13(2)nsa-approved cryptographySC-13(3)individuals without formal access approvalsSC-13(4)digital signaturesSC-14Public Access ProtectionsSC-15Collaborative Computing Devices and ApplicationsSC-15(1)physical or logical disconnectSC-15(2)blocking inbound and outbound communications trafficSC-15(3)disabling and removal in secure work areasSC-15(4)explicitly indicate current participantsSC-16Transmission of Security and Privacy AttributesSC-16(1)integrity verificationSC-16(2)anti-spoofing mechanismsSC-16(3)cryptographic bindingSC-17Public Key Infrastructure CertificatesSC-18Mobile CodeSC-18(1)identify unacceptable code and take corrective actionsSC-18(2)acquisition, development, and useSC-18(3)prevent downloading and executionSC-18(4)prevent automatic executionSC-18(5)allow execution only in confined environmentsSC-19Voice over Internet ProtocolSC-20Secure Name/Address Resolution Service(Authoritative Source)SC-20(1)child subspacesSC-20(2)data origin and integritySC-21Secure Name/Address Resolution Service(Recursive or Caching Resolver)SC-21(1)data origin and integritySC-22Architecture and Provisioning forName/Address Resolution ServiceSC-23Session AuthenticitySC-23(1)invalidate session identifiers at logoutSC-23(2)user-initiated logouts and message displaysSC-23(3)unique system-generated session identifiersSC-23(4)unique session identifiers with randomizationSC-23(5)allowed certificate authoritiesSC-24Fail in Known StateSC-25Thin NodesSC-26DecoysSC-26(1)detection of malicious codeSC-27Platform-Independent ApplicationsSC-28Protection of Information at RestSC-28(1)cryptographic 
protectionSC-28(2)offline storageSC-28(3)cryptographic keysSC-29HeterogeneitySC-29(1)virtualization techniquesSC-30Concealment and MisdirectionSC-30(1)virtualization techniquesSC-30(2)randomnessSC-30(3)change processing and storage locationsSC-30(4)misleading informationSC-30(5)concealment of system componentsSC-31Covert Channel AnalysisSC-31(1)test covert channels for exploitabilitySC-31(2)maximum bandwidthSC-31(3)measure bandwidth in operational environmentsSC-32System PartitioningSC-32(1)separate physical domains for privileged functionsSC-33Transmission Preparation IntegritySC-34Non-Modifiable Executable ProgramsSC-34(1)no writable storageSC-34(2)integrity protection and read-only mediaSC-34(3)hardware-based protectionSC-35External Malicious Code IdentificationSC-36Distributed Processing and StorageSC-36(1)polling techniquesSC-36(2)synchronizationSC-37Out-of-Band ChannelsSC-37(1)ensure delivery and transmissionSC-38Operations SecuritySC-39Process IsolationSC-39(1)hardware separationSC-39(2)separate execution domain per threadSC-40Wireless Link ProtectionSC-40(1)electromagnetic interferenceSC-40(2)reduce detection potentialSC-40(3)imitative or manipulative communications deceptionSC-40(4)signal parameter identificationSC-41Port and I/O Device AccessSC-42Sensor Capability and DataSC-42(1)reporting to authorized individuals or rolesSC-42(2)authorized useSC-42(3)prohibit use of devicesSC-42(4)notice of collectionSC-42(5)collection minimizationSC-43Usage RestrictionsSC-44Detonation ChambersSC-45System Time SynchronizationSC-45(1)synchronization with authoritative time sourceSC-45(2)secondary authoritative time sourceSC-46Cross Domain Policy EnforcementSC-47Alternate Communications PathsSC-48Sensor RelocationSC-48(1)dynamic relocation of sensors or monitoring capabilitiesSC-49Hardware-Enforced Separation and Policy EnforcementSC-50Software-Enforced Separation and Policy EnforcementSC-51Hardware-Based ProtectionSYSTEM AND INFORMATION INTEGRITY 
FAMILYcontrolnumbercontrol namecontrol enhancement nameCOLLABORATION INDEX VALUESI-1Policy and ProceduresSI-2Flaw RemediationSI-2(1)central managementSI-2(2)automated flaw remediation statusSI-2(3)time to remediate flaws and benchmarks for corrective actionsSI-2(4)automated patch management toolsSI-2(5)automatic software and firmware updatesSI-2(6)removal of previous versions of software and firmwareSI-3Malicious Code ProtectionSI-3(1)central managementSI-3(2)automatic updatesSI-3(3)non-privileged usersSI-3(4)updates only by privileged usersSI-3(5)portable storage devicesSI-3(6)testing and verificationSI-3(7)nonsignature-based detectionSI-3(8)detect unauthorized commandsSI-3(9)authenticate remote commandsSI-3(10)malicious code analysisSI-4System MonitoringSI-4(1)system-wide intrusion detection systemSI-4(2)automated tools and mechanisms for real-time analysisSI-4(3)automated tool and mechanism integrationSI-4(4)inbound and outbound communications trafficSI-4(5)system-generated alertsSI-4(6)restrict non-privileged usersSI-4(7)automated response to suspicious eventsSI-4(8)protection of monitoring informationSI-4(9)testing of monitoring tools and mechanismsSI-4(10)visibility of encrypted communicationsSI-4(11)analyze communications traffic anomaliesSI-4(12)automated organization-generated alertsSI-4(13)analyze traffic and event patternsSI-4(14)wireless intrusion detectionSI-4(15)wireless to wireline communicationsSI-4(16)correlate monitoring informationSI-4(17)integrated situational awarenessSI-4(18)analyze traffic and covert exfiltrationSI-4(19)risk for individualsSI-4(20)privileged usersSI-4(21)probationary periodsSI-4(22)unauthorized network servicesSI-4(23)host-based devicesSI-4(24)indicators of compromiseSI-4(25)optimize network traffic analysisSI-5Security Alerts, Advisories, and DirectivesSI-5(1)automated alerts and advisoriesSI-6Security and Privacy Function VerificationSI-6(1)notification of failed security testsSI-6(2)automation support for distributed 
testingSI-6(3)report verification resultsSI-7Software, Firmware, and Information IntegritySI-7(1)integrity checksSI-7(2)automated notifications of integrity violationsSI-7(3)centrally managed integrity toolsSI-7(4)tamper-evident packagingSI-7(5)automated response to integrity violationsSI-7(6)cryptographic protectionSI-7(7)integration of detection and responseSI-7(8)auditing capability for significant eventsSI-7(9)verify boot processSI-7(10)protection of boot firmwareSI-7(11)confined environments with limited privilegesSI-7(12)integrity verificationSI-7(13)code execution in protected environmentsSI-7(14)binary or machine executable codeSI-7(15)code authenticationSI-7(16)time limit on process execution without supervisionSI-7(17)runtime application self-protectionSI-8Spam ProtectionSI-8(1)central managementSI-8(2)automatic updatesSI-8(3)continuous learning capabilitySI-9Information Input RestrictionsSI-10Information Input ValidationSI-10(1)manual override capabilitySI-10(2)review and resolve errorsSI-10(3)predictable behaviorSI-10(4)timing interactionsSI-10(5)restrict inputs to trusted sources and approved formatsSI-10(6)injection preventionSI-11Error HandlingSI-12Information Management and Retention SI-12(1)limit personally identifiable information elementsSI-12(2)minimize personally identifiable information in testing, training, and researchSI-12(3)information disposalSI-13Predictable Failure PreventionSI-13(1)transferring component responsibilitiesSI-13(2)time limit on process execution without supervisionSI-13(3)manual transfer between componentsSI-13(4)standby component installation and notificationSI-13(5)failover capabilitySI-14Non-PersistenceSI-14(1)refresh from trusted sourcesSI-14(2)non-persistent informationSI-14(3)non-persistent connectivitySI-15Information Output FilteringSI-16Memory ProtectionSI-17Fail-Safe ProceduresSI-18Personally Identifiable Information Quality OperationsSI-18(1)automation supportSI-18(2)data tagsSI-18(3)collectionSI-18(4) 
individual requestsSI-18(5)notice of correction or deletionSI-19De-IdentificationSI-19(1)collectionSI-19(2)archivingSI-19(3)releaseSI-19(4)removal, masking, encryption, hashing, or replacement of direct identifiersSI-19(5)statistical disclosure controlSI-19(6)differential privacySI-19(7)validated algorithms softwareSI-19(8)motivated intruderSI-20TaintingSI-21Information RefreshSI-22Information DiversitySI-23Information FragmentationSUPPLY CHAIN RISK MANAGEMENT FAMILYcontrolnumbercontrol namecontrol enhancement nameCOLLABORATION INDEX VALUESR-1Policy and ProceduresSR-2Supply Chain Risk Management PlanSR-2(1)establish scrm teamSR-3Supply Chain Controls and ProcessesSR-3(1)diverse supply baseSR-3(2)limitation of harmSR-3(3)sub-tier flow downSR-4ProvenanceSR-4(1)identitySR-4(2)track and traceSR-4(3)validate as genuine and not alteredSR-4(4)supply chain integrity — pedigreeSR-5Acquisition Strategies, Tools, and MethodsSR-5(1)adequate supplySR-5(2)assessments prior to selection, acceptance, modification, or updateSR-6Supplier Assessments and ReviewsSR-6(1)testing and analysisSR-7Supply Chain Operations SecuritySR-8Notification AgreementsSR-9Tamper Resistance and DetectionSR-9(1)multiple stages of system development life cycleSR-10Inspection of Systems or ComponentsSR-11Component AuthenticitySR-11(1)anti-counterfeit trainingSR-11(2)configuration control for component service and repairSR-11(3)anti-counterfeit scanning SR-12Component Disposal ................