Side-by-side Presentation of
NIST Special Publication 800-53 Revision 4
and the
DISA FSO Control Correlation Identifier (CCI) List
This table presents the security controls from NIST SP 800-53 Revision 4 next to their rewritten form in the DISA FSO CCI list, where each control statement is broken into separately identified items (CCIs). The table is designed to foster conversation about how to use the security controls.
Discussion topics include the difference in purpose between the two documents: Appendix H of NIST SP 800-53 describes high-level intentions, while this table is designed to facilitate coordination and implementation between organizations.
NIST ID NIST Text CCI Identifiers and Text
AC-1 ACCESS CONTROL : ACCESS CONTROL POLICY AND PROCEDURES
AC-1 The organization:
AC-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
AC-1a.1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
AC-1 a 1
(CCI-000001)
The organization develops an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
AC-1 a 1
(CCI-000002)
The organization disseminates the access control policy to organization-defined personnel or roles.
AC-1 a 1
(CCI-002106)
The organization documents the access control policy.
AC-1 a 1
(CCI-002107)
The organization defines the personnel or roles to be recipients of the access control policy necessary to facilitate the implementation of the access control policy and associated access controls.
AC-1 a 1
(CCI-002108)
The organization defines the personnel or roles to be recipients of the procedures necessary to facilitate the implementation of the access control policy and associated access controls.
AC-1a.2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
AC-1 a 2
(CCI-000004)
The organization develops procedures to facilitate the implementation of the access control policy and associated access controls.
AC-1 a 2
(CCI-000005)
The organization disseminates the procedures to facilitate the implementation of the access control policy and associated access controls to organization-defined personnel or roles.
AC-1 a 2
(CCI-002109)
The organization documents procedures to facilitate the implementation of the access control policy and associated access controls.
AC-1b. Reviews and updates the current:
AC-1b.1. Access control policy [Assignment: organization-defined frequency]; and
AC-1 b 1
(CCI-001545)
The organization defines a frequency for reviewing and updating the access control policy.
AC-1 b 1
(CCI-000003)
The organization reviews and updates the access control policy in accordance with organization-defined frequency.
AC-1b.2. Access control procedures [Assignment: organization-defined frequency].
AC-1 b 2
(CCI-001546)
The organization defines a frequency for reviewing and updating the access control procedures.
AC-1 b 2
(CCI-000006)
The organization reviews and updates the access control procedures in accordance with organization-defined frequency.
AC-2 ACCESS CONTROL : ACCOUNT MANAGEMENT
AC-2 The organization:
AC-2a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
AC-2 a
(CCI-002110)
The organization defines the information system account types that support the organizational missions/business functions.
AC-2 a
(CCI-002111)
The organization identifies and selects the organization-defined information system account types of information system accounts which support organizational missions/business functions.
AC-2b. Assigns account managers for information system accounts;
AC-2 b
(CCI-002112)
The organization assigns account managers for information system accounts.
AC-2c. Establishes conditions for group and role membership;
AC-2 c
(CCI-000008)
The organization establishes conditions for group membership.
AC-2 c
(CCI-002113)
The organization establishes conditions for role membership.
AC-2d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
AC-2 d
(CCI-002114)
The organization specifies authorized users of the information system for each account.
AC-2 d
(CCI-002115)
The organization specifies authorized users of the information system.
AC-2 d
(CCI-002116)
The organization specifies authorized group membership on the information system.
AC-2 d
(CCI-002117)
The organization specifies authorized role membership on the information system.
AC-2 d
(CCI-002118)
The organization specifies access authorizations (i.e., privileges) for each account on the information system.
AC-2 d
(CCI-002119)
The organization specifies other attributes for each account on the information system.
AC-2e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
AC-2 e
(CCI-000010)
The organization requires approvals by organization-defined personnel or roles for requests to create information system accounts.
AC-2 e
(CCI-002120)
The organization defines the personnel or roles authorized to approve the creation of information system accounts.
AC-2f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
AC-2 f
(CCI-000011)
The organization creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions.
AC-2 f
(CCI-002121)
The organization defines the procedures or conditions to be employed when creating, enabling, modifying, disabling, and removing information system accounts.
AC-2g. Monitors the use of information system accounts;
AC-2 g
(CCI-002122)
The organization monitors the use of information system accounts.
AC-2h. Notifies account managers:
AC-2h.1. When accounts are no longer required;
AC-2 h 1
(CCI-002123)
The organization notifies account managers when accounts are no longer required.
AC-2h.2. When users are terminated or transferred; and
AC-2 h 2
(CCI-002124)
The organization notifies account managers when users are terminated or transferred.
AC-2h.3. When individual information system usage or need-to-know changes;
AC-2 h 3
(CCI-002125)
The organization notifies account managers when individual information system usage or need-to-know changes.
AC-2i. Authorizes access to the information system based on:
AC-2i.1. A valid access authorization;
AC-2i.2. Intended system usage; and
AC-2i.3. Other attributes as required by the organization or associated missions/business functions;
AC-2j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
AC-2 j
(CCI-001547)
The organization defines the frequency at which it will review information system accounts for compliance with account management requirements.
AC-2 j
(CCI-000012)
The organization reviews information system accounts for compliance with account management requirements per organization-defined frequency.
AC-2k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
AC-2 k
(CCI-002129)
The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
AUTOMATED SYSTEM ACCOUNT MANAGEMENT
AC-2 (1) The organization employs automated mechanisms to support the management of information system accounts.
AC-2 (1)
(CCI-000015)
The organization employs automated mechanisms to support the information system account management functions.
REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS
AC-2 (2) The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
AC-2 (2)
(CCI-000016)
The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account.
AC-2 (2)
(CCI-001361)
The organization defines a time period after which temporary accounts are automatically terminated.
AC-2 (2)
(CCI-001365)
The organization defines a time period after which emergency accounts are automatically terminated.
AC-2 (2)
(CCI-001682)
The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account.
DISABLE INACTIVE ACCOUNTS
AC-2 (3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
AC-2 (3)
(CCI-000017)
The information system automatically disables inactive accounts after an organization-defined time period.
AC-2 (3)
(CCI-000217)
The organization defines a time period after which inactive accounts are automatically disabled.
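AC-2(2) and AC-2(3) above come down to the same mechanism: compare each account's creation time or last activity against an organization-defined period and remove or disable the account once that period is exceeded. The following Python is an added example, not part of the NIST or DISA text; the time periods, the account types, the inventory and the names in it are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Organization-defined time periods. These values are assumptions chosen for
# the example; NIST leaves each of them as an [Assignment] for the organization.
TEMPORARY_ACCOUNT_LIFETIME = timedelta(hours=72)  # AC-2(2), temporary accounts
EMERGENCY_ACCOUNT_LIFETIME = timedelta(hours=24)  # AC-2(2), emergency accounts
INACTIVITY_PERIOD = timedelta(days=35)            # AC-2(3), every account


@dataclass
class Account:
    name: str
    kind: str                       # "standard", "temporary" or "emergency"
    created: datetime
    last_login: Optional[datetime]  # None when the account has never logged in
    enabled: bool = True


def action_for(account: Account, now: datetime):
    """Return ("remove" | "disable", reason) for an account that has aged out,
    or None when no action is due. AC-2(2) is checked before AC-2(3) because an
    expired temporary or emergency account must go regardless of recent use."""
    if not account.enabled:
        return None  # already disabled; nothing further to do here
    age = now - account.created
    if account.kind == "temporary" and age > TEMPORARY_ACCOUNT_LIFETIME:
        return ("remove", "AC-2(2): temporary account lifetime exceeded")
    if account.kind == "emergency" and age > EMERGENCY_ACCOUNT_LIFETIME:
        return ("remove", "AC-2(2): emergency account lifetime exceeded")
    # An account that has never logged in counts as inactive since creation,
    # so the inactivity clock cannot be dodged by never using the account.
    last_activity = account.last_login or account.created
    if now - last_activity > INACTIVITY_PERIOD:
        return ("disable", "AC-2(3): inactive beyond organization-defined period")
    return None


def review_accounts(accounts, now: datetime):
    """Map account name -> (action, reason) for every account needing action."""
    result = {}
    for account in accounts:
        action = action_for(account, now)
        if action:
            result[account.name] = action
    return result


def ts(year, month, day, hour=0):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed sample inventory; names and dates are invented for the example.
NOW = ts(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "standard", ts(2023, 1, 1), ts(2024, 2, 27)),
    Account("bob", "standard", ts(2023, 6, 1), ts(2024, 1, 10)),        # 51 days idle
    Account("carol", "standard", ts(2024, 1, 1), None),                 # never used
    Account("svc_tmp01", "temporary", ts(2024, 2, 20), ts(2024, 2, 21)),
    Account("breakglass", "emergency", ts(2024, 2, 29, 12), None),      # 12 h old
    Account("dave", "standard", ts(2022, 1, 1), ts(2022, 6, 1), enabled=False),
]

if __name__ == "__main__":
    for name, (action, reason) in review_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{action:8} {name:12} {reason}")
```

Run as a script it lists `bob` and `carol` for disabling and `svc_tmp01` for removal; `alice` is active, `breakglass` is inside its 24-hour window, and `dave` is already disabled. In a real deployment the inventory would come from the directory or `/etc/shadow` and `lastlog`, and the two periods would be whatever the organization assigned for CCI-001361, CCI-001365 and CCI-000217.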
AUTOMATED AUDIT ACTIONS
AC-2 (4) The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
AC-2 (4)
(CCI-000018)
The information system automatically audits account creation actions.
AC-2 (4)
(CCI-001403)
The information system automatically audits account modification actions.
AC-2 (4)
(CCI-001404)
The information system automatically audits account disabling actions.
AC-2 (4)
(CCI-001405)
The information system automatically audits account removal actions.
AC-2 (4)
(CCI-001683)
The information system notifies organization-defined personnel or roles for account creation actions.
AC-2 (4)
(CCI-001684)
The information system notifies organization-defined personnel or roles for account modification actions.
AC-2 (4)
(CCI-001685)
The information system notifies organization-defined personnel or roles for account disabling actions.
AC-2 (4)
(CCI-001686)
The information system notifies organization-defined personnel or roles for account removal actions.
AC-2 (4)
(CCI-002130)
The information system automatically audits account enabling actions.
AC-2 (4)
(CCI-002131)
The organization defines the personnel or roles to be notified on account creation, modification, enabling, disabling, and removal actions.
AC-2 (4)
(CCI-002132)
The information system notifies organization-defined personnel or roles for account enabling actions.
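AC-2(4) asks the information system to do two things: audit account creation, modification, enabling, disabling and removal actions, and notify organization-defined personnel or roles of each. As an added example that is not part of the NIST or DISA text, the following Python classifies syslog lines written in the style of the shadow-utils tools (useradd, usermod, userdel) into those five action types and builds the notifications. The sample log lines, the host and account names, the recipient roles and the message patterns are all constructed for this example.

```python
import re

# Syslog prefix: "Mar  1 09:12:01 host1 useradd[2211]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tool>\w+)\[\d+\]: (?P<message>.*)$"
)

# Message patterns mapped to the five AC-2(4) action types. The patterns are
# written for the constructed sample below; a real deployment would match the
# exact wording of the tools, directory service or IdP in use.
PATTERNS = [
    ("creation",     re.compile(r"^new user: name=(?P<account>[\w.-]+)")),
    ("removal",      re.compile(r"^delete user '(?P<account>[\w.-]+)'")),
    ("disabling",    re.compile(r"^lock user '(?P<account>[\w.-]+)' password")),
    ("enabling",     re.compile(r"^unlock user '(?P<account>[\w.-]+)' password")),
    ("modification", re.compile(r"^add '(?P<account>[\w.-]+)' to group '(?P<group>[\w.-]+)'")),
    ("modification", re.compile(r"^change user '(?P<account>[\w.-]+)' ")),
]

# Organization-defined personnel or roles per action (CCI-002131); the role
# names are assumptions for the example.
RECIPIENTS_BY_ACTION = {
    "creation":     ["account-manager", "isso"],
    "modification": ["account-manager"],
    "enabling":     ["account-manager", "isso"],
    "disabling":    ["account-manager"],
    "removal":      ["account-manager", "isso"],
}


def classify(message):
    """Return (action, captured fields) for an account management message, else None."""
    for action, pattern in PATTERNS:
        m = pattern.match(message)
        if m:
            return action, m.groupdict()
    return None


def audit_account_events(lines):
    """Turn raw syslog lines into structured audit records for AC-2(4) actions."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not syslog-shaped; skip rather than guess
        hit = classify(m.group("message"))
        if hit is None:
            continue  # e.g. sshd logins: audited elsewhere, not an account action
        action, fields = hit
        event = {"timestamp": m.group("timestamp"), "host": m.group("host"),
                 "tool": m.group("tool"), "action": action,
                 "message": m.group("message")}
        event.update(fields)
        events.append(event)
    return events


def build_notifications(events):
    """Fan each audited action out to its organization-defined recipients."""
    out = []
    for e in events:
        for recipient in RECIPIENTS_BY_ACTION.get(e["action"], []):
            out.append((recipient,
                        f"{e['timestamp']} {e['host']}: account {e['action']} "
                        f"for '{e['account']}' via {e['tool']}"))
    return out


# Constructed sample log; hosts, names, PIDs and times are invented.
SAMPLE_LOG = [
    "Mar  1 09:12:01 host1 useradd[2211]: new user: name=tempadmin, UID=1105, GID=1105, home=/home/tempadmin, shell=/bin/bash",
    "Mar  1 09:12:40 host1 usermod[2230]: add 'tempadmin' to group 'sudo'",
    "Mar  1 09:13:02 host1 sshd[2250]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Mar  1 10:01:13 host1 usermod[2301]: change user 'bob' password",
    "Mar  1 11:20:44 host1 usermod[2402]: lock user 'carol' password",
    "Mar  1 11:25:10 host1 usermod[2410]: unlock user 'carol' password",
    "Mar  1 12:00:00 host1 userdel[2500]: delete user 'tempadmin'",
]

if __name__ == "__main__":
    for recipient, text in build_notifications(audit_account_events(SAMPLE_LOG)):
        print(f"-> {recipient}: {text}")
```

The sshd line is deliberately included to show that the classifier only reacts to account management actions; everything else passes through untouched. Note that the second sample line adds `tempadmin` to `sudo`, which is exactly the kind of modification AC-2(7)(b) also wants watched for privileged role assignments.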
INACTIVITY LOGOUT
AC-2 (5) The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].
AC-2 (5)
(CCI-000019)
The organization requires that users log out in accordance with the organization-defined time period of inactivity or description of when to log out.
AC-2 (5)
(CCI-001406)
The organization defines a time period of expected inactivity when users are required to log out.
AC-2 (5)
(CCI-002133)
The organization defines other conditions when users are required to log out.
DYNAMIC PRIVILEGE MANAGEMENT
AC-2 (6) The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities].
AC-2 (6)
(CCI-002134)
The organization defines a list of dynamic privilege management capabilities to be implemented by the information system.
AC-2 (6)
(CCI-002135)
The information system implements the organization-defined list of dynamic privilege management capabilities.
ROLE-BASED SCHEMES
AC-2 (7) The organization:
AC-2 (7)(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
AC-2 (7) (a)
(CCI-001407)
The organization administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
AC-2 (7) (a)
(CCI-001358)
The organization establishes privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
AC-2 (7)(b) Monitors privileged role assignments; and
AC-2 (7) (b)
(CCI-001360)
The organization monitors privileged role assignments.
AC-2 (7)(c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
AC-2 (7) (c)
(CCI-002136)
The organization defines the actions to be taken when privileged role assignments are no longer appropriate.
AC-2 (7) (c)
(CCI-002137)
The organization takes organization-defined actions when privileged role assignments are no longer appropriate.
DYNAMIC ACCOUNT CREATION
AC-2 (8) The information system creates [Assignment: organization-defined information system accounts] dynamically.
AC-2 (8)
(CCI-002138)
The organization defines the information system accounts that can be dynamically created.
AC-2 (8)
(CCI-002139)
The information system creates organization-defined information system accounts dynamically.
RESTRICTIONS ON USE OF SHARED GROUPS / ACCOUNTS
AC-2 (9) The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts].
AC-2 (9)
(CCI-002140)
The organization defines the conditions for establishing shared/group accounts.
AC-2 (9)
(CCI-002141)
The organization only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts.
SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION
AC-2 (10) The information system terminates shared/group account credentials when members leave the group.
AC-2 (10)
(CCI-002142)
The information system terminates shared/group account credentials when members leave the group.
USAGE CONDITIONS
AC-2 (11) The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts].
AC-2 (11)
(CCI-002143)
The organization defines the circumstances and/or usage conditions that are to be enforced for organization-defined information system accounts.
AC-2 (11)
(CCI-002144)
The organization defines the information system accounts that are to be subject to the enforcement of organization-defined circumstances and/or usage conditions.
AC-2 (11)
(CCI-002145)
The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
ACCOUNT MONITORING / ATYPICAL USAGE
AC-2 (12) The organization:
AC-2 (12)(a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and
AC-2 (12) (a)
(CCI-002146)
The organization defines atypical usage for which the information system accounts are to be monitored.
AC-2 (12) (a)
(CCI-002147)
The organization monitors information system accounts for organization-defined atypical use.
AC-2 (12)(b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].
AC-2 (12) (b)
(CCI-002148)
The organization defines the personnel or roles to whom atypical usage of information system accounts is to be reported.
AC-2 (12) (b)
(CCI-002149)
The organization reports atypical usage of information system accounts to organization-defined personnel or roles.
DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS
AC-2 (13) The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk.
AC-2 (13)
(CCI-002150)
The organization defines the time period within which the accounts of users posing a significant risk are to be disabled after discovery of the risk.
AC-2 (13)
(CCI-002151)
The organization disables accounts of users posing a significant risk within an organization-defined time period of discovery of the risk.
AC-3 ACCESS CONTROL : ACCESS ENFORCEMENT
AC-3 The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-3
(CCI-000213)
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS
AC-3 (1) [Withdrawn: Incorporated into AC-6].
DUAL AUTHORIZATION
AC-3 (2) The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
AC-3 (2)
(CCI-000021)
The information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions.
AC-3 (2)
(CCI-001408)
The organization defines privileged commands for which dual authorization is to be enforced.
AC-3 (2)
(CCI-002152)
The organization defines other actions necessary for which dual authorization is to be enforced.
MANDATORY ACCESS CONTROL
AC-3 (3) The information system enforces [Assignment: organization-defined mandatory access control policies] over all subjects and objects where the policy specifies that:
AC-3 (3)
(CCI-002153)
The organization defines the mandatory access control policies that are to be enforced over all subjects and objects.
AC-3 (3)
(CCI-003014)
The information system enforces organization-defined mandatory access control policies over all subjects and objects.
AC-3 (3)(a) The policy is uniformly enforced across all subjects and objects within the boundary of the information system;
AC-3 (3) (a)
(CCI-002154)
The mandatory access control policy specifies that the policy is uniformly enforced across all subjects and objects within the boundary of the information system.
AC-3 (3)(b) A subject that has been granted access to information is constrained from doing any of the following:
AC-3 (3)(b)(1) Passing the information to unauthorized subjects or objects;
AC-3 (3) (b) (1)
(CCI-002155)
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects.
AC-3 (3)(b)(2) Granting its privileges to other subjects;
AC-3 (3) (b) (2)
(CCI-002156)
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from granting its privileges to other subjects.
AC-3 (3)(b)(3) Changing one or more security attributes on subjects, objects, the information system, or information system components;
AC-3 (3) (b) (3)
(CCI-002157)
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the information system, or information system components.
AC-3 (3)(b)(4) Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
AC-3 (3) (b) (4)
(CCI-002158)
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from choosing the security attributes to be associated with newly created or modified objects.
AC-3 (3) (b) (4)
(CCI-002159)
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from choosing the attribute values to be associated with newly created or modified objects.
AC-3 (3)(b)(5) Changing the rules governing access control; and
AC-3 (3) (b) (5)
(CCI-002160)
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from changing the rules governing access control.
AC-3 (3)(c) [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.
AC-3 (3) (c)
(CCI-002161)
The organization defines subjects which may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints.
AC-3 (3) (c)
(CCI-002162)
The organization defines the privileges that may explicitly be granted to organization-defined subjects such that they are not limited by some or all of the mandatory access control constraints.
AC-3 (3) (c)
(CCI-003015)
The mandatory access control policy specifies that organization-defined subjects may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints.
DISCRETIONARY ACCESS CONTROL
AC-3 (4) The information system enforces [Assignment: organization-defined discretionary access control policies] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following:
AC-3 (4)
(CCI-002163)
The organization defines the discretionary access control policies the information system is to enforce over subjects and objects.
AC-3 (4)
(CCI-002165)
The information system enforces organization-defined discretionary access control policies over defined subjects and objects.
AC-3 (4)(a) Pass the information to any other subjects or objects;
AC-3 (4)(b) Grant its privileges to other subjects;
AC-3 (4)(c) Change security attributes on subjects, objects, the information system, or the information system's components;
AC-3 (4)(d) Choose the security attributes to be associated with newly created or revised objects; or
AC-3 (4)(e) Change the rules governing access control.
SECURITY-RELEVANT INFORMATION
AC-3 (5) The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
AC-3 (5)
(CCI-000024)
The information system prevents access to organization-defined security-relevant information except during secure, non-operable system states.
AC-3 (5)
(CCI-001411)
The organization defines security-relevant information to which the information system prevents access except during secure, non-operable system states.
PROTECTION OF USER AND SYSTEM INFORMATION
AC-3 (6) [Withdrawn: Incorporated into MP-4 and SC-28].
ROLE-BASED ACCESS CONTROL
AC-3 (7) The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
AC-3 (7)
(CCI-002166)
The organization defines the role-based access control policies the information system is to enforce over all subjects and objects.
AC-3 (7)
(CCI-002167)
The organization defines the subjects over which the information system will enforce a role-based access control policy.
AC-3 (7)
(CCI-002168)
The organization defines the objects over which the information system will enforce a role-based access control policy.
AC-3 (7)
(CCI-002169)
The information system enforces a role-based access control policy over defined subjects and objects.
AC-3 (7)
(CCI-002170)
The information system controls access based upon organization-defined roles and users authorized to assume such roles.
AC-3 (7)
(CCI-002171)
The information system enforces a role-based access control policy over organization-defined subjects.
AC-3 (7)
(CCI-002172)
The information system enforces a role-based access control policy over organization-defined objects.
AC-3 (7)
(CCI-002173)
The organization defines the roles for which the information system will control access based upon the organization-defined role-based access control policy.
AC-3 (7)
(CCI-002174)
The organization defines the users for which the information system will control access based upon the organization-defined role-based access control policy.
AC-3 (7)
(CCI-002175)
The information system controls access based upon organization-defined roles, employing the organization-defined role-based access control policy.
AC-3 (7)
(CCI-002176)
The information system controls access based upon organization-defined users authorized to assume such roles, employing the organization-defined role-based access control policy.
REVOCATION OF ACCESS AUTHORIZATIONS
AC-3 (8) The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].
AC-3 (8)
(CCI-002177)
The organization defines the rules which will govern the timing of revocation of access authorizations.
AC-3 (8)
(CCI-002178)
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects based on organization-defined rules governing the timing of revocations of access authorizations.
AC-3 (8)
(CCI-002179)
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of objects based on organization-defined rules governing the timing of revocations of access authorizations.
CONTROLLED RELEASE
AC-3 (9) The information system does not release information outside of the established system boundary unless:
AC-3 (9)(a) The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and
AC-3 (9) (a)
(CCI-002180)
The organization defines the security safeguards the organization-defined information system or system component is to provide to protect information released outside the established system boundary.
AC-3 (9) (a)
(CCI-002181)
The organization defines the information systems or system components that are to provide organization-defined security safeguards to protect information released outside the established system boundary.
AC-3 (9) (a)
(CCI-002182)
The information system does not release information outside of the established system boundary unless the receiving organization-defined information system or system component provides organization-defined security safeguards.
AC-3 (9)(b) [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release.
AC-3 (9) (b)
(CCI-002183)
The organization defines the security safeguards to be used to validate the appropriateness of the information designated for release.
AC-3 (9) (b)
(CCI-002184)
The information system does not release information outside of the established system boundary unless organization-defined security safeguards are used to validate the appropriateness of the information designated for release.
AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS
AC-3 (10) The organization employs an audited override of automated access control mechanisms under [Assignment: organization-defined conditions].
AC-3 (10)
(CCI-002185)
The organization defines the conditions on which it will employ an audited override of automated access control mechanisms.
AC-3 (10)
(CCI-002186)
The organization employs an audited override of automated access control mechanisms under organization-defined conditions.
AC-4 ACCESS CONTROL : INFORMATION FLOW ENFORCEMENT
AC-4 The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
AC-4
(CCI-001548)
The organization defines the information flow control policies for controlling the flow of information within the system.
AC-4
(CCI-001549)
The organization defines the information flow control policies for controlling the flow of information between interconnected systems.
AC-4
(CCI-001550)
The organization defines approved authorizations for controlling the flow of information within the system.
AC-4
(CCI-001551)
The organization defines approved authorizations for controlling the flow of information between interconnected systems.
AC-4
(CCI-001414)
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
AC-4
(CCI-001368)
The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
OBJECT SECURITY ATTRIBUTES
AC-4 (1) The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
AC-4 (1)
(CCI-002187)
The organization defines the security attributes to be used to enforce organization-defined information flow control policies.
AC-4 (1)
(CCI-002188)
The organization defines the information, source, and destination objects with which the organization-defined security attributes are to be associated.
AC-4 (1)
(CCI-002189)
The organization defines the information flow control policies to be enforced for flow control decisions.
AC-4 (1)
(CCI-002190)
The information system uses organization-defined security attributes associated with organization-defined information, source, and destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.
PROCESSING DOMAINS
AC-4 (2) The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
AC-4 (2)
(CCI-000026)
The information system uses protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions.
AC-4 (2)
(CCI-002191)
The organization defines the information flow control policies to be enforced by the information system using protected processing domains.
DYNAMIC INFORMATION FLOW CONTROL
AC-4 (3) The information system enforces dynamic information flow control based on [Assignment: organization-defined policies].
AC-4 (3)
(CCI-000027)
The information system enforces dynamic information flow control based on organization-defined policies.
AC-4 (3)
(CCI-002192)
The organization defines the policies the information system is to enforce to achieve dynamic information flow control.
CONTENT CHECK ENCRYPTED INFORMATION
AC-4 (4) The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]].
AC-4 (4)
(CCI-000028)
The information system prevents encrypted information from bypassing content-checking mechanisms by employing organization-defined procedures or methods.
AC-4 (4)
(CCI-002193)
The organization defines procedures or methods to be employed by the information system to prevent encrypted information from bypassing content-checking mechanisms, such as decrypting the information, blocking the flow of the encrypted information, and/or terminating communications sessions attempting to pass encrypted information.
EMBEDDED DATA TYPES
AC-4 (5) The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types.
AC-4 (5)
(CCI-000029)
The information system enforces organization-defined limitations on the embedding of data types within other data types.
AC-4 (5)
(CCI-001415)
The organization defines limitations for the embedding of data types within other data types.
METADATA
AC-4 (6) The information system enforces information flow control based on [Assignment: organization-defined metadata].
AC-4 (6)
(CCI-000030)
The information system enforces information flow control based on organization-defined metadata.
AC-4 (6)
(CCI-002194)
The organization defines the metadata the information system uses to enforce information flow control.
ONE-WAY FLOW MECHANISMS
AC-4 (7) The information system enforces [Assignment: organization-defined one-way flows] using hardware mechanisms.
AC-4 (7)
(CCI-000031)
The information system enforces organization-defined one-way flows using hardware mechanisms.
AC-4 (7)
(CCI-001416)
The organization defines one-way information flows to be enforced by the information system.
SECURITY POLICY FILTERS
AC-4 (8) The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
AC-4 (8)
(CCI-000032)
The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.
AC-4 (8)
(CCI-001417)
The organization defines security policy filters to be enforced by the information system and used as a basis for flow control decisions.
AC-4 (8)
(CCI-002195)
The organization defines the information flows against which the organization-defined security policy filters are to be enforced.
HUMAN REVIEWS
AC-4 (9) The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].
AC-4 (9)
(CCI-002196)
The organization defines the information flows for which the information system will enforce the use of human reviews under organization-defined conditions.
AC-4 (9)
(CCI-002197)
The organization defines the conditions which will require the use of human reviews of organization-defined information flows.
AC-4 (9)
(CCI-002198)
The information system enforces the use of human reviews for organization-defined information flows under organization-defined conditions.
ENABLE / DISABLE SECURITY POLICY FILTERS
AC-4 (10) The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions].
AC-4 (10)
(CCI-001553)
The organization defines the security policy filters that privileged administrators have the capability to enable/disable.
AC-4 (10)
(CCI-000034)
The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions.
AC-4 (10)
(CCI-002199)
The organization defines the conditions under which the information system provides the capability for privileged administrators to enable/disable organization-defined security policy filters.
CONFIGURATION OF SECURITY POLICY FILTERS
AC-4 (11) The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies.
AC-4 (11)
(CCI-001554)
The organization defines the security policy filters that privileged administrators have the capability to configure.
AC-4 (11)
(CCI-000035)
The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.
DATA TYPE IDENTIFIERS
AC-4 (12) The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.
AC-4 (12)
(CCI-002200)
The organization defines the data type identifiers to be used to validate data being transferred between different security domains.
AC-4 (12)
(CCI-002201)
The information system, when transferring information between different security domains, uses organization-defined data type identifiers to validate data essential for information flow decisions.
DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS
AC-4 (13) The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
AC-4 (13)
(CCI-000219)
The information system, when transferring information between different security domains, decomposes information into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms.
AC-4 (13)
(CCI-002202)
The organization defines the policy-relevant subcomponents into which information being transferred between different security domains is to be decomposed for submission to policy enforcement mechanisms.
SECURITY POLICY FILTER CONSTRAINTS
AC-4 (14) The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content.
AC-4 (14)
(CCI-001371)
The organization defines information security policy filters requiring fully enumerated formats which are to be implemented when transferring information between different security domains.
AC-4 (14)
(CCI-001372)
The information system, when transferring information between different security domains, implements organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.
DETECTION OF UNSANCTIONED INFORMATION
AC-4 (15) The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy].
AC-4 (15)
(CCI-001373)
The information system, when transferring information between different security domains, examines the information for the presence of organization-defined unsanctioned information.
AC-4 (15)
(CCI-001374)
The information system, when transferring information between different security domains, prohibits the transfer of organization-defined unsanctioned information in accordance with the organization-defined security policy.
AC-4 (15)
(CCI-002203)
The organization defines the unsanctioned information the information system is to examine when transferring information between different security domains.
AC-4 (15)
(CCI-002204)
The organization defines a security policy which prohibits the transfer of unsanctioned information between different security domains.
INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS
AC-4 (16) [Withdrawn: Incorporated into AC-4].
DOMAIN AUTHENTICATION
AC-4 (17) The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer.
AC-4 (17)
(CCI-002205)
The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer.
AC-4 (17)
(CCI-002206)
The information system uniquely authenticates source by organization, system, application, and/or individual for information transfer.
AC-4 (17)
(CCI-002207)
The information system uniquely identifies and authenticates destination by organization, system, application, and/or individual for information transfer.
AC-4 (17)
(CCI-002208)
The information system uniquely authenticates destination by organization, system, application, and/or individual for information transfer.
SECURITY ATTRIBUTE BINDING
AC-4 (18) The information system binds security attributes to information using [Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement.
AC-4 (18)
(CCI-002209)
The organization defines the techniques to be used to bind security attributes to information.
AC-4 (18)
(CCI-002210)
The information system binds security attributes to information using organization-defined binding techniques to facilitate information flow policy enforcement.
VALIDATION OF METADATA
AC-4 (19) The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.
AC-4 (19)
(CCI-002211)
The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.
APPROVED SOLUTIONS
AC-4 (20) The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.
AC-4 (20)
(CCI-002212)
The organization defines the solutions in approved configurations to be employed to control the flow of organization-defined information across security domains.
AC-4 (20)
(CCI-002213)
The organization defines the information to be subjected to flow control across security domains.
AC-4 (20)
(CCI-002214)
The organization employs organization-defined solutions in approved configurations to control the flow of organization-defined information across security domains.
PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS
AC-4 (21) The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
AC-4 (21)
(CCI-002215)
The organization defines the mechanisms and/or techniques to be used to logically or physically separate information flows.
AC-4 (21)
(CCI-002216)
The organization defines the types of information required to accomplish logical or physical separation of information flows.
AC-4 (21)
(CCI-002217)
The information system separates information flows logically or physically using organization-defined mechanisms and/or techniques to accomplish organization-defined required separations by types of information.
ACCESS ONLY
AC-4 (22) The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.
AC-4 (22)
(CCI-002218)
The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.
AC-5 ACCESS CONTROL : SEPARATION OF DUTIES
AC-5 The organization:
AC-5a. Separates [Assignment: organization-defined duties of individuals];
AC-5 a
(CCI-000036)
The organization separates organization-defined duties of individuals.
AC-5 a
(CCI-002219)
The organization defines the duties of individuals that are to be separated.
AC-5b. Documents separation of duties of individuals; and
AC-5 b
(CCI-001380)
The organization documents separation of duties of individuals.
AC-5c. Defines information system access authorizations to support separation of duties.
AC-5 c
(CCI-002220)
The organization defines information system access authorizations to support separation of duties.
AC-6 ACCESS CONTROL : LEAST PRIVILEGE
AC-6 The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
AC-6
(CCI-000225)
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
AUTHORIZE ACCESS TO SECURITY FUNCTIONS
AC-6 (1) The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
AC-6 (1)
(CCI-001558)
The organization defines the security functions (deployed in hardware, software, and firmware) for which access must be explicitly authorized.
AC-6 (1)
(CCI-002221)
The organization defines the security-relevant information for which access must be explicitly authorized.
AC-6 (1)
(CCI-002222)
The organization explicitly authorizes access to organization-defined security functions.
AC-6 (1)
(CCI-002223)
The organization explicitly authorizes access to organization-defined security-relevant information.
NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS
AC-6 (2) The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.
AC-6 (2)
(CCI-000039)
The organization requires that users of information system accounts or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions.
AC-6 (2)
(CCI-001419)
The organization defines the security functions or security-relevant information to which users of information system accounts, or roles, have access.
NETWORK ACCESS TO PRIVILEGED COMMANDS
AC-6 (3) The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
AC-6 (3)
(CCI-000041)
The organization authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs.
AC-6 (3)
(CCI-000042)
The organization documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system.
AC-6 (3)
(CCI-001420)
The organization defines the privileged commands to which network access is to be authorized only for organization-defined compelling operational needs.
AC-6 (3)
(CCI-002224)
The organization defines the compelling operational needs that must be met in order to be authorized network access to organization-defined privileged commands.
SEPARATE PROCESSING DOMAINS
AC-6 (4) The information system provides separate processing domains to enable finer-grained allocation of user privileges.
AC-6 (4)
(CCI-002225)
The information system provides separate processing domains to enable finer-grained allocation of user privileges.
PRIVILEGED ACCOUNTS
AC-6 (5) The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].
AC-6 (5)
(CCI-002226)
The organization defines the personnel or roles to whom privileged accounts are to be restricted on the information system.
AC-6 (5)
(CCI-002227)
The organization restricts privileged accounts on the information system to organization-defined personnel or roles.
PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS
AC-6 (6) The organization prohibits privileged access to the information system by non-organizational users.
AC-6 (6)
(CCI-001422)
The organization prohibits privileged access to the information system by non-organizational users.
REVIEW OF USER PRIVILEGES
AC-6 (7) The organization:
AC-6 (7)(a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
AC-6 (7) (a)
(CCI-002228)
The organization defines the frequency on which it conducts reviews of the privileges assigned to organization-defined roles or classes of users.
AC-6 (7) (a)
(CCI-002229)
The organization defines the roles or classes of users that are to have their privileges reviewed on an organization-defined frequency.
AC-6 (7) (a)
(CCI-002230)
The organization reviews the privileges assigned to organization-defined roles or classes of users on an organization-defined frequency to validate the need for such privileges.
AC-6 (7)(b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
AC-6 (7) (b)
(CCI-002231)
The organization reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
PRIVILEGE LEVELS FOR CODE EXECUTION
AC-6 (8) The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software.
AC-6 (8)
(CCI-002232)
The organization defines software that is restricted from executing at a higher privilege than users executing the software.
AC-6 (8)
(CCI-002233)
The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.
AUDITING USE OF PRIVILEGED FUNCTIONS
AC-6 (9) The information system audits the execution of privileged functions.
AC-6 (9)
(CCI-002234)
The information system audits the execution of privileged functions.
PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS
AC-6 (10) The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
AC-6 (10)
(CCI-002235)
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
AC-7 ACCESS CONTROL : UNSUCCESSFUL LOGON ATTEMPTS
AC-7 The information system:
AC-7
(CCI-000043)
The organization defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period.
AC-7
(CCI-001423)
The organization defines the time period in which the organization-defined maximum number of consecutive invalid logon attempts occur.
AC-7a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
AC-7 a
(CCI-000044)
The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
AC-7b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
AC-7 b
(CCI-002236)
The organization defines the time period the information system will automatically lock the account or node when the maximum number of unsuccessful logon attempts is exceeded.
AC-7 b
(CCI-002237)
The organization defines the delay algorithm to be employed by the information system to delay the next logon prompt when the maximum number of unsuccessful logon attempts is exceeded.
AC-7 b
(CCI-002238)
The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
AUTOMATIC ACCOUNT LOCK
AC-7 (1) [Withdrawn: Incorporated into AC-7].
PURGE / WIPE MOBILE DEVICE
AC-7 (2) The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
AC-7 (2)
(CCI-002239)
The organization defines the mobile devices that are to be purged/wiped by the information system after an organization-defined number of consecutive, unsuccessful device logon attempts.
AC-7 (2)
(CCI-002240)
The organization defines the purging/wiping requirements/techniques to be used by the information system on organization-defined mobile devices after an organization-defined number of consecutive, unsuccessful device logon attempts.
AC-7 (2)
(CCI-002241)
The organization defines the number of consecutive, unsuccessful device logon attempts after which the information system will purge/wipe organization-defined mobile devices.
AC-7 (2)
(CCI-002242)
The information system purges/wipes information from organization-defined mobile devices based on organization-defined purging/wiping requirements/techniques after an organization-defined number of consecutive, unsuccessful device logon attempts.
AC-8 ACCESS CONTROL : SYSTEM USE NOTIFICATION
AC-8 The information system:
AC-8a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
AC-8 a
(CCI-000048)
The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
AC-8 a
(CCI-002247)
The organization defines the use notification message or banner the information system displays to users before granting access to the system.
AC-8a.1. Users are accessing a U.S. Government information system;
AC-8 a 1
(CCI-002243)
The organization-defined information system use notification message or banner is to state that users are accessing a U.S. Government information system.
AC-8a.2. Information system usage may be monitored, recorded, and subject to audit;
AC-8 a 2
(CCI-002244)
The organization-defined information system use notification message or banner is to state that information system usage may be monitored, recorded, and subject to audit.
AC-8a.3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
AC-8 a 3
(CCI-002245)
The organization-defined information system use notification message or banner is to state that unauthorized use of the information system is prohibited and subject to criminal and civil penalties.
AC-8a.4. Use of the information system indicates consent to monitoring and recording;
AC-8 a 4
(CCI-002246)
The organization-defined information system use notification message or banner is to state that use of the information system indicates consent to monitoring and recording.
AC-8b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
AC-8 b
(CCI-000050)
The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system.
AC-8c. For publicly accessible systems:
AC-8c.1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
AC-8 c 1
(CCI-001384)
The information system, for publicly accessible systems, displays system use information organization-defined conditions before granting further access.
AC-8 c 1
(CCI-002248)
The organization defines the conditions of use which are to be displayed to users of the information system before granting further access.
AC-8c.2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
AC-8 c 2
(CCI-001385)
The information system, for publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities.
AC-8 c 2
(CCI-001386)
The information system, for publicly accessible systems, displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities.
AC-8 c 2
(CCI-001387)
The information system, for publicly accessible systems, displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.
AC-8c.3. Includes a description of the authorized uses of the system.
AC-8 c 3
(CCI-001388)
The information system, for publicly accessible systems, includes a description of the authorized uses of the system.
AC-9 ACCESS CONTROL : PREVIOUS LOGON (ACCESS) NOTIFICATION
AC-9 The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
AC-9
(CCI-000052)
The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
UNSUCCESSFUL LOGONS
AC-9 (1) The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.
AC-9 (1)
(CCI-000053)
The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.
SUCCESSFUL / UNSUCCESSFUL LOGONS
AC-9 (2) The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period].
AC-9 (2)
(CCI-001389)
The organization defines the time period that the information system notifies the user of the number of successful logon/access attempts.
AC-9 (2)
(CCI-001390)
The organization defines the time period that the information system notifies the user of the number of unsuccessful logon/access attempts.
AC-9 (2)
(CCI-001391)
The information system notifies the user of the number of successful logins/accesses that occur during the organization-defined time period.
AC-9 (2)
(CCI-001392)
The information system notifies the user of the number of unsuccessful login/access attempts that occur during the organization-defined time period.
NOTIFICATION OF ACCOUNT CHANGES
AC-9 (3) The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period].
AC-9 (3)
(CCI-001393)
The organization defines the security-related characteristics/parameters of the user's account which, when changed, will result in a notification being provided to the user during the organization-defined time period.
AC-9 (3)
(CCI-001394)
The organization defines the time period during which organization-defined security-related changes to the user's account are to be tracked.
AC-9 (3)
(CCI-001395)
The information system notifies the user of changes to organization-defined security-related characteristics/parameters of the user's account that occur during the organization-defined time period.
ADDITIONAL LOGON INFORMATION
AC-9 (4) The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)].
AC-9 (4)
(CCI-002249)
The organization defines the information, in addition to the date and time of the last logon (access), to be included in the notification to the user upon successful logon (access).
AC-9 (4)
(CCI-002250)
The information system notifies the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access).
AC-9 (4)
(CCI-002251)
The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).
AC-10 ACCESS CONTROL : CONCURRENT SESSION CONTROL
AC-10 The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
AC-10
(CCI-000054)
The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions.
AC-10
(CCI-000055)
The organization defines the maximum number of concurrent sessions to be allowed for each organization-defined account and/or account type.
AC-10
(CCI-002252)
The organization defines the accounts and/or account types for which the information system will limit the number of concurrent sessions.
AC-10
(CCI-002253)
The organization defines the account types for which the information system will limit the number of concurrent sessions.
AC-11 ACCESS CONTROL : SESSION LOCK
AC-11 The information system:
AC-11a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
AC-11 a
(CCI-000057)
The information system initiates a session lock after the organization-defined time period of inactivity.
AC-11 a
(CCI-000058)
The information system provides the capability for users to directly initiate session lock mechanisms.
AC-11 a
(CCI-000059)
The organization defines the time period of inactivity after which the information system initiates a session lock.
AC-11b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
AC-11 b
(CCI-000056)
The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.
PATTERN-HIDING DISPLAYS
AC-11 (1) The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
AC-11 (1)
(CCI-000060)
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
AC-12 ACCESS CONTROL : SESSION TERMINATION
AC-12 The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
AC-12
(CCI-002254)
The organization defines the conditions or trigger events requiring session disconnect to be employed by the information system when automatically terminating a user session.
AC-12
(CCI-002360)
The organization defines the conditions or trigger events requiring session disconnect to be employed by the information system when automatically terminating a user session.
AC-12
(CCI-002361)
The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.
USER-INITIATED LOGOUTS / MESSAGE DISPLAYS
AC-12 (1) The information system:
AC-12 (1)
(CCI-002362)
The organization defines the resources requiring information system authentication in order to gain access.
AC-12 (1)
(CCI-002363)
The information system provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources.
AC-12 (1)
(CCI-002364)
The information system displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
AC-12 (1)(a) Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and
AC-12 (1)(b) Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
AC-13 ACCESS CONTROL : SUPERVISION AND REVIEW – ACCESS CONTROL
AC-13 [Withdrawn: Incorporated into AC-2 and AU-6].
AC-14 ACCESS CONTROL : PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
AC-14 The organization:
AC-14a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
AC-14 a
(CCI-000061)
The organization identifies and defines organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions/business functions.
AC-14 a
(CCI-002255)
The organization defines the user actions that can be performed on the information system without identification and authentication.
AC-14b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
AC-14 b
(CCI-000232)
The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.
NECESSARY USES
AC-14 (1) [Withdrawn: Incorporated into AC-14].
AC-15 ACCESS CONTROL : AUTOMATED MARKING
AC-15 [Withdrawn: Incorporated into MP-3].
AC-16 ACCESS CONTROL : SECURITY ATTRIBUTES
AC-16 The organization:
AC-16a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
AC-16 a
(CCI-002256)
The organization defines security attributes having organization-defined types of security attribute values which are associated with information in storage.
AC-16 a
(CCI-002257)
The organization defines security attributes having organization-defined types of security attribute values which are associated with information in process.
AC-16 a
(CCI-002258)
The organization defines security attributes, having organization-defined types of security attribute values, which are associated with information in transmission.
AC-16 a
(CCI-002259)
The organization defines security attribute values associated with organization-defined types of security attributes for information in storage.
AC-16 a
(CCI-002260)
The organization defines security attribute values associated with organization-defined types of security attributes for information in process.
AC-16 a
(CCI-002261)
The organization defines security attribute values associated with organization-defined types of security attributes for information in transmission.
AC-16 a
(CCI-002262)
The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.
AC-16 a
(CCI-002263)
The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process.
AC-16 a
(CCI-002264)
The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.
AC-16b. Ensures that the security attribute associations are made and retained with the information;
AC-16 b
(CCI-002265)
The organization ensures that the security attribute associations are made with the information.
AC-16 b
(CCI-002266)
The organization ensures that the security attribute associations are retained with the information.
AC-16c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
AC-16 c
(CCI-002267)
The organization defines the security attributes that are permitted for organization-defined information systems.
AC-16 c
(CCI-002268)
The organization defines the information systems for which permitted organization-defined attributes are to be established.
AC-16 c
(CCI-002269)
The organization establishes the permitted organization-defined security attributes for organization-defined information systems.
AC-16d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
AC-16 d
(CCI-002270)
The organization defines the values or ranges permitted for each of the established security attributes.
AC-16 d
(CCI-002271)
The organization determines the permitted organization-defined values or ranges for each of the established security attributes.
DYNAMIC ATTRIBUTE ASSOCIATION
AC-16 (1) The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined.
AC-16 (1)
(CCI-001424)
The information system dynamically associates security attributes with organization-defined subjects in accordance with organization-defined security policies as information is created and combined.
AC-16 (1)
(CCI-002272)
The information system dynamically associates security attributes with organization-defined objects in accordance with organization-defined security policies as information is created and combined.
AC-16 (1)
(CCI-002273)
The organization defines the security policies the information system is to adhere to when dynamically associating security attributes with organization-defined subjects and objects.
AC-16 (1)
(CCI-002274)
The organization defines the subjects with which the information system is to dynamically associate security attributes as information is created and combined.
AC-16 (1)
(CCI-002275)
The organization defines the objects with which the information system is to dynamically associate security attributes as information is created and combined.
ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS
AC-16 (2) The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
AC-16 (2)
(CCI-001559)
The organization identifies the individuals authorized to change the value of associated security attributes.
AC-16 (2)
(CCI-001425)
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes.
AC-16 (2)
(CCI-002276)
The organization identifies the individuals authorized to define the value of associated security attributes.
AC-16 (2)
(CCI-002277)
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes.
MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM
AC-16 (3) The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects].
AC-16 (3)
(CCI-002278)
The organization defines security attributes for which the association and integrity to organization-defined subjects and objects is maintained by the information system.
AC-16 (3)
(CCI-002279)
The organization defines subjects for which the association and integrity of organization-defined security attributes is maintained by the information system.
AC-16 (3)
(CCI-002280)
The organization defines objects for which the association and integrity of organization-defined security attributes is maintained by the information system.
AC-16 (3)
(CCI-002281)
The information system maintains the association of organization-defined security attributes to organization-defined subjects.
AC-16 (3)
(CCI-002282)
The information system maintains the association of organization-defined security attributes to organization-defined objects.
AC-16 (3)
(CCI-002283)
The information system maintains the integrity of organization-defined security attributes associated with organization-defined subjects.
AC-16 (3)
(CCI-002284)
The information system maintains the integrity of organization-defined security attributes associated with organization-defined objects.
ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS
AC-16 (4) The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
AC-16 (4)
(CCI-001560)
The organization identifies individuals (or processes acting on behalf of individuals) authorized to associate organization-defined security attributes with organization-defined objects.
AC-16 (4)
(CCI-002285)
The organization identifies individuals (or processes acting on behalf of individuals) authorized to associate organization-defined security attributes with organization-defined subjects.
AC-16 (4)
(CCI-002286)
The organization defines the subjects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals).
AC-16 (4)
(CCI-002287)
The organization defines the objects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals).
AC-16 (4)
(CCI-002288)
The organization defines the security attributes authorized individuals (or processes acting on behalf of individuals) are permitted to associate with organization-defined subjects and objects.
AC-16 (4)
(CCI-002289)
The information system supports the association of organization-defined security attributes with organization-defined subjects by authorized individuals (or processes acting on behalf of individuals).
AC-16 (4)
(CCI-002290)
The information system supports the association of organization-defined security attributes with organization-defined objects by authorized individuals (or processes acting on behalf of individuals).
ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES
AC-16 (5) The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions].
AC-16 (5)
(CCI-001428)
The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify organization-identified special dissemination, handling, or distribution instructions using organization-identified human-readable, standard naming conventions.
AC-16 (5)
(CCI-001429)
The organization identifies special dissemination, handling, or distribution instructions for identifying security attributes on output.
AC-16 (5)
(CCI-001430)
The organization identifies human-readable, standard naming conventions for identifying security attributes on output.
MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION
AC-16 (6) The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].
AC-16 (6)
(CCI-002291)
The organization defines the security policies to be followed by personnel when associating organization-defined security attributes with organization-defined subjects and objects.
AC-16 (6)
(CCI-002292)
The organization defines the security attributes which are to be associated with organization-defined subjects and objects.
AC-16 (6)
(CCI-002293)
The organization defines the subjects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies.
AC-16 (6)
(CCI-002294)
The organization defines the objects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies.
AC-16 (6)
(CCI-002295)
The organization allows personnel to associate organization-defined security attributes with organization-defined subjects in accordance with organization-defined security policies.
AC-16 (6)
(CCI-002296)
The organization allows personnel to associate organization-defined security attributes with organization-defined objects in accordance with organization-defined security policies.
AC-16 (6)
(CCI-002297)
The organization allows personnel to maintain the association of organization-defined security attributes with organization-defined subjects in accordance with organization-defined security policies.
AC-16 (6)
(CCI-002298)
The organization allows personnel to maintain the association of organization-defined security attributes with organization-defined objects in accordance with organization-defined security policies.
CONSISTENT ATTRIBUTE INTERPRETATION
AC-16 (7) The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.
AC-16 (7)
(CCI-002299)
The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.
ASSOCIATION TECHNIQUES / TECHNOLOGIES
AC-16 (8) The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information.
AC-16 (8)
(CCI-002300)
The organization defines the techniques or technologies to be implemented when associating security attributes with information.
AC-16 (8)
(CCI-002301)
The organization defines the level of assurance to be provided when implementing organization-defined techniques or technologies in associating security attributes to information.
AC-16 (8)
(CCI-002302)
The information system implements organization-defined techniques or technologies with an organization-defined level of assurance in associating security attributes to information.
ATTRIBUTE REASSIGNMENT
AC-16 (9) The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures].
AC-16 (9)
(CCI-002303)
The organization defines the techniques or procedures to be employed to validate re-grading mechanisms.
AC-16 (9)
(CCI-002304)
The organization ensures security attributes associated with information are reassigned only via re-grading mechanisms validated using organization-defined techniques or procedures.
ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS
AC-16 (10) The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.
AC-16 (10)
(CCI-002305)
The organization identifies individuals authorized to define or change the type and value of security attributes available for association with subjects and objects.
AC-16 (10)
(CCI-002306)
The information system provides authorized individuals the capability to define or change the type of security attributes available for association with subjects.
AC-16 (10)
(CCI-002307)
The information system provides authorized individuals the capability to define or change the value of security attributes available for association with subjects.
AC-16 (10)
(CCI-002308)
The information system provides authorized individuals the capability to define or change the type of security attributes available for association with objects.
AC-16 (10)
(CCI-002309)
The information system provides authorized individuals the capability to define or change the value of security attributes available for association with objects.
AC-17 ACCESS CONTROL : REMOTE ACCESS
AC-17 The organization:
AC-17a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
AC-17 a
(CCI-000063)
The organization defines allowed methods of remote access to the information system.
AC-17 a
(CCI-002310)
The organization establishes and documents usage restrictions for each type of remote access allowed.
AC-17 a
(CCI-002311)
The organization establishes and documents configuration/connection requirements for each type of remote access allowed.
AC-17 a
(CCI-002312)
The organization establishes and documents implementation guidance for each type of remote access allowed.
AC-17b. Authorizes remote access to the information system prior to allowing such connections.
AC-17 b
(CCI-000065)
The organization authorizes remote access to the information system prior to allowing such connections.
AUTOMATED MONITORING / CONTROL
AC-17 (1) The information system monitors and controls remote access methods.
AC-17 (1)
(CCI-000067)
The information system monitors remote access methods.
AC-17 (1)
(CCI-002313)
The information system controls remote access methods.
AC-17 (1)
(CCI-002314)
The information system controls remote access methods.
PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION
AC-17 (2) The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC-17 (2)
(CCI-000068)
The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
AC-17 (2)
(CCI-001453)
The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
MANAGED ACCESS CONTROL POINTS
AC-17 (3) The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
AC-17 (3)
(CCI-001561)
The organization defines managed access control points for remote access to the information system.
AC-17 (3)
(CCI-000069)
The information system routes all remote accesses through an organization-defined number of managed network access control points.
AC-17 (3)
(CCI-002315)
The organization defines the number of managed network access control points through which the information system routes all remote access.
PRIVILEGED COMMANDS / ACCESS
AC-17 (4) The organization:
AC-17 (4)(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
AC-17 (4) (a)
(CCI-000070)
The organization authorizes the execution of privileged commands via remote access only for organization-defined needs.
AC-17 (4) (a)
(CCI-002316)
The organization authorizes access to security-relevant information via remote access only for organization-defined needs.
AC-17 (4) (a)
(CCI-002317)
The organization defines the operational needs for when the execution of privileged commands via remote access is to be authorized.
AC-17 (4) (a)
(CCI-002318)
The organization defines the operational needs for when access to security-relevant information via remote access is to be authorized.
AC-17 (4)(b) Documents the rationale for such access in the security plan for the information system.
AC-17 (4) (b)
(CCI-002319)
The organization documents in the security plan for the information system the rationale for authorization of the execution of privileged commands via remote access.
AC-17 (4) (b)
(CCI-002320)
The organization documents in the security plan for the information system the rationale for authorization of access to security-relevant information via remote access.
MONITORING FOR UNAUTHORIZED CONNECTIONS
AC-17 (5) [Withdrawn: Incorporated into SI-4].
PROTECTION OF INFORMATION
AC-17 (6) The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
AC-17 (6)
(CCI-000072)
The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS
AC-17 (7) [Withdrawn: Incorporated into AC-3 (10)].
DISABLE NONSECURE NETWORK PROTOCOLS
AC-17 (8) [Withdrawn: Incorporated into CM-7].
DISCONNECT / DISABLE ACCESS
AC-17 (9) The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period].
AC-17 (9)
(CCI-002321)
The organization defines the time period within which it disconnects or disables remote access to the information system.
AC-17 (9)
(CCI-002322)
The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period.
AC-18 ACCESS CONTROL : WIRELESS ACCESS
AC-18 The organization:
AC-18a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
AC-18 a
(CCI-001438)
The organization establishes usage restrictions for wireless access.
AC-18 a
(CCI-001439)
The organization establishes implementation guidance for wireless access.
AC-18 a
(CCI-002323)
The organization establishes configuration/connection requirements for wireless access.
AC-18b. Authorizes wireless access to the information system prior to allowing such connections.
AC-18 b
(CCI-001441)
The organization authorizes wireless access to the information system prior to allowing such connections.
AUTHENTICATION AND ENCRYPTION
AC-18 (1) The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.
AC-18 (1)
(CCI-001443)
The information system protects wireless access to the system using authentication of users and/or devices.
AC-18 (1)
(CCI-001444)
The information system protects wireless access to the system using encryption.
MONITORING UNAUTHORIZED CONNECTIONS
AC-18 (2) [Withdrawn: Incorporated into SI-4].
DISABLE WIRELESS NETWORKING
AC-18 (3) The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
AC-18 (3)
(CCI-001449)
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
RESTRICT CONFIGURATIONS BY USERS
AC-18 (4) The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.
AC-18 (4)
(CCI-002324)
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.
ANTENNAS / TRANSMISSION POWER LEVELS
AC-18 (5) The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.
AC-18 (5)
(CCI-001451)
The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.
AC-19 ACCESS CONTROL : ACCESS CONTROL FOR MOBILE DEVICES
AC-19 The organization:
AC-19a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
AC-19 a
(CCI-000082)
The organization establishes usage restrictions for organization-controlled mobile devices.
AC-19 a
(CCI-000083)
The organization establishes implementation guidance for organization-controlled mobile devices.
AC-19 a
(CCI-002325)
The organization establishes configuration requirements for organization-controlled mobile devices.
AC-19 a
(CCI-002326)
The organization establishes connection requirements for organization-controlled mobile devices.
AC-19b. Authorizes the connection of mobile devices to organizational information systems.
AC-19 b
(CCI-000084)
The organization authorizes connection of mobile devices to organizational information systems.
USE OF WRITABLE / PORTABLE STORAGE DEVICES
AC-19 (1) [Withdrawn: Incorporated into MP-7].
USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES
AC-19 (2) [Withdrawn: Incorporated into MP-7].
USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER
AC-19 (3) [Withdrawn: Incorporated into MP-7].
RESTRICTIONS FOR CLASSIFIED INFORMATION
AC-19 (4) The organization:
AC-19 (4)(a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
AC-19 (4) (a)
(CCI-001330)
The organization prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official.
AC-19 (4)(b) Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
AC-19 (4)(b)(1) Connection of unclassified mobile devices to classified information systems is prohibited;
AC-19 (4) (b) (1)
(CCI-001331)
The organization prohibits connection of unclassified mobile devices to classified information systems.
AC-19 (4)(b)(2) Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
AC-19 (4) (b) (2)
(CCI-001332)
The organization requires approval from the authorizing official for the connection of unclassified mobile devices to unclassified information systems.
AC-19 (4)(b)(3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
AC-19 (4) (b) (3)
(CCI-001333)
The organization prohibits use of internal or external modems or wireless interfaces within unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information.
AC-19 (4)(b)(4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
AC-19 (4) (b) (4)
(CCI-001458)
The organization requires that if classified information is found on mobile devices, the incident handling policy be followed.
AC-19 (4) (b) (4)
(CCI-001334)
The organization requires that unclassified mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices be subject to random reviews and inspections by organization-defined security officials.
AC-19 (4) (b) (4)
(CCI-001335)
The organization defines security officials to perform reviews and inspections of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information.
AC-19 (4)(c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].
AC-19 (4) (c)
(CCI-002327)
The organization defines the security policies which restrict the connection of classified mobile devices to classified information systems.
AC-19 (4) (c)
(CCI-002328)
The organization restricts the connection of classified mobile devices to classified information systems in accordance with organization-defined security policies.
FULL DEVICE / CONTAINER-BASED ENCRYPTION
AC-19 (5) The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
AC-19 (5)
(CCI-002329)
The organization defines the mobile devices that are to employ full-device or container encryption to protect the confidentiality and integrity of the information on the device.
AC-19 (5)
(CCI-002330)
The organization employs full-device encryption or container encryption to protect the confidentiality of information on organization-defined mobile devices.
AC-19 (5)
(CCI-002331)
The organization employs full-device encryption or container encryption to protect the integrity of information on organization-defined mobile devices.
AC-20 ACCESS CONTROL : USE OF EXTERNAL INFORMATION SYSTEMS
AC-20 The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
AC-20a. Access the information system from external information systems; and
AC-20 a
(CCI-000093)
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems.
AC-20b. Process, store, or transmit organization-controlled information using external information systems.
AC-20 b
(CCI-002332)
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process, store, or transmit organization-controlled information using the external information systems.
LIMITS ON AUTHORIZED USE
AC-20 (1) The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
AC-20 (1)(a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
AC-20 (1) (a)
(CCI-002333)
The organization permits authorized individuals to use an external information system to access the information system only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.
AC-20 (1) (a)
(CCI-002334)
The organization permits authorized individuals to use an external information system to process organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.
AC-20 (1) (a)
(CCI-002335)
The organization permits authorized individuals to use an external information system to store organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.
AC-20 (1) (a)
(CCI-002336)
The organization permits authorized individuals to use an external information system to transmit organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.
AC-20 (1)(b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
AC-20 (1) (b)
(CCI-002337)
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
PORTABLE STORAGE DEVICES
AC-20 (2) The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
AC-20 (2)
(CCI-000097)
The organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems.
NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES
AC-20 (3) The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.
AC-20 (3)
(CCI-002338)
The organization restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.
NETWORK ACCESSIBLE STORAGE DEVICES
AC-20 (4) The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems.
AC-20 (4)
(CCI-002339)
The organization defines the network accessible storage devices that are to be prohibited from being used in external information systems.
AC-20 (4)
(CCI-002340)
The organization prohibits the use of organization-defined network accessible storage devices in external information systems.
AC-21 ACCESS CONTROL : INFORMATION SHARING
AC-21 The organization:
AC-21a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
AC-21 a
(CCI-000098)
The organization facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information sharing circumstances where user discretion is required.
AC-21 a
(CCI-001470)
The organization defines information sharing circumstances where user discretion is required.
AC-21b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
AC-21 b
(CCI-001471)
The organization employs organization-defined automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions.
AC-21 b
(CCI-001472)
The organization defines the automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions.
AUTOMATED DECISION SUPPORT
AC-21 (1) The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
AC-21 (1)
(CCI-000099)
The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
INFORMATION SEARCH AND RETRIEVAL
AC-21 (2) The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].
AC-21 (2)
(CCI-002341)
The organization defines the information sharing restrictions to be enforced by the information system for information search and retrieval services.
AC-21 (2)
(CCI-002342)
The information system implements information search and retrieval services that enforce organization-defined information sharing restrictions.
AC-22 ACCESS CONTROL : PUBLICLY ACCESSIBLE CONTENT
AC-22 The organization:
AC-22a. Designates individuals authorized to post information onto a publicly accessible information system;
AC-22 a
(CCI-001473)
The organization designates individuals authorized to post information onto a publicly accessible information system.
AC-22b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
AC-22 b
(CCI-001474)
The organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information.
AC-22c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
AC-22 c
(CCI-001475)
The organization reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included.
AC-22d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
AC-22 d
(CCI-001476)
The organization reviews the content on the publicly accessible information system for nonpublic information on an organization-defined frequency.
AC-22 d
(CCI-001477)
The organization defines a frequency for reviewing the content on the publicly accessible information system for nonpublic information.
AC-22 d
(CCI-001478)
The organization removes nonpublic information from the publicly accessible information system, if discovered.
AC-23 ACCESS CONTROL : DATA MINING PROTECTION
AC-23 The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.
AC-23
(CCI-002343)
The organization defines the data mining prevention techniques to be employed to adequately protect organization-defined data storage objects against data mining.
AC-23
(CCI-002344)
The organization defines the data mining detection techniques to be employed to adequately detect data mining attempts against organization-defined data storage objects.
AC-23
(CCI-002345)
The organization defines the data storage objects that are to be protected against data mining attempts.
AC-23
(CCI-002346)
The organization employs organization-defined data mining prevention techniques for organization-defined data storage objects to adequately protect against data mining.
AC-23
(CCI-002347)
The organization employs organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts.
AC-24 ACCESS CONTROL : ACCESS CONTROL DECISIONS
AC-24 The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
AC-24
(CCI-002348)
The organization defines the access control decisions that are to be applied to each access request prior to access enforcement.
AC-24
(CCI-002349)
The organization establishes procedures to ensure organization-defined access control decisions are applied to each access request prior to access enforcement.
TRANSMIT ACCESS AUTHORIZATION INFORMATION
AC-24 (1) The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions.
AC-24 (1)
(CCI-002350)
The organization defines the access authorization information that is to be transmitted using organization-defined security safeguards to organization-defined information systems that enforce access control decisions.
AC-24 (1)
(CCI-002351)
The organization defines the security safeguards to be employed when transmitting organization-defined access authorization information to organization-defined information systems that enforce access control decisions.
AC-24 (1)
(CCI-002352)
The organization defines the information systems that are to be recipients of organization-defined access authorization information using organization-defined security safeguards.
AC-24 (1)
(CCI-002353)
The information system transmits organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions.
NO USER OR PROCESS IDENTITY
AC-24 (2) The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user.
AC-24 (2)
(CCI-002354)
The organization defines the security attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions.
AC-24 (2)
(CCI-002355)
The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user.
AC-25 ACCESS CONTROL : REFERENCE MONITOR
AC-25 The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
AC-25
(CCI-002356)
The organization defines the access control policies to be implemented by the information system's reference monitor.
AC-25
(CCI-002357)
The information system implements a reference monitor for organization-defined access control policies that is tamperproof.
AC-25
(CCI-002358)
The information system implements a reference monitor for organization-defined access control policies that is always invoked.
AC-25
(CCI-002359)
The information system implements a reference monitor for organization-defined access control policies that is small enough to be subject to analysis and testing, the completeness of which can be assured.
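AC-24 (2) and AC-25 describe a mechanism rather than a policy: every access request passes through one small mediation point whose decision depends on security attributes of the subject and object, not on who the user is. The following is an added illustration of that arrangement in Python; it is not NIST or DISA text and not code from any reference implementation. The sensitivity levels, compartments, resource names and the read-down/write-up rule are hypothetical choices made for the example.

```python
"""Added illustration (not NIST or DISA text): a minimal reference monitor
that mediates every read and write using only security labels (AC-24 (2))
and is the single point through which all object access flows (AC-25,
'always invoked'). Levels, compartments and objects are hypothetical."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Hypothetical linear sensitivity lattice."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset  # need-to-know categories, e.g. {"HR"}

    def dominates(self, other: "Label") -> bool:
        # Classic lattice dominance: higher-or-equal level and a superset of compartments.
        return self.level >= other.level and other.compartments <= self.compartments


class ReferenceMonitor:
    """Small, inspectable decision function with its own record of every mediation."""

    def __init__(self, policy_name: str):
        self.policy = policy_name
        self.decisions = []  # (operation, subject label, object label, allowed)

    def decide(self, subject_label: Label, object_label: Label, op: str) -> bool:
        # The decision is a function of labels and operation only: no user or
        # process identity is an input, which is what AC-24 (2) asks for.
        if op == "read":
            allowed = subject_label.dominates(object_label)  # no read-up
        elif op == "write":
            allowed = object_label.dominates(subject_label)  # no write-down
        else:
            allowed = False  # unknown operation: default deny
        self.decisions.append((op, subject_label, object_label, allowed))
        return allowed


class ObjectStore:
    """Every read and write goes through the monitor; the store exposes no bypass."""

    def __init__(self, monitor: ReferenceMonitor):
        self._monitor = monitor
        self._objects = {}  # name -> (label, data)

    def create(self, name: str, label: Label, data: str) -> None:
        self._objects[name] = (label, data)

    def read(self, subject_label: Label, name: str) -> str:
        label, data = self._objects[name]
        if not self._monitor.decide(subject_label, label, "read"):
            raise PermissionError(f"read denied on {name}")
        return data

    def write(self, subject_label: Label, name: str, data: str) -> None:
        label, _ = self._objects[name]
        if not self._monitor.decide(subject_label, label, "write"):
            raise PermissionError(f"write denied on {name}")
        self._objects[name] = (label, data)


if __name__ == "__main__":
    rm = ReferenceMonitor("hypothetical-mls")
    store = ObjectStore(rm)
    store.create("payroll", Label(Level.CONFIDENTIAL, frozenset({"HR"})), "salaries")
    print(store.read(Label(Level.CONFIDENTIAL, frozenset({"HR"})), "payroll"))
    try:
        store.read(Label(Level.SECRET, frozenset()), "payroll")  # lacks HR compartment
    except PermissionError as e:
        print(e)
```

The two properties to look for when reviewing a real implementation are the ones AC-25 names: the store has no method that touches `_objects` without calling `decide` (always invoked), and `decide` is short enough to test exhaustively over the label lattice (small enough to analyze). Tamperproofness is not something this snippet can show; in a real system it comes from the monitor running in a protection domain the mediated subjects cannot write.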
AT-1 AWARENESS AND TRAINING : SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-1 The organization:
AT-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
AT-1a.1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
AT-1 a 1
(CCI-000100)
The organization develops and documents a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
AT-1 a 1
(CCI-000101)
The organization disseminates a security awareness and training policy to organization-defined personnel or roles.
AT-1 a 1
(CCI-002048)
The organization defines the personnel or roles to whom the security awareness and training policy is disseminated.
AT-1a.2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
AT-1 a 2
(CCI-000103)
The organization develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.
AT-1 a 2
(CCI-000104)
The organization disseminates security awareness and training procedures to organization-defined personnel or roles.
AT-1 a 2
(CCI-002049)
The organization defines the personnel or roles to whom the security awareness and training procedures are disseminated.
AT-1b. Reviews and updates the current:
AT-1b.1. Security awareness and training policy [Assignment: organization-defined frequency]; and
AT-1 b 1
(CCI-001564)
The organization defines the frequency of security awareness and training policy reviews and updates.
AT-1 b 1
(CCI-000102)
The organization reviews and updates the current security awareness and training policy in accordance with organization-defined frequency.
AT-1b.2. Security awareness and training procedures [Assignment: organization-defined frequency].
AT-1 b 2
(CCI-001565)
The organization defines the frequency of security awareness and training procedure reviews and updates.
AT-1 b 2
(CCI-000105)
The organization reviews and updates the current security awareness and training procedures in accordance with an organization-defined frequency.
AT-2 AWARENESS AND TRAINING : SECURITY AWARENESS TRAINING
AT-2 The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
AT-2
(CCI-001480)
The organization defines the frequency for providing refresher security awareness training to all information system users (including managers, senior executives, and contractors).
AT-2a. As part of initial training for new users;
AT-2 a
(CCI-000106)
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users.
AT-2b. When required by information system changes; and
AT-2 b
(CCI-000112)
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes.
AT-2c. [Assignment: organization-defined frequency] thereafter.
AT-2 c
(CCI-001479)
The organization provides refresher security awareness training to all information system users (including managers, senior executives, and contractors) in accordance with the organization-defined frequency.
PRACTICAL EXERCISES
AT-2 (1) The organization includes practical exercises in security awareness training that simulate actual cyber attacks.
AT-2 (1)
(CCI-000107)
The organization includes practical exercises in security awareness training that simulate actual cyber attacks.
INSIDER THREAT
AT-2 (2) The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
AT-2 (2)
(CCI-002055)
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
AT-3 AWARENESS AND TRAINING : ROLE-BASED SECURITY TRAINING
AT-3 The organization provides role-based security training to personnel with assigned security roles and responsibilities:
AT-3a. Before authorizing access to the information system or performing assigned duties;
AT-3 a
(CCI-000108)
The organization provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties.
AT-3b. When required by information system changes; and
AT-3 b
(CCI-000109)
The organization provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes.
AT-3c. [Assignment: organization-defined frequency] thereafter.
AT-3 c
(CCI-000110)
The organization provides refresher role-based security training to personnel with assigned security roles and responsibilities in accordance with organization-defined frequency.
AT-3 c
(CCI-000111)
The organization defines a frequency for providing refresher role-based security training.
ENVIRONMENTAL CONTROLS
AT-3 (1) The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
AT-3 (1)
(CCI-001481)
The organization provides organization-defined personnel or roles with initial training in the employment and operation of environmental controls.
AT-3 (1)
(CCI-001482)
The organization provides organization-defined personnel or roles with refresher training in the employment and operation of environmental controls in accordance with the organization-defined frequency.
AT-3 (1)
(CCI-001483)
The organization defines a frequency for providing employees with refresher training in the employment and operation of environmental controls.
AT-3 (1)
(CCI-002050)
The organization defines the personnel or roles to whom initial and refresher training in the employment and operation of environmental controls is to be provided.
PHYSICAL SECURITY CONTROLS
AT-3 (2) The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
AT-3 (2)
(CCI-001566)
The organization provides organization-defined personnel or roles with initial training in the employment and operation of physical security controls.
AT-3 (2)
(CCI-001567)
The organization provides organization-defined personnel or roles with refresher training in the employment and operation of physical security controls in accordance with the organization-defined frequency.
AT-3 (2)
(CCI-001568)
The organization defines a frequency for providing employees with refresher training in the employment and operation of physical security controls.
AT-3 (2)
(CCI-002051)
The organization defines the personnel or roles to whom initial and refresher training in the employment and operation of physical security controls is to be provided.
PRACTICAL EXERCISES
AT-3 (3) The organization includes practical exercises in security training that reinforce training objectives.
AT-3 (3)
(CCI-002052)
The organization includes practical exercises in security training that reinforce training objectives.
SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR
AT-3 (4) The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems.
AT-3 (4)
(CCI-002053)
The organization provides training to its personnel on organization-defined indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.
AT-3 (4)
(CCI-002054)
The organization defines indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.
AT-4 AWARENESS AND TRAINING : SECURITY TRAINING RECORDS
AT-4 The organization:
AT-4a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
AT-4 a
(CCI-000113)
The organization documents individual information system security training activities, including basic security awareness training and specific information system security training.
AT-4 a
(CCI-000114)
The organization monitors individual information system security training activities, including basic security awareness training and specific information system security training.
AT-4b. Retains individual training records for [Assignment: organization-defined time period].
AT-4 b
(CCI-001336)
The organization retains individual training records for an organization-defined time period.
AT-4 b
(CCI-001337)
The organization defines a time period for retaining individual training records.
AT-5 AWARENESS AND TRAINING : CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
AT-5 [Withdrawn: Incorporated into PM-15].
AU-1 AUDIT AND ACCOUNTABILITY : AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
AU-1 The organization:
AU-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
AU-1a.1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
AU-1 a 1
(CCI-000117)
The organization develops and documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
AU-1 a 1
(CCI-001831)
The organization documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
AU-1 a 1
(CCI-001832)
The organization disseminates the audit and accountability policy to organization-defined personnel or roles.
AU-1 a 1
(CCI-001930)
The organization defines the organizational personnel or roles to whom the audit and accountability policy is to be disseminated.
AU-1a.2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
AU-1 a 2
(CCI-000120)
The organization develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
AU-1 a 2
(CCI-001833)
The organization documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
AU-1 a 2
(CCI-001834)
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
AU-1 a 2
(CCI-001931)
The organization defines the organizational personnel or roles to whom the audit and accountability procedures are to be disseminated.
AU-1b. Reviews and updates the current:
AU-1b.1. Audit and accountability policy [Assignment: organization-defined frequency]; and
AU-1 b 1
(CCI-001569)
The organization defines the frequency on which it will review and update the audit and accountability policy.
AU-1 b 1
(CCI-000119)
The organization reviews and updates the audit and accountability policy on an organization-defined frequency.
AU-1 b 1
(CCI-001835)
The organization defines the frequency on which it will review the audit and accountability policy.
AU-1 b 1
(CCI-001836)
The organization defines the frequency on which it will update the audit and accountability policy.
AU-1 b 1
(CCI-001837)
The organization reviews the audit and accountability policy on an organization-defined frequency.
AU-1 b 1
(CCI-001838)
The organization updates the audit and accountability policy on an organization-defined frequency.
AU-1b.2. Audit and accountability procedures [Assignment: organization-defined frequency].
AU-1 b 2
(CCI-001570)
The organization defines the frequency on which it will review and update the audit and accountability procedures.
AU-1 b 2
(CCI-000122)
The organization reviews and updates the audit and accountability procedures on an organization-defined frequency.
AU-1 b 2
(CCI-001839)
The organization defines the frequency on which it will review the audit and accountability procedures.
AU-1 b 2
(CCI-001840)
The organization defines the frequency on which it will update the audit and accountability procedures.
AU-1 b 2
(CCI-001841)
The organization reviews the audit and accountability procedures on an organization-defined frequency.
AU-1 b 2
(CCI-001842)
The organization updates the audit and accountability procedures on an organization-defined frequency.
AU-2 AUDIT AND ACCOUNTABILITY : AUDIT EVENTS
AU-2 The organization:
AU-2a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
AU-2 a
(CCI-001571)
The organization defines the information system auditable events.
AU-2 a
(CCI-000123)
The organization determines the information system must be capable of auditing an organization-defined list of auditable events.
AU-2b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
AU-2 b
(CCI-000124)
The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events.
AU-2c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
AU-2 c
(CCI-000125)
The organization provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents.
AU-2d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
AU-2 d
(CCI-000126)
The organization determines that the organization-defined subset of the auditable events defined in AU-2 are to be audited within the information system.
AU-2 d
(CCI-001484)
The organization defines frequency of (or situation requiring) auditing for each identified event.
AU-2 d
(CCI-001485)
The organization defines the events which are to be audited on the information system, together with the organization-defined frequency of (or situation requiring) auditing for each identified event.
COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES
AU-2 (1) [Withdrawn: Incorporated into AU-12].
SELECTION OF AUDIT EVENTS BY COMPONENT
AU-2 (2) [Withdrawn: Incorporated into AU-12].
REVIEWS AND UPDATES
AU-2 (3) The organization reviews and updates the audited events [Assignment: organization-defined frequency].
AU-2 (3)
(CCI-000127)
The organization reviews and updates the list of organization-defined audited events on an organization-defined frequency.
AU-2 (3)
(CCI-001486)
The organization defines a frequency for reviewing and updating the list of organization-defined auditable events.
AU-2 (3)
(CCI-001843)
The organization defines a frequency for updating the list of organization-defined auditable events.
PRIVILEGED FUNCTIONS
AU-2 (4) [Withdrawn: Incorporated into AC-6 (9)].
AU-3 AUDIT AND ACCOUNTABILITY : CONTENT OF AUDIT RECORDS
AU-3 The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
AU-3
(CCI-000130)
The information system generates audit records containing information that establishes what type of event occurred.
AU-3
(CCI-000131)
The information system generates audit records containing information that establishes when an event occurred.
AU-3
(CCI-000132)
The information system generates audit records containing information that establishes where the event occurred.
AU-3
(CCI-000133)
The information system generates audit records containing information that establishes the source of the event.
AU-3
(CCI-000134)
The information system generates audit records containing information that establishes the outcome of the event.
AU-3
(CCI-001487)
The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
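The six CCIs above split AU-3 into separately assessable elements, which is also how a practitioner checks real logs: each record must establish what, when, where, source, outcome and subject. The following is an added example, not NIST or DISA text, of a checker that reads JSON-lines audit records and reports which of the six elements each record fails to establish. The field names in the schema map and the sample records are constructed for this illustration; a real deployment would map its own log format onto the six elements.

```python
"""Added illustration (not NIST or DISA text): check that audit records
establish the six AU-3 content elements. The field-name mapping and the
sample records below are constructed for this example."""
import json
from datetime import datetime

# AU-3 element -> field names that may establish it (hypothetical schema).
AU3_ELEMENTS = {
    "type": ("event_type",),
    "when": ("timestamp",),
    "where": ("host", "component"),
    "source": ("src_ip", "process"),
    "outcome": ("result",),
    "identity": ("user", "subject"),
}


def _valid_timestamp(value) -> bool:
    """'When' is only established by a parseable timestamp, not by any string."""
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def missing_elements(record: dict) -> list:
    """Return the AU-3 elements that a single record fails to establish."""
    missing = []
    for element, fields in AU3_ELEMENTS.items():
        present = any(record.get(f) not in (None, "") for f in fields)
        if element == "when" and present:
            present = any(_valid_timestamp(record[f]) for f in fields if f in record)
        if not present:
            missing.append(element)
    return missing


def check_audit_log(lines) -> dict:
    """Check JSON-lines records; returns {line_number: missing elements} for failing lines."""
    failures = {}
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            failures[n] = ["unparseable"]
            continue
        gaps = missing_elements(rec)
        if gaps:
            failures[n] = gaps
    return failures


# Constructed sample records: one complete, one without a subject, one with an
# unusable timestamp and no outcome, and one that is not a record at all.
SAMPLE_LOG = [
    '{"event_type":"login","timestamp":"2024-03-01T08:15:02Z","host":"web01",'
    '"src_ip":"10.0.0.7","result":"success","user":"alice"}',
    '{"event_type":"file_read","timestamp":"2024-03-01T08:16:40Z","host":"web01",'
    '"process":"nginx","result":"denied"}',
    '{"event_type":"config_change","timestamp":"yesterday","host":"db02",'
    '"src_ip":"10.0.0.9","user":"root"}',
    "not json at all",
]

if __name__ == "__main__":
    for line_no, gaps in check_audit_log(SAMPLE_LOG).items():
        print(f"line {line_no}: missing {', '.join(gaps)}")
```

The check is deliberately per-element so that its output lines up with the CCI split (CCI-000130 through CCI-001487): an assessor can cite which CCI a log source fails rather than a blanket AU-3 finding. Treating an unparseable timestamp as "when not established" matters in practice, because free-text times cannot be correlated across sources during an investigation.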
ADDITIONAL AUDIT INFORMATION
AU-3 (1) The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].
AU-3 (1)
(CCI-000135)
The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records.
AU-3 (1)
(CCI-001488)
The organization defines additional, more detailed information to be included in the audit records.
CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT
AU-3 (2) The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
AU-3 (2)
(CCI-001844)
The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components.
AU-3 (2)
(CCI-001845)
The information system provides centralized configuration of the content to be captured in audit records generated by organization-defined information system components.
AU-3 (2)
(CCI-001846)
The organization defines information system components that will generate the audit records which are to be captured for centralized management of the content.
AU-3 (2)
(CCI-001847)
The organization defines information system components that will generate the audit records which are to be captured for centralized configuration of the content.
AU-4 AUDIT AND ACCOUNTABILITY : AUDIT STORAGE CAPACITY
AU-4 The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
AU-4
(CCI-001848)
The organization defines the audit record storage requirements.
AU-4
(CCI-001849)
The organization allocates audit record storage capacity in accordance with organization-defined audit record storage requirements.
TRANSFER TO ALTERNATE STORAGE
AU-4 (1) The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.
AU-4 (1)
(CCI-001850)
The organization defines the frequency on which the information system off-loads audit records onto a different system or media than the system being audited.
AU-4 (1)
(CCI-001851)
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited.
AU-5 AUDIT AND ACCOUNTABILITY : RESPONSE TO AUDIT PROCESSING FAILURES
AU-5 The information system:
AU-5a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
AU-5 a
(CCI-001572)
The organization defines the personnel or roles to be alerted in the event of an audit processing failure.
AU-5 a
(CCI-000139)
The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure.
AU-5b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
AU-5 b
(CCI-000140)
The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
AU-5 b
(CCI-001490)
The organization defines actions to be taken by the information system upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
AUDIT STORAGE CAPACITY
AU-5 (1) The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.
AU-5 (1)
(CCI-001852)
The organization defines the personnel, roles and/or locations to receive a warning when allocated audit record storage volume reaches a defined percentage of maximum audit records storage capacity.
AU-5 (1)
(CCI-001853)
The organization defines the time period within which organization-defined personnel, roles, and/or locations are to receive warnings when allocated audit record storage volume reaches an organization-defined percentage of maximum audit records storage capacity.
AU-5 (1)
(CCI-001854)
The organization defines the percentage of maximum audit record storage capacity that is to be reached, at which time the information system will provide a warning to organization-defined personnel, roles, and/or locations.
AU-5 (1)
(CCI-001855)
The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity.
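AU-5 a, AU-5 b and AU-5 (1) together describe one mechanism: the system watches its audit storage, warns designated roles at a configured fill percentage, and applies a pre-chosen action when a record cannot be stored. The following is an added Python example of a bounded audit repository implementing those three behaviours; it is not NIST or DISA text and not code from any product. The capacity, warning percentage, role names and the alert sink are hypothetical, and the three actions are the examples the control text itself lists.

```python
"""Added illustration (not NIST or DISA text): a bounded audit repository that
warns designated roles at a configured fill percentage (AU-5 (1)) and applies
a configured action on audit processing failure (AU-5 a / AU-5 b).
Capacity, threshold, roles and the alert sink are hypothetical."""
from collections import deque
from enum import Enum


class FailureAction(Enum):
    """The three example actions named in AU-5 b."""
    HALT = "shut down information system"
    OVERWRITE_OLDEST = "overwrite oldest audit records"
    STOP_AUDITING = "stop generating audit records"


class AuditRepository:
    def __init__(self, capacity, warn_percent, on_failure, alert_roles, alert_sink):
        self.capacity = capacity            # organization-defined storage allocation (AU-4)
        self.warn_percent = warn_percent    # organization-defined percentage (CCI-001854)
        self.on_failure = on_failure        # organization-defined action (CCI-001490)
        self.alert_roles = tuple(alert_roles)  # organization-defined roles (CCI-001572)
        self.alert_sink = alert_sink        # callable(roles, message): pager, SIEM, e-mail
        self.records = deque()
        self.halted = False
        self.auditing = True
        self.dropped = 0
        self._warned = False

    def percent_used(self) -> int:
        return 100 * len(self.records) // self.capacity

    def _alert(self, message: str) -> None:
        self.alert_sink(self.alert_roles, message)

    def append(self, record) -> bool:
        """Store one record; returns True if it was retained."""
        if self.halted:
            raise RuntimeError("system halted on audit failure")
        if not self.auditing:
            self.dropped += 1          # AU-5 b: auditing was stopped by policy
            return False
        if len(self.records) >= self.capacity:
            return self._handle_failure(record)
        self.records.append(record)
        # AU-5 (1): one warning when the allocated volume reaches the threshold.
        if not self._warned and self.percent_used() >= self.warn_percent:
            self._warned = True
            self._alert(f"audit storage at {self.percent_used()}% of capacity")
        return True

    def _handle_failure(self, record) -> bool:
        self._alert("audit processing failure: repository full")  # AU-5 a
        if self.on_failure is FailureAction.OVERWRITE_OLDEST:
            self.records.popleft()
            self.records.append(record)
            return True
        if self.on_failure is FailureAction.STOP_AUDITING:
            self.auditing = False
            self.dropped += 1
            return False
        self.halted = True  # FailureAction.HALT: fail closed rather than run unaudited
        raise RuntimeError("system halted on audit failure")


if __name__ == "__main__":
    sent = []
    repo = AuditRepository(10, 80, FailureAction.OVERWRITE_OLDEST, ("ISSO",),
                           lambda roles, msg: sent.append((roles, msg)))
    for i in range(11):
        repo.append(f"event-{i}")
    print(sent)  # warning at 80%, then a failure alert on the 11th record
```

The choice among the three actions is the security decision the control leaves to the organization: overwriting keeps the system running but destroys the oldest evidence, stopping auditing keeps the system and old evidence but creates a blind spot, and halting preserves accountability at the cost of availability. Whichever is chosen, the alert to the defined roles fires before the action so the failure itself is never silent.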
REAL-TIME ALERTS
AU-5 (2) The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
AU-5 (2)
(CCI-000147)
The organization defines the audit failure events requiring real-time alerts.
AU-5 (2)
(CCI-001856)
The organization defines the real-time period within which the information system is to provide an alert when organization-defined audit failure events occur.
AU-5 (2)
(CCI-001857)
The organization defines the personnel, roles, and/or locations to receive alerts when organization-defined audit failure events occur.
AU-5 (2)
(CCI-001858)
The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.
CONFIGURABLE TRAFFIC VOLUME THRESHOLDS
AU-5 (3) The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.
AU-5 (3)
(CCI-001573)
The organization defines whether to reject or delay network traffic that exceeds organization-defined thresholds.
AU-5 (3)
(CCI-000145)
The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity by delaying or rejecting network traffic which exceeds the organization-defined thresholds.
AU-5 (3)
(CCI-001859)
The organization defines the network communication traffic volume thresholds reflecting limits on auditing capacity, specifying when the information system will reject or delay network traffic that exceeds those thresholds.
SHUTDOWN ON FAILURE
AU-5 (4) The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.
AU-5 (4)
(CCI-001860)
The organization defines the audit failures which, should they occur, will invoke an organization-defined system mode.
AU-5 (4)
(CCI-001861)
The information system invokes an organization-defined system mode, in the event of organization-defined audit failures, unless an alternate audit capability exists.
AU-5 (4)
(CCI-002907)
The organization defines the system mode to be invoked, such as a full system shutdown, a partial system shutdown, or a degraded operational mode with limited mission/business functionality available, in the event of organization-defined audit failures.
AU-6 AUDIT AND ACCOUNTABILITY : AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-6 The organization:
AU-6a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
AU-6 a
(CCI-000148)
The organization reviews and analyzes information system audit records on an organization-defined frequency for indications of organization-defined inappropriate or unusual activity.
AU-6 a
(CCI-000151)
The organization defines the frequency for the review and analysis of information system audit records for organization-defined inappropriate or unusual activity.
AU-6 a
(CCI-001862)
The organization defines the types of inappropriate or unusual activity to be reviewed and analyzed in the audit records.
AU-6b. Reports findings to [Assignment: organization-defined personnel or roles].
AU-6 b
(CCI-000149)
The organization reports any findings to organization-defined personnel or roles for indications of organization-defined inappropriate or unusual activity.
AU-6 b
(CCI-001863)
The organization defines the personnel or roles to receive the reports of organization-defined inappropriate or unusual activity.
PROCESS INTEGRATION
AU-6 (1) The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
AU-6 (1)
(CCI-001864)
The organization employs automated mechanisms to integrate audit review and analysis to support organizational processes for investigation of and response to suspicious activities.
AU-6 (1)
(CCI-001865)
The organization employs automated mechanisms to integrate reporting processes to support organizational investigation of and response to suspicious activities.
AUTOMATED SECURITY ALERTS
AU-6 (2) [Withdrawn: Incorporated into SI-4].
CORRELATE AUDIT REPOSITORIES
AU-6 (3) The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
AU-6 (3)
(CCI-000153)
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
CENTRAL REVIEW AND ANALYSIS
AU-6 (4) The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
AU-6 (4)
(CCI-000154)
The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
INTEGRATION / SCANNING AND MONITORING CAPABILITIES
AU-6 (5) The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
AU-6 (5)
(CCI-001866)
The organization defines the data/information to be collected from other sources to enhance its ability to identify inappropriate or unusual activity.
AU-6 (5)
(CCI-001867)
The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, information system monitoring information, and/or organization-defined data/information collected from other sources to further enhance its ability to identify inappropriate or unusual activity.
CORRELATION WITH PHYSICAL MONITORING
AU-6 (6) The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
AU-6 (6)
(CCI-001491)
The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
PERMITTED ACTIONS
AU-6 (7) The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.
AU-6 (7)
(CCI-001868)
The organization specifies the permitted actions for each information system process, role, and/or user associated with the review and analysis of audit information.
AU-6 (7)
(CCI-001869)
The organization specifies the permitted actions for each information system process, role, and/or user associated with the reporting of audit information.
FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS
AU-6 (8) The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
AU-6 (8)
(CCI-001870)
The organization performs a full-text analysis of audited privileged commands in a physically-distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES
AU-6 (9) The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.
AU-6 (9)
(CCI-001871)
The organization correlates information from non-technical sources with audit information to enhance organization-wide situational awareness.
AUDIT LEVEL ADJUSTMENT
AU-6 (10) The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-6 (10)
(CCI-001872)
The organization adjusts the level of audit review and analysis within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-6 (10)
(CCI-001873)
The organization adjusts the level of audit analysis within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-6 (10)
(CCI-001874)
The organization adjusts the level of audit reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-7 AUDIT AND ACCOUNTABILITY : AUDIT REDUCTION AND REPORT GENERATION
AU-7 The information system provides an audit reduction and report generation capability that:
AU-7a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
AU-7 a
(CCI-001875)
The information system provides an audit reduction capability that supports on-demand audit review and analysis.
AU-7 a
(CCI-001876)
The information system provides an audit reduction capability that supports on-demand reporting requirements.
AU-7 a
(CCI-001877)
The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents.
AU-7 a
(CCI-001878)
The information system provides a report generation capability that supports on-demand audit review and analysis.
AU-7 a
(CCI-001879)
The information system provides a report generation capability that supports on-demand reporting requirements.
AU-7 a
(CCI-001880)
The information system provides a report generation capability that supports after-the-fact investigations of security incidents.
AU-7b. Does not alter the original content or time ordering of audit records.
AU-7 b
(CCI-001881)
The information system provides an audit reduction capability that does not alter original content or time ordering of audit records.
AU-7 b
(CCI-001882)
The information system provides a report generation capability that does not alter original content or time ordering of audit records.
AUTOMATIC PROCESSING
AU-7 (1) The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
AU-7 (1)
(CCI-000158)
The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records.
AU-7 (1)
(CCI-001883)
The organization defines the audit fields within audit records to be processed for events of interest by the information system.
AUTOMATIC SORT AND SEARCH
AU-7 (2) The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records].
AU-7 (2)
(CCI-001884)
The organization defines the audit fields within audit records to be sorted for events of interest by the information system.
AU-7 (2)
(CCI-001885)
The organization defines the audit fields within audit records to be searched for events of interest by the information system.
AU-7 (2)
(CCI-001886)
The information system provides the capability to sort audit records for events of interest based on the content of organization-defined audit fields within audit records.
AU-7 (2)
(CCI-001887)
The information system provides the capability to search audit records for events of interest based on the content of organization-defined audit fields within audit records.
AU-8 AUDIT AND ACCOUNTABILITY : TIME STAMPS
AU-8 The information system:
AU-8a. Uses internal system clocks to generate time stamps for audit records; and
AU-8 a
(CCI-000159)
The information system uses internal system clocks to generate time stamps for audit records.
AU-8b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
AU-8 b
(CCI-001888)
The organization defines the granularity of time measurement for time stamps generated for audit records.
AU-8 b
(CCI-001889)
The information system records time stamps for audit records that meet organization-defined granularity of time measurement.
AU-8 b
(CCI-001890)
The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE
AU-8 (1) The information system:
AU-8 (1)(a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
AU-8 (1) (a)
(CCI-000161)
The organization defines the frequency for the synchronization of internal information system clocks.
AU-8 (1) (a)
(CCI-001492)
The organization defines an authoritative time source for the synchronization of internal information system clocks.
AU-8 (1) (a)
(CCI-001891)
The information system compares internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.
AU-8 (1)(b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
AU-8 (1) (b)
(CCI-001892)
The organization defines the time difference which, when exceeded, will require the information system to synchronize the internal information system clocks to the organization-defined authoritative time source.
AU-8 (1) (b)
(CCI-002046)
The information system synchronizes the internal system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.
SECONDARY AUTHORITATIVE TIME SOURCE
AU-8 (2) The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.
AU-8 (2)
(CCI-001893)
The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.
AU-9 AUDIT AND ACCOUNTABILITY : PROTECTION OF AUDIT INFORMATION
AU-9 The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
AU-9
(CCI-000162)
The information system protects audit information from unauthorized access.
AU-9
(CCI-000163)
The information system protects audit information from unauthorized modification.
AU-9
(CCI-000164)
The information system protects audit information from unauthorized deletion.
AU-9
(CCI-001493)
The information system protects audit tools from unauthorized access.
AU-9
(CCI-001494)
The information system protects audit tools from unauthorized modification.
AU-9
(CCI-001495)
The information system protects audit tools from unauthorized deletion.
HARDWARE WRITE-ONCE MEDIA
AU-9 (1) The information system writes audit trails to hardware-enforced, write-once media.
AU-9 (1)
(CCI-000165)
The information system writes audit records to hardware-enforced, write-once media.
AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS
AU-9 (2) The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
AU-9 (2)
(CCI-001575)
The organization defines the system or system component for storing audit records that is a different system or system component than the system or component being audited.
AU-9 (2)
(CCI-001348)
The information system backs up audit records on an organization-defined frequency onto a different system or system component than the system or component being audited.
AU-9 (2)
(CCI-001349)
The organization defines a frequency for backing up system audit records onto a different system or system component than the system or component being audited.
CRYPTOGRAPHIC PROTECTION
AU-9 (3) The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
AU-9 (3)
(CCI-001350)
The information system implements cryptographic mechanisms to protect the integrity of audit information.
AU-9 (3)
(CCI-001496)
The information system implements cryptographic mechanisms to protect the integrity of audit tools.
ACCESS BY SUBSET OF PRIVILEGED USERS
AU-9 (4) The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].
AU-9 (4)
(CCI-001351)
The organization authorizes access to management of audit functionality to only an organization-defined subset of privileged users.
AU-9 (4)
(CCI-001894)
The organization defines the subset of privileged users who will be authorized access to the management of audit functionality.
DUAL AUTHORIZATION
AU-9 (5) The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].
AU-9 (5)
(CCI-001895)
The organization defines the audit information requiring dual authorization for movement or deletion actions.
AU-9 (5)
(CCI-001896)
The organization enforces dual authorization for movement and/or deletion of organization-defined audit information.
READ ONLY ACCESS
AU-9 (6) The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users].
AU-9 (6)
(CCI-001897)
The organization defines the subset of privileged users who will be authorized read-only access to audit information.
AU-9 (6)
(CCI-001898)
The organization authorizes read-only access to audit information to an organization-defined subset of privileged users.
AU-10 AUDIT AND ACCOUNTABILITY : NON-REPUDIATION
AU-10 The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].
AU-10
(CCI-000166)
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
AU-10
(CCI-001899)
The organization defines the actions to be covered by non-repudiation.
ASSOCIATION OF IDENTITIES
AU-10 (1) The information system:
AU-10 (1)(a) Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and
AU-10 (1) (a)
(CCI-001900)
The organization defines the strength of binding to be applied to the binding of the identity of the information producer with the information.
AU-10 (1) (a)
(CCI-001901)
The information system binds the identity of the information producer with the information to an organization-defined strength of binding.
AU-10 (1)(b) Provides the means for authorized individuals to determine the identity of the producer of the information.
AU-10 (1) (b)
(CCI-001902)
The information system provides the means for authorized individuals to determine the identity of the producer of the information.
VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY
AU-10 (2) The information system:
AU-10 (2)(a) Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and
AU-10 (2) (a)
(CCI-001903)
The organization defines the frequency on which the information system is to validate the binding of the information producer identity to the information.
AU-10 (2) (a)
(CCI-001904)
The information system validates the binding of the information producer identity to the information at an organization-defined frequency.
AU-10 (2)(b) Performs [Assignment: organization-defined actions] in the event of a validation error.
AU-10 (2) (b)
(CCI-001905)
The organization defines the actions to be performed in the event of an error when validating the binding of the information producer identity to the information.
AU-10 (2) (b)
(CCI-001906)
The information system performs organization-defined actions in the event of an error when validating the binding of the information producer identity to the information.
CHAIN OF CUSTODY
AU-10 (3) The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
AU-10 (3)
(CCI-001340)
The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY
AU-10 (4) The information system:
AU-10 (4)(a) Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and
AU-10 (4) (a)
(CCI-001341)
The information system validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between organization-defined security domains.
AU-10 (4) (a)
(CCI-001907)
The organization defines the security domains which will require the information system to validate the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer.
AU-10 (4)(b) Performs [Assignment: organization-defined actions] in the event of a validation error.
AU-10 (4) (b)
(CCI-001908)
The organization defines the action the information system is to perform in the event of an information reviewer identity binding validation error.
AU-10 (4) (b)
(CCI-001909)
The information system performs organization-defined actions in the event of an information reviewer identity binding validation error.
DIGITAL SIGNATURES
AU-10 (5) [Withdrawn: Incorporated into SI-7].
AU-11 AUDIT AND ACCOUNTABILITY : AUDIT RECORD RETENTION
AU-11 The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
AU-11
(CCI-000167)
The organization retains audit records for an organization-defined time period to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
AU-11
(CCI-000168)
The organization defines the time period for retention of audit records, which is consistent with its records retention policy, to provide support for after-the-fact investigations of security incidents and meet regulatory and organizational information retention requirements.
LONG-TERM RETRIEVAL CAPABILITY
AU-11 (1) The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved.
AU-11 (1)
(CCI-002044)
The organization defines measures to be employed to ensure that long-term audit records generated by the information system can be retrieved.
AU-11 (1)
(CCI-002045)
The organization employs organization-defined measures to ensure that long-term audit records generated by the information system can be retrieved.
AU-12 AUDIT AND ACCOUNTABILITY : AUDIT GENERATION
AU-12 The information system:
AU-12a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
AU-12 a
(CCI-000169)
The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.
AU-12 a
(CCI-001459)
The organization defines information system components that provide audit record generation capability.
AU-12b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
AU-12 b
(CCI-000171)
The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.
AU-12 b
(CCI-001910)
The organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system.
AU-12c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
AU-12 c
(CCI-000172)
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL
AU-12 (1) The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].
AU-12 (1)
(CCI-001576)
The information system produces a system-wide (logical or physical) audit trail of information system audit records.
AU-12 (1)
(CCI-001577)
The organization defines the information system components from which audit records are to be compiled into the system-wide audit trail.
AU-12 (1)
(CCI-000173)
The organization defines the level of tolerance for relationship between time stamps of individual records in the audit trail that will be used for correlation.
AU-12 (1)
(CCI-000174)
The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail.
STANDARDIZED FORMATS
AU-12 (2) The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
AU-12 (2)
(CCI-001353)
The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
CHANGES BY AUTHORIZED INDIVIDUALS
AU-12 (3) The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
AU-12 (3)
(CCI-001911)
The organization defines the selectable event criteria to be used as the basis for changes to the auditing to be performed on organization-defined information system components, by organization-defined individuals or roles, within organization-defined time thresholds.
AU-12 (3)
(CCI-001912)
The organization defines the time thresholds for organization-defined individuals or roles to change the auditing to be performed based on organization-defined selectable event criteria.
AU-12 (3)
(CCI-001913)
The organization defines the individuals or roles that are to be provided the capability to change the auditing to be performed based on organization-defined selectable event criteria, within organization-defined time thresholds.
AU-12 (3)
(CCI-001914)
The information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.
AU-12 (3)
(CCI-002047)
The organization defines the information system components on which the auditing that is to be performed can be changed by organization-defined individuals or roles.
AU-13 AUDIT AND ACCOUNTABILITY : MONITORING FOR INFORMATION DISCLOSURE
AU-13 The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.
AU-13
(CCI-001460)
The organization monitors organization-defined open source information and/or information sites per organization-defined frequency for evidence of unauthorized exfiltration or disclosure of organizational information.
AU-13
(CCI-001461)
The organization defines a frequency for monitoring open source information and/or information sites for evidence of unauthorized exfiltration or disclosure of organizational information.
AU-13
(CCI-001915)
The organization defines the open source information and/or information sites to be monitored for evidence of unauthorized exfiltration or disclosure of organizational information.
USE OF AUTOMATED TOOLS
AU-13 (1) The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.
AU-13 (1)
(CCI-001916)
The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.
REVIEW OF MONITORED SITES
AU-13 (2) The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency].
AU-13 (2)
(CCI-001917)
The organization defines the frequency for reviewing the open source information sites being monitored.
AU-13 (2)
(CCI-001918)
The organization reviews the open source information sites being monitored per organization-defined frequency.
AU-14 AUDIT AND ACCOUNTABILITY : SESSION AUDIT
AU-14 The information system provides the capability for authorized users to select a user session to capture/record or view/hear.
AU-14
(CCI-001919)
The information system provides the capability for authorized users to select a user session to capture/record or view/hear.
SYSTEM START-UP
AU-14 (1) The information system initiates session audits at system start-up.
AU-14 (1)
(CCI-001464)
The information system initiates session audits at system start-up.
CAPTURE/RECORD AND LOG CONTENT
AU-14 (2) The information system provides the capability for authorized users to capture/record and log content related to a user session.
AU-14 (2)
(CCI-001462)
The information system provides the capability for authorized users to capture/record and log content related to a user session.
REMOTE VIEWING / LISTENING
AU-14 (3) The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.
AU-14 (3)
(CCI-001920)
The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.
AU-15 AUDIT AND ACCOUNTABILITY : ALTERNATE AUDIT CAPABILITY
AU-15 The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].
AU-15
(CCI-001921)
The organization defines the alternative audit functionality to be provided in the event of a failure in the primary audit capability.
AU-15
(CCI-001922)
The organization provides an alternative audit capability in the event of a failure in primary audit capability that provides organization-defined alternative audit functionality.
AU-16 AUDIT AND ACCOUNTABILITY : CROSS-ORGANIZATIONAL AUDITING
AU-16 The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
AU-16
(CCI-001923)
The organization defines the audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries.
AU-16
(CCI-001924)
The organization defines the methods to be employed when coordinating audit information among external organizations when audit information is transmitted across organizational boundaries.
AU-16
(CCI-001925)
The organization employs organization-defined methods for coordinating organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries.
IDENTITY PRESERVATION
AU-16 (1) The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
AU-16 (1)
(CCI-001926)
The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
SHARING OF AUDIT INFORMATION
AU-16 (2) The organization provides cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements].
AU-16 (2)
(CCI-001927)
The organization defines the organizations that will be provided cross-organizational audit information.
AU-16 (2)
(CCI-001928)
The organization defines the cross-organizational sharing agreements to be established with organization-defined organizations authorized to be provided cross-organizational sharing of audit information.
AU-16 (2)
(CCI-001929)
The organization provides cross-organizational audit information to organization-defined organizations based on organization-defined cross-organizational sharing agreements.
CA-1 SECURITY ASSESSMENT AND AUTHORIZATION : SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES
CA-1 The organization:
CA-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
CA-1a.1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
CA-1 a 1
(CCI-000239)
The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CA-1 a 1
(CCI-000240)
The organization disseminates to organization-defined personnel or roles a security assessment and authorization policy.
CA-1 a 1
(CCI-002060)
The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CA-1 a 1
(CCI-002061)
The organization defines the personnel or roles to whom security assessment and authorization policy is to be disseminated.
CA-1a.2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
CA-1 a 2
(CCI-000242)
The organization develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
CA-1 a 2
(CCI-000243)
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls.
CA-1 a 2
(CCI-002062)
The organization defines the personnel or roles to whom the security assessment and authorization procedures are to be disseminated.
CA-1b. Reviews and updates the current:
CA-1b.1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
CA-1 b 1
(CCI-000238)
The organization defines the frequency to review and update the current security assessment and authorization policy.
CA-1 b 1
(CCI-000241)
The organization reviews and updates the current security assessment and authorization policy in accordance with organization-defined frequency.
CA-1b.2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CA-1 b 2
(CCI-001578)
The organization defines the frequency to review and update the current security assessment and authorization procedures.
CA-1 b 2
(CCI-000244)
The organization reviews and updates the current security assessment and authorization procedures in accordance with organization-defined frequency.
CA-2 SECURITY ASSESSMENT AND AUTHORIZATION : SECURITY ASSESSMENTS
CA-2 The organization:
CA-2a. Develops a security assessment plan that describes the scope of the assessment including:
CA-2 a
(CCI-000245)
The organization develops a security assessment plan for the information system and its environment of operation.
CA-2a.1. Security controls and control enhancements under assessment;
CA-2 a 1
(CCI-000246)
The organization's security assessment plan describes the security controls and control enhancements under assessment.
CA-2a.2. Assessment procedures to be used to determine security control effectiveness; and
CA-2 a 2
(CCI-000247)
The organization's security assessment plan describes assessment procedures to be used to determine security control effectiveness.
CA-2a.3. Assessment environment, assessment team, and assessment roles and responsibilities;
CA-2 a 3
(CCI-000248)
The organization's security assessment plan describes assessment environment.
CA-2 a 3
(CCI-002070)
The organization's security assessment plan describes the assessment team, and assessment roles and responsibilities.
CA-2b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
CA-2 b
(CCI-000251)
The organization assesses, on an organization-defined frequency, the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements.
CA-2 b
(CCI-000252)
The organization defines the frequency on which the security controls in the information system and its environment of operation are assessed.
CA-2c. Produces a security assessment report that documents the results of the assessment; and
CA-2 c
(CCI-000253)
The organization produces a security assessment report that documents the results of the assessment against the information system and its environment of operation.
CA-2d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CA-2 d
(CCI-000254)
The organization provides the results of the security control assessment against the information system and its environment of operation to organization-defined individuals or roles.
CA-2 d
(CCI-002071)
The organization defines the individuals or roles to whom the results of the security control assessment are to be provided.
INDEPENDENT ASSESSORS
CA-2 (1) The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.
CA-2 (1)
(CCI-000255)
The organization employs assessors or assessment teams with an organization-defined level of independence to conduct security control assessments of organizational information systems.
CA-2 (1)
(CCI-002063)
The organization defines the level of independence for assessors or assessment teams to conduct security control assessments of organizational information systems.
SPECIALIZED ASSESSMENTS
CA-2 (2) The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].
CA-2 (2)
(CCI-000256)
The organization includes, as part of security control assessments announced or unannounced, one or more of the following: in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; and organization-defined other forms of security assessment on an organization-defined frequency.
CA-2 (2)
(CCI-001582)
The organization defines other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; and performance/load testing that should be included as part of security control assessments.
CA-2 (2)
(CCI-001583)
The organization selects announced or unannounced assessments for each form of security control assessment.
CA-2 (2)
(CCI-001681)
The organization defines the frequency at which each form of security control assessment should be conducted.
CA-2 (2)
(CCI-002064)
The organization selects one or more security assessment techniques to be conducted.
CA-2 (2)
(CCI-002065)
The organization defines the frequency at which to conduct security control assessments.
EXTERNAL ORGANIZATIONS
CA-2 (3) The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].
CA-2 (3)
(CCI-002066)
The organization accepts the results of an assessment of the organization-defined information system performed by an organization-defined external organization when the assessment meets organization-defined requirements.
CA-2 (3)
(CCI-002067)
The organization defines the information systems for which they will accept the results of an assessment performed by an external organization.
CA-2 (3)
(CCI-002068)
The organization defines the external organizations from which assessment results for organization-defined information systems will be accepted.
CA-2 (3)
(CCI-002069)
The organization defines the requirements the assessments for organization-defined information systems from organization-defined external organizations must meet.
CA-3 SECURITY ASSESSMENT AND AUTHORIZATION : SYSTEM INTERCONNECTIONS
CA-3 The organization:
CA-3a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
CA-3 a
(CCI-000257)
The organization authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements.
CA-3b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
CA-3 b
(CCI-000258)
The organization documents, for each interconnection, the interface characteristics.
CA-3 b
(CCI-000259)
The organization documents, for each interconnection, the security requirements.
CA-3 b
(CCI-000260)
The organization documents, for each interconnection, the nature of the information communicated.
CA-3c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CA-3 c
(CCI-002083)
The organization reviews and updates Interconnection Security Agreements on an organization-defined frequency.
CA-3 c
(CCI-002084)
The organization defines the frequency at which reviews and updates to the Interconnection Security Agreements must be conducted.
UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
CA-3 (1) The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
CA-3 (1)
(CCI-000262)
The organization prohibits the direct connection of an organization-defined unclassified, national security system to an external network without the use of an organization-defined boundary protection device.
CA-3 (1)
(CCI-002072)
The organization defines the unclassified, national security systems that are prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device.
CA-3 (1)
(CCI-002073)
The organization defines the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network.
CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
CA-3 (2) The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
CA-3 (2)
(CCI-000263)
The organization prohibits the direct connection of a classified, national security system to an external network without the use of organization-defined boundary protection device.
CA-3 (2)
(CCI-002074)
The organization defines the boundary protection device to be used for the direct connection of classified, national security system to an external network.
UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS
CA-3 (3) The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
CA-3 (3)
(CCI-002075)
The organization prohibits the direct connection of an organization-defined unclassified, non-national security system to an external network without the use of organization-defined boundary protection device.
CA-3 (3)
(CCI-002076)
The organization defines the unclassified, non-national security system that is prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device.
CA-3 (3)
(CCI-002077)
The organization defines the boundary protection device to be used to directly connect an organization-defined unclassified, non-national security system to an external network.
CONNECTIONS TO PUBLIC NETWORKS
CA-3 (4) The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network.
CA-3 (4)
(CCI-002078)
The organization prohibits the direct connection of an organization-defined information system to a public network.
CA-3 (4)
(CCI-002079)
The organization defines the information system that is prohibited from directly connecting to a public network.
RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS
CA-3 (5) The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.
CA-3 (5)
(CCI-002080)
The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.
CA-3 (5)
(CCI-002081)
The organization defines the information systems that employ either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing connections to external information systems.
CA-3 (5)
(CCI-002082)
The organization selects either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.
CA-4 SECURITY ASSESSMENT AND AUTHORIZATION : SECURITY CERTIFICATION
CA-4 [Withdrawn: Incorporated into CA-2].
CA-5 SECURITY ASSESSMENT AND AUTHORIZATION : PLAN OF ACTION AND MILESTONES
CA-5 The organization:
CA-5a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
CA-5 a
(CCI-000264)
The organization develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
CA-5b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CA-5 b
(CCI-000265)
The organization defines the frequency with which to update the existing plan of action and milestones for the information system.
CA-5 b
(CCI-000266)
The organization updates, on an organization-defined frequency, the existing plan of action and milestones for the information system based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
CA-5 (1) The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.
CA-5 (1)
(CCI-000267)
The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is accurate.
CA-5 (1)
(CCI-000268)
The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is up to date.
CA-5 (1)
(CCI-000269)
The organization employs automated mechanisms to help ensure the plan of action and milestones for the information system is readily available.
CA-6 SECURITY ASSESSMENT AND AUTHORIZATION : SECURITY AUTHORIZATION
CA-6 The organization:
CA-6a. Assigns a senior-level executive or manager as the authorizing official for the information system;
CA-6 a
(CCI-000270)
The organization assigns a senior-level executive or manager as the authorizing official for the information system.
CA-6b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
CA-6 b
(CCI-000271)
The organization ensures the authorizing official authorizes the information system for processing before commencing operations.
CA-6c. Updates the security authorization [Assignment: organization-defined frequency].
CA-6 c
(CCI-000272)
The organization updates the security authorization on an organization-defined frequency.
CA-6 c
(CCI-000273)
The organization defines the frequency with which to update the security authorization.
CA-7 SECURITY ASSESSMENT AND AUTHORIZATION : CONTINUOUS MONITORING
CA-7 The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
CA-7
(CCI-000274)
The organization develops a continuous monitoring strategy.
CA-7a. Establishment of [Assignment: organization-defined metrics] to be monitored;
CA-7 a
(CCI-002087)
The organization establishes and defines the metrics to be monitored for the continuous monitoring program.
CA-7b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
CA-7 b
(CCI-002088)
The organization establishes and defines the frequencies for continuous monitoring.
CA-7 b
(CCI-002089)
The organization establishes and defines the frequencies for assessments supporting continuous monitoring.
CA-7c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
CA-7 c
(CCI-000279)
The organization implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.
CA-7d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
CA-7 d
(CCI-002090)
The organization implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.
CA-7e. Correlation and analysis of security-related information generated by assessments and monitoring;
CA-7 e
(CCI-002091)
The organization implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring.
CA-7f. Response actions to address results of the analysis of security-related information; and
CA-7 f
(CCI-002092)
The organization implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information.
CA-7g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CA-7 g
(CCI-001581)
The organization defines personnel or roles to whom the security status of the organization and the information system should be reported.
CA-7 g
(CCI-000280)
The organization implements a continuous monitoring program that includes reporting the security status of the organization and the information system to organization-defined personnel or roles on an organization-defined frequency.
CA-7 g
(CCI-000281)
The organization defines the frequency with which to report the security status of the organization and the information system to organization-defined personnel or roles.
INDEPENDENT ASSESSMENT
CA-7 (1) The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
CA-7 (1)
(CCI-000282)
The organization employs assessors or assessment teams with an organization-defined level of independence to monitor the security controls in the information system on an ongoing basis.
CA-7 (1)
(CCI-002085)
The organization defines the level of independence the assessors or assessment teams must have to monitor the security controls in the information system on an ongoing basis.
TYPES OF ASSESSMENTS
CA-7 (2) [Withdrawn: Incorporated into CA-2.]
TREND ANALYSES
CA-7 (3) The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.
CA-7 (3)
(CCI-002086)
The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.
CA-8 SECURITY ASSESSMENT AND AUTHORIZATION : PENETRATION TESTING
CA-8 The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].
CA-8
(CCI-002093)
The organization conducts penetration testing in accordance with organization-defined frequency on organization-defined information systems or system components.
CA-8
(CCI-002094)
The organization defines the frequency for conducting penetration testing on organization-defined information systems or system components.
CA-8
(CCI-002095)
The organization defines the information systems or system components on which penetration testing will be conducted.
INDEPENDENT PENETRATION AGENT OR TEAM
CA-8 (1) The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
CA-8 (1)
(CCI-002096)
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
RED TEAM EXERCISES
CA-8 (2) The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement].
CA-8 (2)
(CCI-002097)
The organization defines red team exercises to simulate attempts by adversaries to compromise organizational information systems.
CA-8 (2)
(CCI-002098)
The organization defines rules of engagement for red team exercises to simulate attempts by adversaries to compromise organizational information systems.
CA-8 (2)
(CCI-002099)
The organization employs organization-defined red team exercises to simulate attempts by adversaries to compromise organizational information systems in accordance with organization-defined rules of engagement.
CA-9 SECURITY ASSESSMENT AND AUTHORIZATION : INTERNAL SYSTEM CONNECTIONS
CA-9 The organization:
CA-9a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
CA-9b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
SECURITY COMPLIANCE CHECKS
CA-9 (1) The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.
CA-9 (1)
(CCI-002100)
The information system performs security compliance checks on constituent components prior to the establishment of the internal connection.
CM-1 CONFIGURATION MANAGEMENT : CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
CM-1 The organization:
CM-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
CM-1a.1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
CM-1 a 1
(CCI-000287)
The organization develops and documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CM-1 a 1
(CCI-001820)
The organization documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CM-1 a 1
(CCI-001821)
The organization defines the organizational personnel or roles to whom the configuration management policy is to be disseminated.
CM-1 a 1
(CCI-001822)
The organization disseminates the configuration management policy to organization-defined personnel or roles.
CM-1a.2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
CM-1 a 2
(CCI-000290)
The organization develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CM-1 a 2
(CCI-001823)
The organization documents the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CM-1 a 2
(CCI-001824)
The organization defines the organizational personnel or roles to whom the configuration management procedures are to be disseminated.
CM-1 a 2
(CCI-001825)
The organization disseminates to organization-defined personnel or roles the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CM-1b. Reviews and updates the current:
CM-1b.1. Configuration management policy [Assignment: organization-defined frequency]; and
CM-1 b 1
(CCI-000286)
The organization defines a frequency with which to review and update the configuration management policies.
CM-1 b 1
(CCI-000289)
The organization reviews and updates, on an organization-defined frequency, the configuration management policy.
CM-1b.2. Configuration management procedures [Assignment: organization-defined frequency].
CM-1 b 2
(CCI-001584)
The organization defines the frequency with which to review and update configuration management procedures.
CM-1 b 2
(CCI-000292)
The organization reviews and updates, on an organization-defined frequency, the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CM-2 CONFIGURATION MANAGEMENT : BASELINE CONFIGURATION
CM-2 The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
CM-2
(CCI-000293)
The organization develops a current baseline configuration of the information system.
CM-2
(CCI-000294)
The organization documents a baseline configuration of the information system.
CM-2
(CCI-000295)
The organization maintains, under configuration control, a current baseline configuration of the information system.
REVIEWS AND UPDATES
CM-2 (1) The organization reviews and updates the baseline configuration of the information system:
CM-2 (1)(a) [Assignment: organization-defined frequency];
CM-2 (1) (a)
(CCI-000296)
The organization reviews and updates the baseline configuration of the information system at an organization-defined frequency.
CM-2 (1) (a)
(CCI-001497)
The organization defines a frequency for the reviews and updates to the baseline configuration of the information system.
CM-2 (1)(b) When required due to [Assignment: organization-defined circumstances]; and
CM-2 (1) (b)
(CCI-001585)
The organization defines the circumstances that require reviews and updates to the baseline configuration of the information system.
CM-2 (1) (b)
(CCI-000297)
The organization reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances.
CM-2 (1)(c) As an integral part of information system component installations and upgrades.
CM-2 (1) (c)
(CCI-000298)
The organization reviews and updates the baseline configuration of the information system as an integral part of information system component installations.
CM-2 (1) (c)
(CCI-000299)
The organization reviews and updates the baseline configuration of the information system as an integral part of information system component upgrades.
AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
CM-2 (2) The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CM-2 (2)
(CCI-000300)
The organization employs automated mechanisms to maintain a complete baseline configuration of the information system.
CM-2 (2)
(CCI-000301)
The organization employs automated mechanisms to maintain an up-to-date baseline configuration of the information system.
CM-2 (2)
(CCI-000302)
The organization employs automated mechanisms to maintain an accurate baseline configuration of the information system.
CM-2 (2)
(CCI-000303)
The organization employs automated mechanisms to maintain a readily available baseline configuration of the information system.
RETENTION OF PREVIOUS CONFIGURATIONS
CM-2 (3) The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
CM-2 (3)
(CCI-000304)
The organization retains organization-defined previous versions of baseline configurations of the information system to support rollback.
CM-2 (3)
(CCI-001736)
The organization defines the previous versions of the baseline configuration of the information system required to support rollback.
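The CM-2 base control and its enhancements (2) and (3) above ask for a current, accurate baseline maintained by automated mechanisms and for retained previous versions that support rollback. Neither NIST SP 800-53 nor the CCI list prescribes how; the following is an added example, not code from either document, of the minimal shape such a mechanism takes: a baseline is a manifest of relative path to SHA-256 digest, file contents are kept in a content-addressed store so that a retained version can actually be restored, and a drift report lists what was added, removed or modified relative to an approved version. The directory layout, file names and the constructed configuration files in the demo are assumptions made for this example; the same drift check is the kind of test a CA-9 (1) pre-connection compliance check would run against a component.

```python
"""Baseline configuration: manifest, drift detection, retention and rollback.

Added example in the spirit of CM-2, CM-2(2) and CM-2(3); not code from NIST
SP 800-53 or the DISA CCI list.  Paths, file names and sample contents are
assumptions made for the example.
"""
from __future__ import annotations
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root (sorted, so output is stable)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def drift(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files added, removed or modified relative to the approved baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def compliant(report: dict[str, list[str]]) -> bool:
    """True when the drift report is empty, i.e. the system matches the baseline."""
    return not any(report.values())


class BaselineStore:
    """Retains the newest `keep` baseline versions and the blobs they reference (CM-2(3))."""

    def __init__(self, store: Path, keep: int = 2):
        self.store, self.keep = store, keep
        (store / "blobs").mkdir(parents=True, exist_ok=True)

    def versions(self) -> list[int]:
        return sorted(int(p.stem.split("-")[1]) for p in self.store.glob("baseline-*.json"))

    def manifest(self, version: int | None = None) -> dict[str, str]:
        version = self.versions()[-1] if version is None else version
        return json.loads((self.store / f"baseline-{version}.json").read_text())

    def capture(self, root: Path) -> int:
        """Record the current configuration as a new baseline version; prune beyond `keep`."""
        manifest = build_manifest(root)
        for rel, digest in manifest.items():
            blob = self.store / "blobs" / digest
            if not blob.exists():          # content-addressed: identical files share one blob
                shutil.copyfile(root / rel, blob)
        vs = self.versions()
        version = (vs[-1] + 1) if vs else 1
        (self.store / f"baseline-{version}.json").write_text(json.dumps(manifest, sort_keys=True))
        for old in self.versions()[:-self.keep]:
            (self.store / f"baseline-{old}.json").unlink()
        live = {d for v in self.versions() for d in self.manifest(v).values()}
        for blob in (self.store / "blobs").iterdir():   # drop blobs no retained version needs
            if blob.name not in live:
                blob.unlink()
        return version

    def check(self, root: Path, version: int | None = None) -> dict[str, list[str]]:
        return drift(self.manifest(version), build_manifest(root))

    def rollback(self, root: Path, version: int) -> dict[str, list[str]]:
        """Restore root to a retained version: rewrite drifted files, delete unreviewed additions."""
        target = self.manifest(version)
        report = drift(target, build_manifest(root))
        for rel in report["modified"] + report["removed"]:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(self.store / "blobs" / target[rel], root / rel)
        for rel in report["added"]:
            (root / rel).unlink()
        return self.check(root, version)   # all lists empty == back at that baseline


def demo() -> dict:
    """Constructed scenario: two authorized updates, a pruned version, drift, rollback."""
    tmp = Path(tempfile.mkdtemp())
    cfg = tmp / "etc"
    cfg.mkdir()
    (cfg / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
    (cfg / "sysctl.conf").write_text("net.ipv4.ip_forward = 0\n")
    store = BaselineStore(tmp / "baselines", keep=2)
    store.capture(cfg)                                              # version 1
    (cfg / "sysctl.conf").write_text("net.ipv4.ip_forward = 0\nkernel.randomize_va_space = 2\n")
    store.capture(cfg)                                              # version 2 (authorized change)
    (cfg / "login.defs").write_text("PASS_MAX_DAYS 60\n")
    store.capture(cfg)                                              # version 3; version 1 pruned
    # Unauthorized drift: weakened setting, unreviewed new file, deleted file.
    (cfg / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
    (cfg / "rc.local").write_text("nc -l 4444 -e /bin/sh\n")
    (cfg / "sysctl.conf").unlink()
    detected = store.check(cfg)                                     # against latest (3)
    after = store.rollback(cfg, 2)                                  # to an earlier retained version
    return {"versions": store.versions(), "detected": detected, "after_rollback": after,
            "sshd": (cfg / "sshd_config").read_text(), "sysctl": (cfg / "sysctl.conf").read_text()}
```

Two design points worth noting: hashes alone satisfy the "accurate and current" half of CM-2 (2) but cannot satisfy CM-2 (3), since a rollback needs the content, which is why the store keeps blobs; and the retention count is deliberately a parameter, because "previous versions required to support rollback" is the organization-defined value in CCI-001736 and the pruning of unreferenced blobs follows from whatever that value is.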
UNAUTHORIZED SOFTWARE
CM-2 (4) [Withdrawn: Incorporated into CM-7].
AUTHORIZED SOFTWARE
CM-2 (5) [Withdrawn: Incorporated into CM-7].
DEVELOPMENT AND TEST ENVIRONMENTS
CM-2 (6) The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
CM-2 (6)
(CCI-000311)
The organization maintains a baseline configuration for information system development environments that is managed separately from the operational baseline configuration.
CM-2 (6)
(CCI-000312)
The organization maintains a baseline configuration for information system test environments that is managed separately from the operational baseline configuration.
CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS
CM-2 (7) The organization:
CM-2 (7)(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
CM-2 (7) (a)
(CCI-001737)
The organization defines the information systems, system components, or devices that are to have organization-defined configurations applied when located in areas of significant risk.
CM-2 (7) (a)
(CCI-001738)
The organization defines the security configurations to be implemented on information systems, system components, or devices when they are located in areas of significant risk.
CM-2 (7) (a)
(CCI-001739)
The organization issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations the organization deems to be of significant risk.
CM-2 (7)(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
CM-2 (7) (b)
(CCI-001815)
The organization defines the security safeguards to be applied to devices when they return from areas of significant risk.
CM-2 (7) (b)
(CCI-001816)
The organization applies organization-defined security safeguards to devices when individuals return from areas of significant risk.
CM-3 CONFIGURATION MANAGEMENT : CONFIGURATION CHANGE CONTROL
CM-3 The organization:
CM-3a. Determines the types of changes to the information system that are configuration-controlled;
CM-3 a
(CCI-000313)
The organization determines the types of changes to the information system that are configuration-controlled.
CM-3b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
CM-3 b
(CCI-000314)
The organization approves or disapproves configuration-controlled changes to the information system, with explicit consideration for security impact analysis.
CM-3 b
(CCI-001740)
The organization reviews proposed configuration-controlled changes to the information system.
CM-3c. Documents configuration change decisions associated with the information system;
CM-3 c
(CCI-001741)
The organization documents configuration change decisions associated with the information system.
CM-3d. Implements approved configuration-controlled changes to the information system;
CM-3 d
(CCI-001819)
The organization implements approved configuration-controlled changes to the information system.
CM-3e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
CM-3 e
(CCI-000316)
The organization retains records of configuration-controlled changes to the information system for an organization-defined time period.
CM-3 e
(CCI-002056)
The organization defines the time period the records of configuration-controlled changes are to be retained.
CM-3f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
CM-3 f
(CCI-000318)
The organization audits and reviews activities associated with configuration-controlled changes to the system.
CM-3g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CM-3 g
(CCI-001586)
The organization defines the configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities.
CM-3 g
(CCI-000319)
The organization coordinates and provides oversight for configuration change control activities through an organization-defined configuration change control element (e.g., committee, board) that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions.
CM-3 g
(CCI-000320)
The organization defines the frequency with which to convene the configuration change control element.
CM-3 g
(CCI-000321)
The organization defines configuration change conditions that prompt the configuration change control element to convene.
AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
CM-3 (1) The organization employs automated mechanisms to:
CM-3 (1)(a) Document proposed changes to the information system;
CM-3 (1) (a)
(CCI-000322)
The organization employs automated mechanisms to document proposed changes to the information system.
CM-3 (1)(b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval;
CM-3 (1) (b)
(CCI-000323)
The organization employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval.
CM-3 (1) (b)
(CCI-001742)
The organization defines the approval authorities to be notified when proposed changes to the information system are received.
CM-3 (1)(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
CM-3 (1) (c)
(CCI-000324)
The organization employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by an organization-defined time period.
CM-3 (1) (c)
(CCI-001498)
The organization defines a time period after which proposed changes to the information system that have not been approved or disapproved are highlighted.
CM-3 (1)(d) Prohibit changes to the information system until designated approvals are received;
CM-3 (1) (d)
(CCI-000325)
The organization employs automated mechanisms to prohibit changes to the information system until designated approvals are received.
CM-3 (1)(e) Document all changes to the information system; and
CM-3 (1) (e)
(CCI-000326)
The organization employs automated mechanisms to document all changes to the information system.
CM-3 (1)(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
CM-3 (1) (f)
(CCI-002057)
The organization defines the personnel to be notified when approved changes to the information system are completed.
CM-3 (1) (f)
(CCI-002058)
The organization employs automated mechanisms to notify organization-defined personnel when approved changes to the information system are completed.
TEST / VALIDATE / DOCUMENT CHANGES
CM-3 (2) The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
CM-3 (2)
(CCI-000327)
The organization tests changes to the information system before implementing the changes on the operational system.
CM-3 (2)
(CCI-000328)
The organization validates changes to the information system before implementing the changes on the operational system.
CM-3 (2)
(CCI-000329)
The organization documents changes to the information system before implementing the changes on the operational system.
AUTOMATED CHANGE IMPLEMENTATION
CM-3 (3) The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
CM-3 (3)
(CCI-000330)
The organization employs automated mechanisms to implement changes to the current information system baseline.
CM-3 (3)
(CCI-000331)
The organization deploys the updated information system baseline across the installed base.
SECURITY REPRESENTATIVE
CM-3 (4) The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].
CM-3 (4)
(CCI-000332)
The organization requires an information security representative to be a member of the organization-defined configuration change control element.
AUTOMATED SECURITY RESPONSE
CM-3 (5) The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.
CM-3 (5)
(CCI-001743)
The organization defines the security responses to be automatically implemented by the information system if baseline configurations are changed in an unauthorized manner.
CM-3 (5)
(CCI-001744)
The information system implements organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner.
CRYPTOGRAPHY MANAGEMENT
CM-3 (6) The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.
CM-3 (6)
(CCI-001745)
The organization defines the security safeguards that are to be provided by the cryptographic mechanisms which are employed by the organization.
CM-3 (6)
(CCI-001746)
The organization ensures that cryptographic mechanisms used to provide organization-defined security safeguards are under configuration management.
CM-4 CONFIGURATION MANAGEMENT : SECURITY IMPACT ANALYSIS
CM-4 The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
CM-4
(CCI-000333)
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
SEPARATE TEST ENVIRONMENTS
CM-4 (1) The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
CM-4 (1)
(CCI-001817)
The organization, when analyzing changes to the information system, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
CM-4 (1)
(CCI-001818)
The organization analyzes changes to the information system in a separate test environment before installation in an operational environment.
VERIFICATION OF SECURITY FUNCTIONS
CM-4 (2) The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CM-4 (2)
(CCI-000335)
The organization, after the information system is changed, checks the security functions to verify the functions are implemented correctly.
CM-4 (2)
(CCI-000336)
The organization, after the information system is changed, checks the security functions to verify the functions are operating as intended.
CM-4 (2)
(CCI-000337)
The organization, after the information system is changed, checks the security functions to verify the functions are producing the desired outcome with regard to meeting the security requirements for the system.
CM-5 CONFIGURATION MANAGEMENT : ACCESS RESTRICTIONS FOR CHANGE
CM-5 The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CM-5
(CCI-000338)
The organization defines physical access restrictions associated with changes to the information system.
CM-5
(CCI-000339)
The organization documents physical access restrictions associated with changes to the information system.
CM-5
(CCI-000340)
The organization approves physical access restrictions associated with changes to the information system.
CM-5
(CCI-000341)
The organization enforces physical access restrictions associated with changes to the information system.
CM-5
(CCI-000342)
The organization defines logical access restrictions associated with changes to the information system.
CM-5
(CCI-000343)
The organization documents logical access restrictions associated with changes to the information system.
CM-5
(CCI-000344)
The organization approves logical access restrictions associated with changes to the information system.
CM-5
(CCI-000345)
The organization enforces logical access restrictions associated with changes to the information system.
AUTOMATED ACCESS ENFORCEMENT / AUDITING
CM-5 (1) The information system enforces access restrictions and supports auditing of the enforcement actions.
CM-5 (1)
(CCI-001813)
The information system enforces access restrictions.
CM-5 (1)
(CCI-001814)
The information system supports auditing of the enforcement actions.
REVIEW SYSTEM CHANGES
CM-5 (2) The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
CM-5 (2)
(CCI-000348)
The organization defines a frequency with which to conduct reviews of information system changes.
CM-5 (2)
(CCI-000349)
The organization reviews information system changes per organization-defined frequency to determine whether unauthorized changes have occurred.
CM-5 (2)
(CCI-000350)
The organization reviews information system changes upon organization-defined circumstances to determine whether unauthorized changes have occurred.
CM-5 (2)
(CCI-001826)
The organization defines the circumstances upon which the organization reviews the information system changes to determine whether unauthorized changes have occurred.
SIGNED COMPONENTS
CM-5 (3) The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
CM-5 (3)
(CCI-001747)
The organization defines critical software components the information system will prevent from being installed without verification the component has been digitally signed using a certificate that is recognized and approved by the organization.
CM-5 (3)
(CCI-001748)
The organization defines critical firmware components the information system will prevent from being installed without verification the component has been digitally signed using a certificate that is recognized and approved by the organization.
CM-5 (3)
(CCI-001749)
The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
CM-5 (3)
(CCI-001750)
The information system prevents the installation of organization-defined firmware components without verification the firmware component has been digitally signed using a certificate that is recognized and approved by the organization.
DUAL AUTHORIZATION
CM-5 (4) The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].
CM-5 (4)
(CCI-000353)
The organization defines information system components requiring enforcement of a dual authorization for information system changes.
CM-5 (4)
(CCI-000354)
The organization enforces dual authorization for changes to organization-defined information system components.
CM-5 (4)
(CCI-001751)
The organization defines system-level information requiring enforcement of a dual authorization for information system changes.
CM-5 (4)
(CCI-001752)
The organization enforces dual authorization for changes to organization-defined system-level information.
LIMIT PRODUCTION / OPERATIONAL PRIVILEGES
CM-5 (5) The organization:
CM-5 (5)(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
CM-5 (5) (a)
(CCI-001753)
The organization limits privileges to change information system components within a production or operational environment.
CM-5 (5) (a)
(CCI-001754)
The organization limits privileges to change system-related information within a production or operational environment.
CM-5 (5)(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
CM-5 (5) (b)
(CCI-001827)
The organization defines the frequency with which to review information system privileges.
CM-5 (5) (b)
(CCI-001828)
The organization defines the frequency with which to reevaluate information system privileges.
CM-5 (5) (b)
(CCI-001829)
The organization reviews information system privileges per an organization-defined frequency.
CM-5 (5) (b)
(CCI-001830)
The organization reevaluates information system privileges per an organization-defined frequency.
LIMIT LIBRARY PRIVILEGES
CM-5 (6) The organization limits privileges to change software resident within software libraries.
CM-5 (6)
(CCI-001499)
The organization limits privileges to change software resident within software libraries.
AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS
CM-5 (7) [Withdrawn: Incorporated into SI-7].
CM-6 CONFIGURATION MANAGEMENT : CONFIGURATION SETTINGS
CM-6 The organization:
CM-6a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
CM-6 a
(CCI-001588)
The organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements.
CM-6 a
(CCI-000363)
The organization defines security configuration checklists to be used to establish and document configuration settings for the information system technology products employed.
CM-6 a
(CCI-000364)
The organization establishes configuration settings for information technology products employed within the information system using organization-defined security configuration checklists.
CM-6 a
(CCI-000365)
The organization documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements.
CM-6b. Implements the configuration settings;
CM-6 b
(CCI-000366)
The organization implements the security configuration settings.
CM-6c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
CM-6 c
(CCI-000367)
The organization identifies any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
CM-6 c
(CCI-000368)
The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
CM-6 c
(CCI-000369)
The organization approves any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
CM-6 c
(CCI-001755)
The organization defines the information system components for which any deviations from the established configuration settings are to be identified, documented, and approved.
CM-6 c
(CCI-001756)
The organization defines the operational requirements on which the configuration settings for the organization-defined information system components are to be based.
CM-6d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CM-6 d
(CCI-001502)
The organization monitors changes to the configuration settings in accordance with organizational policies and procedures.
CM-6 d
(CCI-001503)
The organization controls changes to the configuration settings in accordance with organizational policies and procedures.
AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION
CM-6 (1) The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
CM-6 (1)
(CCI-000370)
The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components.
CM-6 (1)
(CCI-000371)
The organization employs automated mechanisms to centrally apply configuration settings for organization-defined information system components.
CM-6 (1)
(CCI-000372)
The organization employs automated mechanisms to centrally verify configuration settings for organization-defined information system components.
CM-6 (1)
(CCI-002059)
The organization defines the information system components for which the organization will employ automated mechanisms to centrally manage, apply, and verify configuration settings.
RESPOND TO UNAUTHORIZED CHANGES
CM-6 (2) The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
CM-6 (2)
(CCI-001757)
The organization defines the security safeguards the organization is to employ when responding to unauthorized changes to the organization-defined configuration settings.
CM-6 (2)
(CCI-001758)
The organization defines configuration settings for which the organization will employ organization-defined security safeguards in response to unauthorized changes.
CM-6 (2)
(CCI-001759)
The organization employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings.
UNAUTHORIZED CHANGE DETECTION
CM-6 (3) [Withdrawn: Incorporated into SI-7].
CONFORMANCE DEMONSTRATION
CM-6 (4) [Withdrawn: Incorporated into CM-4].
CM-7 CONFIGURATION MANAGEMENT : LEAST FUNCTIONALITY
CM-7 The organization:
CM-7a. Configures the information system to provide only essential capabilities; and
CM-7 a
(CCI-000381)
The organization configures the information system to provide only essential capabilities.
CM-7b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
CM-7 b
(CCI-000380)
The organization defines prohibited or restricted functions, ports, protocols, and/or services for the information system.
CM-7 b
(CCI-000382)
The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
PERIODIC REVIEW
CM-7 (1) The organization:
CM-7 (1)(a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
CM-7 (1) (a)
(CCI-000384)
The organization reviews the information system per organization-defined frequency to identify unnecessary and nonsecure functions, ports, protocols, and services.
CM-7 (1) (a)
(CCI-001760)
The organization defines the frequency of information system reviews to identify unnecessary and/or nonsecure functions, ports, protocols, and services.
CM-7 (1)(b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
CM-7 (1) (b)
(CCI-001761)
The organization defines the functions, ports, protocols, and services within the information system that are to be disabled when deemed unnecessary and/or nonsecure.
CM-7 (1) (b)
(CCI-001762)
The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
PREVENT PROGRAM EXECUTION
CM-7 (2) The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
CM-7 (2)
(CCI-001592)
The organization defines the rules authorizing the terms and conditions of software program usage on the information system.
CM-7 (2)
(CCI-001763)
The organization defines the policies regarding software program usage and restrictions.
CM-7 (2)
(CCI-001764)
The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
REGISTRATION COMPLIANCE
CM-7 (3) The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
CM-7 (3)
(CCI-000387)
The organization defines registration requirements for functions, ports, protocols, and services.
CM-7 (3)
(CCI-000388)
The organization ensures compliance with organization-defined registration requirements for functions, ports, protocols, and services.
UNAUTHORIZED SOFTWARE / BLACKLISTING
CM-7 (4) The organization:
CM-7 (4)(a) Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
CM-7 (4) (a)
(CCI-001765)
The organization defines the software programs not authorized to execute on the information system.
CM-7 (4) (a)
(CCI-001766)
The organization identifies the organization-defined software programs not authorized to execute on the information system.
CM-7 (4)(b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
CM-7 (4) (b)
(CCI-001767)
The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system.
CM-7 (4)(c) Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
CM-7 (4) (c)
(CCI-001768)
The organization defines the frequency on which it will review and update the list of unauthorized software programs.
CM-7 (4) (c)
(CCI-001769)
The organization defines the frequency on which it will update the list of unauthorized software programs.
CM-7 (4) (c)
(CCI-001770)
The organization reviews and updates the list of unauthorized software programs per organization-defined frequency.
CM-7 (4) (c)
(CCI-001771)
The organization updates the list of unauthorized software programs per organization-defined frequency.
AUTHORIZED SOFTWARE / WHITELISTING
CM-7 (5) The organization:
CM-7 (5)(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
CM-7 (5) (a)
(CCI-001772)
The organization defines the software programs authorized to execute on the information system.
CM-7 (5) (a)
(CCI-001773)
The organization identifies the organization-defined software programs authorized to execute on the information system.
CM-7 (5)(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
CM-7 (5) (b)
(CCI-001774)
The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system.
CM-7 (5)(c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
CM-7 (5) (c)
(CCI-001775)
The organization defines the frequency on which it will review and update the list of authorized software programs.
CM-7 (5) (c)
(CCI-001776)
The organization defines the frequency on which it will update the list of authorized software programs.
CM-7 (5) (c)
(CCI-001777)
The organization reviews and updates the list of authorized software programs per organization-defined frequency.
CM-7 (5) (c)
(CCI-001778)
The organization updates the list of authorized software programs per organization-defined frequency.
CM-8 CONFIGURATION MANAGEMENT : INFORMATION SYSTEM COMPONENT INVENTORY
CM-8 The organization:
CM-8a. Develops and documents an inventory of information system components that:
CM-8a.1. Accurately reflects the current information system;
CM-8 a 1
(CCI-000389)
The organization develops an inventory of information system components that accurately reflects the current information system.
CM-8 a 1
(CCI-000390)
The organization documents an inventory of information system components that accurately reflects the current information system.
CM-8a.2. Includes all components within the authorization boundary of the information system;
CM-8 a 2
(CCI-000392)
The organization develops an inventory of information system components that includes all components within the authorization boundary of the information system.
CM-8 a 2
(CCI-000393)
The organization documents an inventory of information system components that includes all components within the authorization boundary of the information system.
CM-8a.3. Is at the level of granularity deemed necessary for tracking and reporting; and
CM-8 a 3
(CCI-000395)
The organization develops an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.
CM-8 a 3
(CCI-000396)
The organization documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.
CM-8a.4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
CM-8 a 4
(CCI-000398)
The organization defines information deemed necessary to achieve effective information system component accountability.
CM-8 a 4
(CCI-000399)
The organization develops an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability.
CM-8 a 4
(CCI-000400)
The organization documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability.
CM-8b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
CM-8 b
(CCI-001779)
The organization defines the frequency on which the information system component inventory is to be reviewed and updated.
CM-8 b
(CCI-001780)
The organization reviews and updates the information system component inventory per organization-defined frequency.
CM-8 b
(CCI-001781)
The organization defines the frequency on which the information system component inventory is to be updated.
CM-8 b
(CCI-001782)
The organization updates the information system component inventory per organization-defined frequency.
UPDATES DURING INSTALLATIONS / REMOVALS
CM-8 (1) The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
CM-8 (1)
(CCI-000408)
The organization updates the inventory of information system components as an integral part of component installations.
CM-8 (1)
(CCI-000409)
The organization updates the inventory of information system components as an integral part of component removals.
CM-8 (1)
(CCI-000410)
The organization updates the inventory of information system components as an integral part of information system updates.
AUTOMATED MAINTENANCE
CM-8 (2) The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
CM-8 (2)
(CCI-000411)
The organization employs automated mechanisms to help maintain an up-to-date inventory of information system components.
CM-8 (2)
(CCI-000412)
The organization employs automated mechanisms to help maintain a complete inventory of information system components.
CM-8 (2)
(CCI-000413)
The organization employs automated mechanisms to help maintain an accurate inventory of information system components.
CM-8 (2)
(CCI-000414)
The organization employs automated mechanisms to help maintain a readily available inventory of information system components.
AUTOMATED UNAUTHORIZED COMPONENT DETECTION
CM-8 (3) The organization:
CM-8 (3)(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
CM-8 (3) (a)
(CCI-000415)
The organization defines the frequency of employing automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system.
CM-8 (3) (a)
(CCI-000416)
The organization employs automated mechanisms, per organization-defined frequency, to detect the presence of unauthorized hardware, software, and firmware components within the information system.
CM-8 (3)(b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
CM-8 (3) (b)
(CCI-001783)
The organization defines the personnel or roles to be notified when unauthorized hardware, software, and firmware components are detected within the information system.
CM-8 (3) (b)
(CCI-001784)
When unauthorized hardware, software, and firmware components are detected within the information system, the organization takes action to disable network access by such components, isolates the components, and/or notifies organization-defined personnel or roles.
ACCOUNTABILITY INFORMATION
CM-8 (4) The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.
CM-8 (4)
(CCI-000418)
The organization includes, in the information system component inventory information, a means for identifying by name, position, and/or role, individuals responsible/accountable for administering those components.
NO DUPLICATE ACCOUNTING OF COMPONENTS
CM-8 (5) The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.
CM-8 (5)
(CCI-000419)
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.
ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS
CM-8 (6) The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
CM-8 (6)
(CCI-000420)
The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
CENTRALIZED REPOSITORY
CM-8 (7) The organization provides a centralized repository for the inventory of information system components.
CM-8 (7)
(CCI-001785)
The organization provides a centralized repository for the inventory of information system components.
AUTOMATED LOCATION TRACKING
CM-8 (8) The organization employs automated mechanisms to support tracking of information system components by geographic location.
CM-8 (8)
(CCI-001786)
The organization employs automated mechanisms to support tracking of information system components by geographic location.
ASSIGNMENT OF COMPONENTS TO SYSTEMS
CM-8 (9) The organization:
CM-8 (9)(a) Assigns [Assignment: organization-defined acquired information system components] to an information system; and
CM-8 (9) (a)
(CCI-001787)
The organization defines the acquired information system components that are to be assigned to an information system.
CM-8 (9) (a)
(CCI-001788)
The organization assigns organization-defined acquired information system components to an information system.
CM-8 (9)(b) Receives an acknowledgement from the information system owner of this assignment.
CM-8 (9) (b)
(CCI-001789)
The organization receives an acknowledgement from the information system owner of the assignment of the acquired information system components to an information system.
CM-9 CONFIGURATION MANAGEMENT : CONFIGURATION MANAGEMENT PLAN
CM-9 The organization develops, documents, and implements a configuration management plan for the information system that:
CM-9a. Addresses roles, responsibilities, and configuration management processes and procedures;
CM-9 a
(CCI-000421)
The organization develops a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.
CM-9 a
(CCI-000422)
The organization documents a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.
CM-9 a
(CCI-000423)
The organization implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.
CM-9b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
CM-9 b
(CCI-001790)
The organization develops a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle.
CM-9 b
(CCI-001791)
The organization documents a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle.
CM-9 b
(CCI-001792)
The organization implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle.
CM-9 b
(CCI-001793)
The organization develops a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CM-9 b
(CCI-001794)
The organization documents a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CM-9 b
(CCI-001795)
The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.
CM-9c. Defines the configuration items for the information system and places the configuration items under configuration management; and
CM-9 c
(CCI-000424)
The organization develops a configuration management plan for the information system that defines the configuration items for the information system.
CM-9 c
(CCI-000425)
The organization documents a configuration management plan for the information system that defines the configuration items for the information system.
CM-9 c
(CCI-000426)
The organization implements a configuration management plan for the information system that defines the configuration items for the information system.
CM-9 c
(CCI-001796)
The organization develops a configuration management plan for the information system that places the configuration items under configuration management.
CM-9 c
(CCI-001797)
The organization documents a configuration management plan for the information system that places the configuration items under configuration management.
CM-9 c
(CCI-001798)
The organization implements a configuration management plan for the information system that places the configuration items under configuration management.
CM-9d. Protects the configuration management plan from unauthorized disclosure and modification.
CM-9 d
(CCI-001799)
The organization develops and documents a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification.
CM-9 d
(CCI-001800)
The organization documents a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification.
CM-9 d
(CCI-001801)
The organization implements a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification.
ASSIGNMENT OF RESPONSIBILITY
CM-9 (1) The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.
CM-9 (1)
(CCI-000436)
The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.
CM-10 CONFIGURATION MANAGEMENT : SOFTWARE USAGE RESTRICTIONS
CM-10 The organization:
CM-10a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
CM-10 a
(CCI-001726)
The organization uses software in accordance with contract agreements.
CM-10 a
(CCI-001727)
The organization uses software documentation in accordance with contract agreements.
CM-10 a
(CCI-001728)
The organization uses software in accordance with copyright laws.
CM-10 a
(CCI-001729)
The organization uses software documentation in accordance with copyright laws.
CM-10b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
CM-10 b
(CCI-001730)
The organization tracks the use of software protected by quantity licenses to control copying of the software.
CM-10 b
(CCI-001731)
The organization tracks the use of software documentation protected by quantity licenses to control distribution of the software documentation.
CM-10 b
(CCI-001802)
The organization tracks the use of software documentation protected by quantity licenses to control copying of the software documentation.
CM-10 b
(CCI-001803)
The organization tracks the use of software protected by quantity licenses to control distribution of the software.
CM-10c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CM-10 c
(CCI-001732)
The organization controls the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CM-10 c
(CCI-001733)
The organization documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
OPEN SOURCE SOFTWARE
CM-10 (1) The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions].
CM-10 (1)
(CCI-001734)
The organization defines the restrictions to be followed on the use of open source software.
CM-10 (1)
(CCI-001735)
The organization establishes organization-defined restrictions on the use of open source software.
CM-11 CONFIGURATION MANAGEMENT : USER-INSTALLED SOFTWARE
CM-11 The organization:
CM-11a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
CM-11 a
(CCI-001804)
The organization defines the policies for governing the installation of software by users.
CM-11 a
(CCI-001805)
The organization establishes organization-defined policies governing the installation of software by users.
CM-11b. Enforces software installation policies through [Assignment: organization-defined methods]; and
CM-11 b
(CCI-001806)
The organization defines methods to be employed to enforce the software installation policies.
CM-11 b
(CCI-001807)
The organization enforces software installation policies through organization-defined methods.
CM-11c. Monitors policy compliance at [Assignment: organization-defined frequency].
CM-11 c
(CCI-001808)
The organization defines the frequency on which it will monitor software installation policy compliance.
CM-11 c
(CCI-001809)
The organization monitors software installation policy compliance per an organization-defined frequency.
ALERTS FOR UNAUTHORIZED INSTALLATIONS
CM-11 (1) The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.
CM-11 (1)
(CCI-001810)
The organization defines the personnel or roles to be notified when unauthorized software is detected.
CM-11 (1)
(CCI-001811)
The information system alerts organization-defined personnel or roles when the unauthorized installation of software is detected.
PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS
CM-11 (2) The information system prohibits user installation of software without explicit privileged status.
CM-11 (2)
(CCI-001812)
The information system prohibits user installation of software without explicit privileged status.
CP-1 CONTINGENCY PLANNING : CONTINGENCY PLANNING POLICY AND PROCEDURES
CP-1 The organization:
CP-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
CP-1a.1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
CP-1 a 1
(CCI-000438)
The organization develops and documents a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CP-1 a 1
(CCI-000439)
The organization disseminates a contingency planning policy to organization-defined personnel or roles.
CP-1 a 1
(CCI-002825)
The organization defines personnel or roles to whom the contingency planning policy is to be disseminated.
CP-1a.2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
CP-1 a 2
(CCI-001597)
The organization disseminates contingency planning procedures to organization-defined personnel or roles.
CP-1 a 2
(CCI-000441)
The organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
CP-1 a 2
(CCI-002826)
The organization defines personnel or roles to whom the contingency planning procedures are disseminated.
CP-1b. Reviews and updates the current:
CP-1b.1. Contingency planning policy [Assignment: organization-defined frequency]; and
CP-1 b 1
(CCI-000437)
The organization defines the frequency with which to review and update the current contingency planning policy.
CP-1 b 1
(CCI-000440)
The organization reviews and updates the current contingency planning policy in accordance with an organization-defined frequency.
CP-1b.2. Contingency planning procedures [Assignment: organization-defined frequency].
CP-1 b 2
(CCI-001596)
The organization defines the frequency with which to review and update the current contingency planning procedures.
CP-1 b 2
(CCI-001598)
The organization reviews and updates the current contingency planning procedures in accordance with the organization-defined frequency.
CP-2 CONTINGENCY PLANNING : CONTINGENCY PLAN
CP-2 The organization:
CP-2a. Develops a contingency plan for the information system that:
CP-2a.1. Identifies essential missions and business functions and associated contingency requirements;
CP-2 a 1
(CCI-000443)
The organization develops a contingency plan for the information system that identifies essential missions.
CP-2 a 1
(CCI-000444)
The organization develops a contingency plan for the information system that identifies essential business functions.
CP-2 a 1
(CCI-000445)
The organization develops a contingency plan for the information system that identifies associated contingency requirements.
CP-2a.2. Provides recovery objectives, restoration priorities, and metrics;
CP-2 a 2
(CCI-000446)
The organization develops a contingency plan for the information system that provides recovery objectives.
CP-2 a 2
(CCI-000447)
The organization develops a contingency plan for the information system that provides restoration priorities.
CP-2 a 2
(CCI-000448)
The organization develops a contingency plan for the information system that provides metrics.
CP-2a.3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
CP-2 a 3
(CCI-000449)
The organization develops a contingency plan for the information system that addresses contingency roles, responsibilities, assigned individuals with contact information.
CP-2a.4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
CP-2 a 4
(CCI-000450)
The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system disruption.
CP-2 a 4
(CCI-000451)
The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system disruption.
CP-2 a 4
(CCI-000452)
The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system compromise.
CP-2 a 4
(CCI-000453)
The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system compromise.
CP-2 a 4
(CCI-000454)
The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system failure.
CP-2 a 4
(CCI-000455)
The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system failure.
CP-2a.5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
CP-2 a 5
(CCI-000456)
The organization develops a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented.
CP-2a.6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
CP-2 a 6
(CCI-000457)
The organization develops a contingency plan for the information system that is reviewed and approved by organization-defined personnel or roles.
CP-2 a 6
(CCI-002830)
The organization defines the personnel or roles who review and approve the contingency plan for the information system.
CP-2b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
CP-2 b
(CCI-000458)
The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements designated to receive copies of the contingency plan.
CP-2 b
(CCI-000459)
The organization distributes copies of the contingency plan to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements.
CP-2c. Coordinates contingency planning activities with incident handling activities;
CP-2 c
(CCI-000460)
The organization coordinates contingency planning activities with incident handling activities.
CP-2d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
CP-2 d
(CCI-000461)
The organization defines the frequency with which to review the contingency plan for the information system.
CP-2 d
(CCI-000462)
The organization reviews the contingency plan for the information system in accordance with organization-defined frequency.
CP-2e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
CP-2 e
(CCI-000463)
The organization updates the contingency plan to address changes to the organization.
CP-2 e
(CCI-000464)
The organization updates the contingency plan to address changes to the information system.
CP-2 e
(CCI-000465)
The organization updates the contingency plan to address changes to the environment of operation.
CP-2 e
(CCI-000466)
The organization updates the contingency plan to address problems encountered during contingency plan implementation, execution, or testing.
CP-2f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
CP-2 f
(CCI-000468)
The organization communicates contingency plan changes to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements.
CP-2 f
(CCI-002831)
The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated.
CP-2g. Protects the contingency plan from unauthorized disclosure and modification.
CP-2 g
(CCI-002832)
The organization protects the contingency plan from unauthorized disclosure and modification.
COORDINATE WITH RELATED PLANS
CP-2 (1) The organization coordinates contingency plan development with organizational elements responsible for related plans.
CP-2 (1)
(CCI-000469)
The organization coordinates contingency plan development with organizational elements responsible for related plans.
CAPACITY PLANNING
CP-2 (2) The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CP-2 (2)
(CCI-000470)
The organization conducts capacity planning so that necessary capacity for information processing exists during contingency operations.
CP-2 (2)
(CCI-000471)
The organization conducts capacity planning so that necessary capacity for telecommunications exists during contingency operations.
CP-2 (2)
(CCI-000472)
The organization conducts capacity planning so that necessary capacity for environmental support exists during contingency operations.
RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
CP-2 (3) The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CP-2 (3)
(CCI-000473)
The organization defines the time period for planning the resumption of essential missions as a result of contingency plan activation.
CP-2 (3)
(CCI-000474)
The organization defines the time period for planning the resumption of essential business functions as a result of contingency plan activation.
CP-2 (3)
(CCI-000475)
The organization plans for the resumption of essential missions within the organization-defined time period of contingency plan activation.
CP-2 (3)
(CCI-000476)
The organization plans for the resumption of essential business functions within the organization-defined time period of contingency plan activation.
RESUME ALL MISSIONS / BUSINESS FUNCTIONS
CP-2 (4) The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CP-2 (4)
(CCI-000477)
The organization defines the time period for planning the resumption of all missions as a result of contingency plan activation.
CP-2 (4)
(CCI-000478)
The organization defines the time period for planning the resumption of all business functions as a result of contingency plan activation.
CP-2 (4)
(CCI-000479)
The organization plans for the resumption of all missions within an organization-defined time period of contingency plan activation.
CP-2 (4)
(CCI-000480)
The organization plans for the resumption of all business functions within an organization-defined time period of contingency plan activation.
CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
CP-2 (5) The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
CP-2 (5)
(CCI-001599)
The organization sustains operational continuity of essential missions until full information system restoration at primary processing and/or storage sites.
CP-2 (5)
(CCI-001600)
The organization sustains operational continuity of essential business functions until full information system restoration at primary processing and/or storage sites.
CP-2 (5)
(CCI-000481)
The organization plans for the continuance of essential missions with little or no loss of operational continuity.
CP-2 (5)
(CCI-000482)
The organization plans for the continuance of essential business functions with little or no loss of operational continuity.
ALTERNATE PROCESSING / STORAGE SITE
CP-2 (6) The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
CP-2 (6)
(CCI-001601)
The organization sustains operational continuity of essential missions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites.
CP-2 (6)
(CCI-001602)
The organization sustains operational continuity of essential business functions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites.
CP-2 (6)
(CCI-000483)
The organization plans for the transfer of essential missions to alternate processing and/or storage sites with little or no loss of operational continuity.
CP-2 (6)
(CCI-000484)
The organization plans for the transfer of essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity.
COORDINATE WITH EXTERNAL SERVICE PROVIDERS
CP-2 (7) The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
CP-2 (7)
(CCI-002827)
The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
IDENTIFY CRITICAL ASSETS
CP-2 (8) The organization identifies critical information system assets supporting essential missions and business functions.
CP-2 (8)
(CCI-002828)
The organization identifies critical information system assets supporting essential missions.
CP-2 (8)
(CCI-002829)
The organization identifies critical information system assets supporting essential business functions.
CP-3 CONTINGENCY PLANNING : CONTINGENCY TRAINING
CP-3 The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
CP-3a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
CP-3 a
(CCI-000486)
The organization provides contingency training to information system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming a contingency role or responsibility.
CP-3 a
(CCI-002833)
The organization defines the time period within which contingency training is to be provided to information system users, consistent with assigned roles and responsibilities, after they assume a contingency role or responsibility.
CP-3b. When required by information system changes; and
CP-3 b
(CCI-002834)
The organization provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes.
CP-3c. [Assignment: organization-defined frequency] thereafter.
CP-3 c
(CCI-000485)
The organization defines the frequency of refresher contingency training to information system users.
CP-3 c
(CCI-000487)
The organization provides refresher contingency training to information system users consistent with assigned roles and responsibilities in accordance with organization-defined frequency.
SIMULATED EVENTS
CP-3 (1) The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
CP-3 (1)
(CCI-000488)
The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
AUTOMATED TRAINING ENVIRONMENTS
CP-3 (2) The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.
CP-3 (2)
(CCI-000489)
The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.
CP-4 CONTINGENCY PLANNING : CONTINGENCY PLAN TESTING
CP-4 The organization:
CP-4a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
CP-4 a
(CCI-000490)
The organization defines the frequency with which to test the contingency plan for the information system.
CP-4 a
(CCI-000492)
The organization defines contingency plan tests to be conducted for the information system.
CP-4 a
(CCI-000494)
The organization tests the contingency plan for the information system in accordance with organization-defined frequency using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan.
CP-4b. Reviews the contingency plan test results; and
CP-4 b
(CCI-000496)
The organization reviews the contingency plan test results.
CP-4c. Initiates corrective actions, if needed.
CP-4 c
(CCI-000497)
The organization initiates corrective actions, if needed, after reviewing the contingency plan test results.
COORDINATE WITH RELATED PLANS
CP-4 (1) The organization coordinates contingency plan testing with organizational elements responsible for related plans.
CP-4 (1)
(CCI-000498)
The organization coordinates contingency plan testing with organizational elements responsible for related plans.
ALTERNATE PROCESSING SITE
CP-4 (2) The organization tests the contingency plan at the alternate processing site:
CP-4 (2)(a) To familiarize contingency personnel with the facility and available resources; and
CP-4 (2) (a)
(CCI-000500)
The organization tests the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources.
CP-4 (2)(b) To evaluate the capabilities of the alternate processing site to support contingency operations.
CP-4 (2) (b)
(CCI-002835)
The organization tests the contingency plan at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.
AUTOMATED TESTING
CP-4 (3) The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
CP-4 (3)
(CCI-000502)
The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan.
FULL RECOVERY / RECONSTITUTION
CP-4 (4) The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.
CP-5 CONTINGENCY PLANNING : CONTINGENCY PLAN UPDATE
CP-5 [Withdrawn: Incorporated into CP-2].
CP-6 CONTINGENCY PLANNING : ALTERNATE STORAGE SITE
CP-6 The organization:
CP-6a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
CP-6 a
(CCI-000505)
The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information.
CP-6b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
CP-6 b
(CCI-002836)
The organization ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
SEPARATION FROM PRIMARY SITE
CP-6 (1) The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
CP-6 (1)
(CCI-000507)
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
RECOVERY TIME / POINT OBJECTIVES
CP-6 (2) The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
CP-6 (2)
(CCI-000508)
The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
ACCESSIBILITY
CP-6 (3) The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-6 (3)
(CCI-001604)
The organization outlines explicit mitigation actions for organization-identified accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.
CP-6 (3)
(CCI-000509)
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.
CP-7 CONTINGENCY PLANNING : ALTERNATE PROCESSING SITE
CP-7 The organization:
CP-7a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
CP-7 a
(CCI-000510)
The organization defines the time period consistent with recovery time and recovery point objectives for essential missions/business functions to permit the transfer and resumption of organization-defined information system operations at an alternate processing site when the primary processing capabilities are unavailable.
CP-7 a
(CCI-000513)
The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable.
CP-7 a
(CCI-000514)
The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable.
CP-7 a
(CCI-002839)
The organization defines information system operations that are permitted to transfer and resume at an alternate processing site for essential missions/business functions when the primary processing capabilities are unavailable.
CP-7b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
CP-7 b
(CCI-000515)
The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption.
CP-7c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CP-7 c
(CCI-000521)
The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
SEPARATION FROM PRIMARY SITE
CP-7 (1) The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
CP-7 (1)
(CCI-000516)
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
ACCESSIBILITY
CP-7 (2) The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7 (2)
(CCI-001606)
The organization outlines explicit mitigation actions for organization-identified potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.
CP-7 (2)
(CCI-000517)
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.
PRIORITY OF SERVICE
CP-7 (3) The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).
CP-7 (3)
(CCI-000518)
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organizational availability requirements (including recovery time objectives).
PREPARATION FOR USE
CP-7 (4) The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.
CP-7 (4)
(CCI-000519)
The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential missions.
CP-7 (4)
(CCI-000520)
The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential business functions.
EQUIVALENT INFORMATION SECURITY SAFEGUARDS
CP-7 (5) [Withdrawn: Incorporated into CP-7].
INABILITY TO RETURN TO PRIMARY SITE
CP-7 (6) The organization plans and prepares for circumstances that preclude returning to the primary processing site.
CP-7 (6)
(CCI-002837)
The organization plans for circumstances that preclude returning to the primary processing site.
CP-7 (6)
(CCI-002838)
The organization prepares for circumstances that preclude returning to the primary processing site.
CP-8 CONTINGENCY PLANNING : TELECOMMUNICATIONS SERVICES
CP-8 The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8
(CCI-000522)
The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential missions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8
(CCI-000523)
The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential business functions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8
(CCI-000524)
The organization establishes alternate telecommunication services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8
(CCI-000525)
The organization establishes alternate telecommunication services including necessary agreements to permit the resumption of organization-defined information system operations for essential business functions within an organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8
(CCI-002840)
The organization defines the information system operations to be resumed for essential missions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8
(CCI-002841)
The organization defines the information system operations to be resumed for essential business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
PRIORITY OF SERVICE PROVISIONS
CP-8 (1) The organization:
CP-8 (1)(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
CP-8 (1) (a)
(CCI-000526)
The organization develops primary telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements (including recovery time objectives).
CP-8 (1) (a)
(CCI-000527)
The organization develops alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization's availability requirements (including recovery time objectives).
CP-8 (1)(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CP-8 (1) (b)
(CCI-000528)
The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary telecommunications services are provided by a common carrier.
CP-8 (1) (b)
(CCI-000529)
The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the alternate telecommunications services are provided by a common carrier.
SINGLE POINTS OF FAILURE
CP-8 (2) The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
CP-8 (2)
(CCI-000530)
The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
SEPARATION OF PRIMARY / ALTERNATE PROVIDERS
CP-8 (3) The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
CP-8 (3)
(CCI-000531)
The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
PROVIDER CONTINGENCY PLAN
CP-8 (4) The organization:
CP-8 (4)(a) Requires primary and alternate telecommunications service providers to have contingency plans;
CP-8 (4) (a)
(CCI-000532)
The organization requires primary telecommunications service providers to have contingency plans.
CP-8 (4) (a)
(CCI-000533)
The organization requires alternate telecommunications service providers to have contingency plans.
CP-8 (4)(b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and
CP-8 (4) (b)
(CCI-002842)
The organization reviews provider contingency plans to ensure that the plans meet organizational contingency requirements.
CP-8 (4)(c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
ALTERNATE TELECOMMUNICATION SERVICE TESTING
CP-8 (5) The organization tests alternate telecommunication services [Assignment: organization-defined frequency].
CP-8 (5)
(CCI-002847)
The organization defines the frequency with which to test alternate telecommunication services.
CP-8 (5)
(CCI-002848)
The organization tests alternate telecommunication services per organization-defined frequency.
CP-9 CONTINGENCY PLANNING : INFORMATION SYSTEM BACKUP
CP-9 The organization:
CP-9a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
CP-9b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
CP-9c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
CP-9d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
TESTING FOR RELIABILITY / INTEGRITY
CP-9 (1) The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
CP-9 (1)
(CCI-000541)
The organization defines the frequency with which to test backup information to verify media reliability and information integrity.
CP-9 (1)
(CCI-000542)
The organization tests backup information per an organization-defined frequency to verify media reliability and information integrity.
TEST RESTORATION USING SAMPLING
CP-9 (2) The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
CP-9 (2)
(CCI-000543)
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
SEPARATE STORAGE FOR CRITICAL INFORMATION
CP-9 (3) The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
CP-9 (3)
(CCI-002849)
The organization defines critical information system software and other security-related information, of which backup copies must be stored in a separate facility or in a fire-rated container.
CP-9 (3)
(CCI-002850)
The organization stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system.
PROTECTION FROM UNAUTHORIZED MODIFICATION
CP-9 (4) [Withdrawn: Incorporated into CP-9].
TRANSFER TO ALTERNATE STORAGE SITE
CP-9 (5) The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
CP-9 (5)
(CCI-000547)
The organization defines the time period and transfer rate of the information system backup information to the alternate storage site consistent with the recovery time and recovery point objectives.
CP-9 (5)
(CCI-000548)
The organization transfers information system backup information to the alternate storage site in accordance with the organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives.
REDUNDANT SECONDARY SYSTEM
CP-9 (6) The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CP-9 (6)
(CCI-001609)
The organization can activate the redundant secondary information system that is not collocated with the primary system without loss of information or disruption to operations.
CP-9 (6)
(CCI-000549)
The organization maintains a redundant secondary information system that is not collocated with the primary system.
DUAL AUTHORIZATION
CP-9 (7) The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].
CP-9 (7)
(CCI-002851)
The organization defines the backup information that requires dual authorization for deletion or destruction.
CP-9 (7)
(CCI-002852)
The organization enforces dual authorization for the deletion or destruction of organization-defined backup information.
CP-10 CONTINGENCY PLANNING : INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CP-10 The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
CP-10
(CCI-000550)
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption.
CP-10
(CCI-000551)
The organization provides for the recovery and reconstitution of the information system to a known state after a compromise.
CP-10
(CCI-000552)
The organization provides for the recovery and reconstitution of the information system to a known state after a failure.
CONTINGENCY PLAN TESTING
CP-10 (1) [Withdrawn: Incorporated into CP-4].
TRANSACTION RECOVERY
CP-10 (2) The information system implements transaction recovery for systems that are transaction-based.
CP-10 (2)
(CCI-000553)
The information system implements transaction recovery for systems that are transaction-based.
COMPENSATING SECURITY CONTROLS
CP-10 (3) [Withdrawn: Addressed through tailoring procedures].
RESTORE WITHIN TIME PERIOD
CP-10 (4) The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
CP-10 (4)
(CCI-000556)
The organization defines restoration time periods within which to restore information system components from configuration-controlled and integrity-protected information representing a known, operational state for the components.
CP-10 (4)
(CCI-000557)
The organization provides the capability to restore information system components within organization-defined restoration time periods from configuration-controlled and integrity-protected information representing a known, operational state for the components.
FAILOVER CAPABILITY
CP-10 (5) [Withdrawn: Incorporated into SI-13].
COMPONENT PROTECTION
CP-10 (6) The organization protects backup and restoration hardware, firmware, and software.
CP-10 (6)
(CCI-000560)
The organization protects backup and restoration hardware.
CP-10 (6)
(CCI-000561)
The organization protects backup and restoration firmware.
CP-10 (6)
(CCI-000562)
The organization protects backup and restoration software.
CP-11 CONTINGENCY PLANNING : ALTERNATE COMMUNICATIONS PROTOCOLS
CP-11 The information system provides the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.
CP-11
(CCI-002853)
The information system provides the capability to employ organization-defined alternative communications protocols in support of maintaining continuity of operations.
CP-11
(CCI-002854)
The organization defines the alternative communications protocols the information system must be capable of providing in support of maintaining continuity of operations.
CP-12 CONTINGENCY PLANNING : SAFE MODE
CP-12 The information system, when [Assignment: organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].
CP-12
(CCI-002855)
The information system, when organization-defined conditions are detected, enters a safe mode of operation with organization-defined restrictions of safe mode of operation.
CP-12
(CCI-002856)
The organization defines the conditions that, when detected, the information system enters a safe mode of operation with organization-defined restrictions of safe mode of operation.
CP-12
(CCI-002857)
The organization defines the restrictions of the safe mode of operation that the information system will enter when organization-defined conditions are detected.
CP-13 CONTINGENCY PLANNING : ALTERNATIVE SECURITY MECHANISMS
CP-13 The organization employs [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.
CP-13
(CCI-002858)
The organization employs organization-defined alternative or supplemental security mechanisms for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.
CP-13
(CCI-002859)
The organization defines the alternative or supplemental security mechanisms that will be employed for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.
CP-13
(CCI-002860)
The organization defines the security functions that must be satisfied when the primary means of implementing the security function is unavailable or compromised.
IA-1 IDENTIFICATION AND AUTHENTICATION : IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-1 The organization:
IA-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
IA-1a.1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
IA-1 a 1
(CCI-000756)
The organization develops an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
IA-1 a 1
(CCI-000757)
The organization disseminates to organization-defined personnel or roles an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
IA-1 a 1
(CCI-001932)
The organization documents an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
IA-1 a 1
(CCI-001933)
The organization defines the personnel or roles to be recipients of the identification and authentication policy and the procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
IA-1a.2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
IA-1 a 2
(CCI-000760)
The organization develops procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
IA-1 a 2
(CCI-000761)
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
IA-1 a 2
(CCI-001934)
The organization documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
IA-1b. Reviews and updates the current:
IA-1b.1. Identification and authentication policy [Assignment: organization-defined frequency]; and
IA-1 b 1
(CCI-000758)
The organization reviews and updates identification and authentication policy in accordance with the organization-defined frequency.
IA-1 b 1
(CCI-000759)
The organization defines a frequency for reviewing and updating the identification and authentication policy.
IA-1b.2. Identification and authentication procedures [Assignment: organization-defined frequency].
IA-1 b 2
(CCI-000762)
The organization reviews and updates identification and authentication procedures in accordance with the organization-defined frequency.
IA-1 b 2
(CCI-000763)
The organization defines a frequency for reviewing and updating the identification and authentication procedures.
IA-2 IDENTIFICATION AND AUTHENTICATION : IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-2 The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
IA-2
(CCI-000764)
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
NETWORK ACCESS TO PRIVILEGED ACCOUNTS
IA-2 (1) The information system implements multifactor authentication for network access to privileged accounts.
IA-2 (1)
(CCI-000765)
The information system implements multifactor authentication for network access to privileged accounts.
NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS
IA-2 (2) The information system implements multifactor authentication for network access to non-privileged accounts.
IA-2 (2)
(CCI-000766)
The information system implements multifactor authentication for network access to non-privileged accounts.
LOCAL ACCESS TO PRIVILEGED ACCOUNTS
IA-2 (3) The information system implements multifactor authentication for local access to privileged accounts.
IA-2 (3)
(CCI-000767)
The information system implements multifactor authentication for local access to privileged accounts.
LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS
IA-2 (4) The information system implements multifactor authentication for local access to non-privileged accounts.
IA-2 (4)
(CCI-000768)
The information system implements multifactor authentication for local access to non-privileged accounts.
GROUP AUTHENTICATION
IA-2 (5) The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
IA-2 (5)
(CCI-000770)
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
NETWORK ACCESS TO PRIVILEGED ACCOUNTS - SEPARATE DEVICE
IA-2 (6) The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
IA-2 (6)
(CCI-001935)
The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access to privileged accounts.
IA-2 (6)
(CCI-001936)
The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
IA-2 (6)
(CCI-001937)
The device used in the information system implementation of multifactor authentication for network access to privileged accounts meets organization-defined strength of mechanism requirements.
NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - SEPARATE DEVICE
IA-2 (7) The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
IA-2 (7)
(CCI-001938)
The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access to non-privileged accounts.
IA-2 (7)
(CCI-001939)
The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
IA-2 (7)
(CCI-001940)
The device used in the information system implementation of multifactor authentication for network access to non-privileged accounts meets organization-defined strength of mechanism requirements.
NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT
IA-2 (8) The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 (8)
(CCI-001941)
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT
IA-2 (9) The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
IA-2 (9)
(CCI-001942)
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
SINGLE SIGN-ON
IA-2 (10) The information system provides a single sign-on capability for [Assignment: organization-defined list of information system accounts and services].
IA-2 (10)
(CCI-001943)
The organization defines the information system accounts for which single sign-on capability will be provided.
IA-2 (10)
(CCI-001944)
The organization defines the information system services for which single sign-on capability will be provided.
IA-2 (10)
(CCI-001945)
The information system provides a single sign-on capability for an organization-defined list of information system accounts.
IA-2 (10)
(CCI-001946)
The information system provides a single sign-on capability for an organization-defined list of information system services.
REMOTE ACCESS - SEPARATE DEVICE
IA-2 (11) The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
IA-2 (11)
(CCI-001947)
The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access and is to provide one factor of a multifactor authentication for remote access to privileged accounts.
IA-2 (11)
(CCI-001948)
The information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
IA-2 (11)
(CCI-001949)
The device used in the information system implementation of multifactor authentication for remote access to privileged accounts meets organization-defined strength of mechanism requirements.
IA-2 (11)
(CCI-001950)
The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access and is to provide one factor of a multifactor authentication for remote access to non-privileged accounts.
IA-2 (11)
(CCI-001951)
The information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
IA-2 (11)
(CCI-001952)
The device used in the information system implementation of multifactor authentication for remote access to non-privileged accounts meets organization-defined strength of mechanism requirements.
ACCEPTANCE OF PIV CREDENTIALS
IA-2 (12) The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
IA-2 (12)
(CCI-001953)
The information system accepts Personal Identity Verification (PIV) credentials.
IA-2 (12)
(CCI-001954)
The information system electronically verifies Personal Identity Verification (PIV) credentials.
OUT-OF-BAND AUTHENTICATION
IA-2 (13) The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions].
IA-2 (13)
(CCI-001955)
The organization defines the out-of-band authentication to be implemented by the information system under organization-defined conditions.
IA-2 (13)
(CCI-001956)
The organization defines the conditions for which the information system implements organization-defined out-of-band authentication.
IA-2 (13)
(CCI-001957)
The information system implements organization-defined out-of-band authentication under organization-defined conditions.
IA-3 IDENTIFICATION AND AUTHENTICATION : DEVICE IDENTIFICATION AND AUTHENTICATION
IA-3 The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
IA-3
(CCI-000777)
The organization defines a list of specific and/or types of devices for which identification and authentication is required before establishing a connection to the information system.
IA-3
(CCI-000778)
The information system uniquely identifies an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection.
IA-3
(CCI-001958)
The information system authenticates an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection.
CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION
IA-3 (1) The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.
IA-3 (1)
(CCI-001959)
The organization defines the specific devices and/or type of devices the information system is to authenticate before establishing a connection.
IA-3 (1)
(CCI-001967)
The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION
IA-3 (2) [Withdrawn: Incorporated into IA-3 (1)].
DYNAMIC ADDRESS ALLOCATION
IA-3 (3) The organization:
IA-3 (3)(a) Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and
IA-3 (3) (a)
(CCI-001960)
The organization defines the lease information to be assigned to devices.
IA-3 (3) (a)
(CCI-001961)
The organization defines the lease duration to be assigned to devices.
IA-3 (3) (a)
(CCI-001962)
The organization standardizes dynamic address allocation lease information assigned to devices in accordance with organization-defined lease information.
IA-3 (3) (a)
(CCI-001963)
The organization standardizes dynamic address allocation lease duration assigned to devices in accordance with organization-defined lease duration.
IA-3 (3)(b) Audits lease information when assigned to a device.
IA-3 (3) (b)
(CCI-000783)
The organization audits lease information when assigned to a device.
DEVICE ATTESTATION
IA-3 (4) The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process].
IA-3 (4)
(CCI-001964)
The organization defines the configuration management process that is to handle the device identification procedures.
IA-3 (4)
(CCI-001965)
The organization defines the configuration management process that is to handle the device authentication procedures.
IA-3 (4)
(CCI-001966)
The organization ensures that device identification based on attestation is handled by the organization-defined configuration management process.
IA-3 (4)
(CCI-001968)
The organization defines the configuration management process that is to handle the device identification procedures.
IA-3 (4)
(CCI-001969)
The organization ensures that device authentication based on attestation is handled by the organization-defined configuration management process.
IA-4 IDENTIFICATION AND AUTHENTICATION : IDENTIFIER MANAGEMENT
IA-4 The organization manages information system identifiers by:
IA-4a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
IA-4 a
(CCI-001970)
The organization defines the personnel or roles that authorize the assignment of individual, group, role, and device identifiers.
IA-4 a
(CCI-001971)
The organization manages information system identifiers by receiving authorization from organization-defined personnel or roles to assign an individual, group, role, or device identifier.
IA-4b. Selecting an identifier that identifies an individual, group, role, or device;
IA-4 b
(CCI-001972)
The organization manages information system identifiers by selecting an identifier that identifies an individual, group, role, or device.
IA-4c. Assigning the identifier to the intended individual, group, role, or device;
IA-4 c
(CCI-001973)
The organization manages information system identifiers by assigning the identifier to the intended individual, group, role, or device.
IA-4d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
IA-4 d
(CCI-001974)
The organization defines the time period for which the reuse of identifiers is prohibited.
IA-4 d
(CCI-001975)
The organization manages information system identifiers by preventing reuse of identifiers for an organization-defined time period.
IA-4e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
IA-4 e
(CCI-000794)
The organization defines a time period of inactivity after which the identifier is disabled.
IA-4 e
(CCI-000795)
The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity.
PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS
IA-4 (1) The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.
IA-4 (1)
(CCI-000796)
The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.
SUPERVISOR AUTHORIZATION
IA-4 (2) The organization requires that the registration process to receive an individual identifier includes supervisor authorization.
IA-4 (2)
(CCI-002040)
The organization requires that the registration process to receive an individual identifier includes supervisor authorization.
MULTIPLE FORMS OF CERTIFICATION
IA-4 (3) The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority.
IA-4 (3)
(CCI-000799)
The organization requires multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics, be presented to the registration authority.
IDENTIFY USER STATUS
IA-4 (4) The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].
IA-4 (4)
(CCI-000800)
The organization defines characteristics for identifying individual status.
IA-4 (4)
(CCI-000801)
The organization manages individual identifiers by uniquely identifying each individual by organization-defined characteristics identifying individual status.
DYNAMIC MANAGEMENT
IA-4 (5) The information system dynamically manages identifiers.
IA-4 (5)
(CCI-001976)
The information system dynamically manages identifiers.
CROSS-ORGANIZATION MANAGEMENT
IA-4 (6) The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers.
IA-4 (6)
(CCI-001977)
The organization defines the external organizations with which it will coordinate for cross-management of identifiers.
IA-4 (6)
(CCI-001978)
The organization coordinates with organization-defined external organizations for cross-organization management of identifiers.
IN-PERSON REGISTRATION
IA-4 (7) The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.
IA-4 (7)
(CCI-001979)
The organization requires the registration process to receive an individual identifier be conducted in person before a designated registration authority.
IA-5 IDENTIFICATION AND AUTHENTICATION : AUTHENTICATOR MANAGEMENT
IA-5 The organization manages information system authenticators by:
IA-5a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
IA-5 a
(CCI-001980)
The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator.
IA-5b. Establishing initial authenticator content for authenticators defined by the organization;
IA-5 b
(CCI-000176)
The organization manages information system authenticators by establishing initial authenticator content for authenticators defined by the organization.
IA-5c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
IA-5 c
(CCI-001544)
The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use.
IA-5d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
IA-5 d
(CCI-001981)
The organization manages information system authenticators by establishing administrative procedures for initial authenticator distribution.
IA-5 d
(CCI-001982)
The organization manages information system authenticators by establishing administrative procedures for lost/compromised authenticators.
IA-5 d
(CCI-001983)
The organization manages information system authenticators by establishing administrative procedures for damaged authenticators.
IA-5 d
(CCI-001984)
The organization manages information system authenticators by establishing administrative procedures for revoking authenticators.
IA-5 d
(CCI-001985)
The organization manages information system authenticators by implementing administrative procedures for initial authenticator distribution.
IA-5 d
(CCI-001986)
The organization manages information system authenticators by implementing administrative procedures for lost/compromised authenticators.
IA-5 d
(CCI-001987)
The organization manages information system authenticators by implementing administrative procedures for damaged authenticators.
IA-5 d
(CCI-001988)
The organization manages information system authenticators by implementing administrative procedures for revoking authenticators.
IA-5e. Changing default content of authenticators prior to information system installation;
IA-5 e
(CCI-001989)
The organization manages information system authenticators by changing default content of authenticators prior to information system installation.
IA-5f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
IA-5 f
(CCI-000179)
The organization manages information system authenticators by establishing minimum lifetime restrictions for authenticators.
IA-5 f
(CCI-000180)
The organization manages information system authenticators by establishing maximum lifetime restrictions for authenticators.
IA-5 f
(CCI-000181)
The organization manages information system authenticators by establishing reuse conditions for authenticators.
IA-5g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
IA-5 g
(CCI-001610)
The organization defines the time period (by authenticator type) for changing/refreshing authenticators.
IA-5 g
(CCI-000182)
The organization manages information system authenticators by changing/refreshing authenticators in accordance with the organization-defined time period by authenticator type.
IA-5h. Protecting authenticator content from unauthorized disclosure and modification;
IA-5 h
(CCI-000183)
The organization manages information system authenticators by protecting authenticator content from unauthorized disclosure.
IA-5 h
(CCI-002042)
The organization manages information system authenticators by protecting authenticator content from unauthorized modification.
IA-5i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
IA-5 i
(CCI-000184)
The organization manages information system authenticators by requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators.
IA-5 i
(CCI-002365)
The organization manages information system authenticators by requiring individuals to take specific security safeguards to protect authenticators.
IA-5 i
(CCI-002366)
The organization manages information system authenticators by having devices implement specific security safeguards to protect authenticators.
IA-5j. Changing authenticators for group/role accounts when membership to those accounts changes.
IA-5 j
(CCI-001990)
The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes.
PASSWORD-BASED AUTHENTICATION
IA-5 (1) The information system, for password-based authentication:
IA-5 (1)(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
IA-5 (1) (a)
(CCI-001611)
The organization defines the minimum number of special characters for password complexity enforcement.
IA-5 (1) (a)
(CCI-001612)
The organization defines the minimum number of upper case characters for password complexity enforcement.
IA-5 (1) (a)
(CCI-001613)
The organization defines the minimum number of lower case characters for password complexity enforcement.
IA-5 (1) (a)
(CCI-001614)
The organization defines the minimum number of numeric characters for password complexity enforcement.
IA-5 (1) (a)
(CCI-001619)
The information system enforces password complexity by the minimum number of special characters used.
IA-5 (1) (a)
(CCI-000192)
The information system enforces password complexity by the minimum number of upper case characters used.
IA-5 (1) (a)
(CCI-000193)
The information system enforces password complexity by the minimum number of lower case characters used.
IA-5 (1) (a)
(CCI-000194)
The information system enforces password complexity by the minimum number of numeric characters used.
IA-5 (1) (a)
(CCI-000205)
The information system enforces minimum password length.
IA-5 (1)(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
IA-5 (1) (b)
(CCI-001615)
The organization defines the minimum number of characters that are changed when new passwords are created.
IA-5 (1) (b)
(CCI-000195)
The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
IA-5 (1)(c) Stores and transmits only cryptographically-protected passwords;
IA-5 (1) (c)
(CCI-000196)
The information system, for password-based authentication, stores only cryptographically-protected passwords.
IA-5 (1) (c)
(CCI-000197)
The information system, for password-based authentication, transmits only cryptographically-protected passwords.
IA-5 (1)(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
IA-5 (1) (d)
(CCI-001616)
The organization defines minimum password lifetime restrictions.
IA-5 (1) (d)
(CCI-001617)
The organization defines maximum password lifetime restrictions.
IA-5 (1) (d)
(CCI-000198)
The information system enforces minimum password lifetime restrictions.
IA-5 (1) (d)
(CCI-000199)
The information system enforces maximum password lifetime restrictions.
IA-5 (1)(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
IA-5 (1) (e)
(CCI-001618)
The organization defines the number of generations for which password reuse is prohibited.
IA-5 (1) (e)
(CCI-000200)
The information system prohibits password reuse for the organization-defined number of generations.
IA-5 (1)(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
IA-5 (1) (f)
(CCI-002041)
The information system allows the use of a temporary password for system logons with an immediate change to a permanent password.
PKI-BASED AUTHENTICATION
IA-5 (2) The information system, for PKI-based authentication:
IA-5 (2)(a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
IA-5 (2) (a)
(CCI-000185)
The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
IA-5 (2)(b) Enforces authorized access to the corresponding private key;
IA-5 (2) (b)
(CCI-000186)
The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.
IA-5 (2)(c) Maps the authenticated identity to the account of the individual or group; and
IA-5 (2) (c)
(CCI-000187)
The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group.
IA-5 (2)(d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
IA-5 (2) (d)
(CCI-001991)
The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IA-5 (3) The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
IA-5 (3)
(CCI-001992)
The organization defines the personnel or roles responsible for authorizing the organization's registration authority accountable for the authenticator registration process.
IA-5 (3)
(CCI-001993)
The organization defines the registration authority accountable for the authenticator registration process.
IA-5 (3)
(CCI-001994)
The organization defines the types of and/or specific authenticators that are subject to the authenticator registration process.
IA-5 (3)
(CCI-001995)
The organization requires that the registration process, to receive organization-defined types of and/or specific authenticators, be conducted in person, or by a trusted third-party, before an organization-defined registration authority with authorization by organization-defined personnel or roles.
AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION
IA-5 (4) The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
IA-5 (4)
(CCI-001996)
The organization defines the requirements required by the automated tools to determine if password authenticators are sufficiently strong.
IA-5 (4)
(CCI-001997)
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy organization-defined requirements.
CHANGE AUTHENTICATORS PRIOR TO DELIVERY
IA-5 (5) The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
IA-5 (5)
(CCI-001998)
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
PROTECTION OF AUTHENTICATORS
IA-5 (6) The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
IA-5 (6)
(CCI-000201)
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS
IA-5 (7) The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
IA-5 (7)
(CCI-000202)
The organization ensures unencrypted static authenticators are not embedded in access scripts.
IA-5 (7)
(CCI-000203)
The organization ensures unencrypted static authenticators are not stored on function keys.
IA-5 (7)
(CCI-002367)
The organization ensures unencrypted static authenticators are not embedded in applications.
MULTIPLE INFORMATION SYSTEM ACCOUNTS
IA-5 (8) The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.
IA-5 (8)
(CCI-001621)
The organization implements organization-defined security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems.
IA-5 (8)
(CCI-000204)
The organization defines the security safeguards required to manage the risk of compromise due to individuals having accounts on multiple information systems.
CROSS-ORGANIZATION CREDENTIAL MANAGEMENT
IA-5 (9) The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials.
IA-5 (9)
(CCI-001999)
The organization defines the external organizations to be coordinated with for cross-organization management of credentials.
IA-5 (9)
(CCI-002000)
The organization coordinates with organization-defined external organizations for cross-organization management of credentials.
DYNAMIC CREDENTIAL ASSOCIATION
IA-5 (10) The information system dynamically provisions identities.
IA-5 (10)
(CCI-002001)
The information system dynamically provisions identities.
HARDWARE TOKEN-BASED AUTHENTICATION
IA-5 (11) The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
IA-5 (11)
(CCI-002002)
The organization defines the token quality requirements to be employed by the information system mechanisms for token-based authentication.
IA-5 (11)
(CCI-002003)
The information system, for token-based authentication, employs mechanisms that satisfy organization-defined token quality requirements.
BIOMETRIC AUTHENTICATION
IA-5 (12) The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements].
IA-5 (12)
(CCI-002004)
The organization defines the biometric quality requirements to be employed by the information system mechanisms for biometric-based authentication.
IA-5 (12)
(CCI-002005)
The information system, for biometric-based authentication, employs mechanisms that satisfy organization-defined biometric quality requirements.
EXPIRATION OF CACHED AUTHENTICATORS
IA-5 (13) The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period].
IA-5 (13)
(CCI-002006)
The organization defines the time period after which the use of cached authenticators is prohibited.
IA-5 (13)
(CCI-002007)
The information system prohibits the use of cached authenticators after an organization-defined time period.
MANAGING CONTENT OF PKI TRUST STORES
IA-5 (14) The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
IA-5 (14)
(CCI-002008)
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
FICAM-APPROVED PRODUCTS AND SERVICES
IA-5 (15) The organization uses only FICAM-approved path discovery and validation products and services.
IA-5 (15)
(CCI-002043)
The organization uses only FICAM-approved path discovery and validation products and services.
IA-6 IDENTIFICATION AND AUTHENTICATION : AUTHENTICATOR FEEDBACK
IA-6 The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
IA-6
(CCI-000206)
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
IA-7 IDENTIFICATION AND AUTHENTICATION : CRYPTOGRAPHIC MODULE AUTHENTICATION
IA-7 The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-7
(CCI-000803)
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-8 IDENTIFICATION AND AUTHENTICATION : IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
IA-8 The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
IA-8
(CCI-000804)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES
IA-8 (1) The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
IA-8 (1)
(CCI-002009)
The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies.
IA-8 (1)
(CCI-002010)
The information system electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
ACCEPTANCE OF THIRD-PARTY CREDENTIALS
IA-8 (2) The information system accepts only FICAM-approved third-party credentials.
IA-8 (2)
(CCI-002011)
The information system accepts FICAM-approved third-party credentials.
USE OF FICAM-APPROVED PRODUCTS
IA-8 (3) The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.
IA-8 (3)
(CCI-002012)
The organization defines the information systems which will employ only FICAM-approved information system components.
IA-8 (3)
(CCI-002013)
The organization employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials.
USE OF FICAM-ISSUED PROFILES
IA-8 (4) The information system conforms to FICAM-issued profiles.
IA-8 (4)
(CCI-002014)
The information system conforms to FICAM-issued profiles.
ACCEPTANCE OF PIV-I CREDENTIALS
IA-8 (5) The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials.
IA-8 (5)
(CCI-002015)
The information system accepts Personal Identity Verification-I (PIV-I) credentials.
IA-8 (5)
(CCI-002016)
The information system electronically verifies Personal Identity Verification-I (PIV-I) credentials.
IA-9 IDENTIFICATION AND AUTHENTICATION : SERVICE IDENTIFICATION AND AUTHENTICATION
IA-9 The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
IA-9
(CCI-002017)
The organization defines the information system services requiring identification.
IA-9
(CCI-002018)
The organization defines the information system services requiring authentication.
IA-9
(CCI-002019)
The organization defines the security safeguards to be used when identifying information system services.
IA-9
(CCI-002020)
The organization defines the security safeguards to be used when authenticating information system services.
IA-9
(CCI-002021)
The organization identifies organization-defined information system services using organization-defined security safeguards.
IA-9
(CCI-002022)
The organization authenticates organization-defined information system services using organization-defined security safeguards.
INFORMATION EXCHANGE
IA-9 (1) The organization ensures that service providers receive, validate, and transmit identification and authentication information.
IA-9 (1)
(CCI-002023)
The organization ensures that service providers receive identification information.
IA-9 (1)
(CCI-002024)
The organization ensures that service providers validate identification information.
IA-9 (1)
(CCI-002025)
The organization ensures that service providers transmit identification information.
IA-9 (1)
(CCI-002026)
The organization ensures that service providers receive authentication information.
IA-9 (1)
(CCI-002027)
The organization ensures that service providers validate authentication information.
IA-9 (1)
(CCI-002028)
The organization ensures that service providers transmit authentication information.
TRANSMISSION OF DECISIONS
IA-9 (2) The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies.
IA-9 (2)
(CCI-002029)
The organization defines the services between which identification decisions are to be transmitted.
IA-9 (2)
(CCI-002030)
The organization defines the services between which authentication decisions are to be transmitted.
IA-9 (2)
(CCI-002031)
The organization ensures that identification decisions are transmitted between organization-defined services consistent with organizational policies.
IA-9 (2)
(CCI-002032)
The organization ensures that authentication decisions are transmitted between organization-defined services consistent with organizational policies.
IA-10 IDENTIFICATION AND AUTHENTICATION : ADAPTIVE IDENTIFICATION AND AUTHENTICATION
IA-10 The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
IA-10
(CCI-002033)
The organization defines the specific circumstances or situations when individuals accessing an information system employ organization-defined supplemental authentication techniques or mechanisms.
IA-10
(CCI-002034)
The organization defines the supplemental authentication techniques or mechanisms to be employed in specific organization-defined circumstances or situations by individuals accessing the information system.
IA-10
(CCI-002035)
The organization requires that individuals accessing the information system employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations.
IA-11 IDENTIFICATION AND AUTHENTICATION : RE-AUTHENTICATION
IA-11 The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
IA-11
(CCI-002036)
The organization defines the circumstances or situations under which users will be required to reauthenticate.
IA-11
(CCI-002037)
The organization defines the circumstances or situations under which devices will be required to reauthenticate.
IA-11
(CCI-002038)
The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.
IA-11
(CCI-002039)
The organization requires devices to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.
IR-1 INCIDENT RESPONSE : INCIDENT RESPONSE POLICY AND PROCEDURES
IR-1 The organization:
IR-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
IR-1a.1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
IR-1 a 1
(CCI-000805)
The organization develops and documents an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
IR-1 a 1
(CCI-000806)
The organization disseminates an incident response policy to organization-defined personnel or roles.
IR-1 a 1
(CCI-002776)
The organization defines the personnel or roles to whom the incident response policy is disseminated.
IR-1a.2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
IR-1 a 2
(CCI-000809)
The organization develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls.
IR-1 a 2
(CCI-000810)
The organization disseminates incident response procedures to organization-defined personnel or roles.
IR-1 a 2
(CCI-002777)
The organization defines the personnel or roles to whom the incident response procedures are disseminated.
IR-1b. Reviews and updates the current:
IR-1b.1. Incident response policy [Assignment: organization-defined frequency]; and
IR-1 b 1
(CCI-000807)
The organization reviews and updates the current incident response policy in accordance with organization-defined frequency.
IR-1 b 1
(CCI-000808)
The organization defines the frequency with which to review and update the current incident response policy.
IR-1b.2. Incident response procedures [Assignment: organization-defined frequency].
IR-1 b 2
(CCI-000811)
The organization reviews and updates the current incident response procedures in accordance with organization-defined frequency.
IR-1 b 2
(CCI-000812)
The organization defines the frequency with which to review and update the current incident response procedures.
IR-2 INCIDENT RESPONSE : INCIDENT RESPONSE TRAINING
IR-2 The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
IR-2a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
IR-2 a
(CCI-000813)
The organization provides incident response training to information system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming an incident response role or responsibility.
IR-2 a
(CCI-002778)
The organization defines the time period in which information system users who assume an incident response role or responsibility receive incident response training.
IR-2b. When required by information system changes; and
IR-2 b
(CCI-002779)
The organization provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes.
IR-2c. [Assignment: organization-defined frequency] thereafter.
IR-2 c
(CCI-000814)
The organization provides incident response training in accordance with organization-defined frequency.
IR-2 c
(CCI-000815)
The organization defines a frequency for incident response training.
SIMULATED EVENTS
IR-2 (1) The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
IR-2 (1)
(CCI-000816)
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
AUTOMATED TRAINING ENVIRONMENTS
IR-2 (2) The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
IR-2 (2)
(CCI-000817)
The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
IR-3 INCIDENT RESPONSE : INCIDENT RESPONSE TESTING
IR-3 The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
IR-3
(CCI-001624)
The organization documents the results of incident response tests.
IR-3
(CCI-000818)
The organization tests the incident response capability for the information system on an organization-defined frequency using organization-defined tests to determine the incident response effectiveness.
IR-3
(CCI-000819)
The organization defines a frequency for incident response tests.
IR-3
(CCI-000820)
The organization defines tests for incident response.
AUTOMATED TESTING
IR-3 (1) The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.
IR-3 (1)
(CCI-000821)
The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.
COORDINATION WITH RELATED PLANS
IR-3 (2) The organization coordinates incident response testing with organizational elements responsible for related plans.
IR-3 (2)
(CCI-002780)
The organization coordinates incident response testing with organizational elements responsible for related plans.
IR-4 INCIDENT RESPONSE : INCIDENT HANDLING
IR-4 The organization:
IR-4a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
IR-4 a
(CCI-000822)
The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
IR-4b. Coordinates incident handling activities with contingency planning activities; and
IR-4 b
(CCI-000823)
The organization coordinates incident handling activities with contingency planning activities.
IR-4c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
IR-4 c
(CCI-001625)
The organization implements the resulting incident handling activity changes to incident response procedures, training, and testing/exercises accordingly.
IR-4 c
(CCI-000824)
The organization incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.
AUTOMATED INCIDENT HANDLING PROCESSES
IR-4 (1) The organization employs automated mechanisms to support the incident handling process.
IR-4 (1)
(CCI-000825)
The organization employs automated mechanisms to support the incident handling process.
DYNAMIC RECONFIGURATION
IR-4 (2) The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
IR-4 (2)
(CCI-000826)
The organization includes dynamic reconfiguration of organization-defined information system components as part of the incident response capability.
IR-4 (2)
(CCI-002781)
The organization defines the information system components for dynamic reconfiguration as part of the incident response capability.
CONTINUITY OF OPERATIONS
IR-4 (3) The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
IR-4 (3)
(CCI-000827)
The organization defines and identifies classes of incidents for which organization-defined actions are to be taken to ensure continuation of organizational mission and business functions.
IR-4 (3)
(CCI-000828)
The organization defines and identifies actions to take in response to organization-defined classes of incidents to ensure continuation of organizational missions and business functions.
INFORMATION CORRELATION
IR-4 (4) The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
IR-4 (4)
(CCI-000829)
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
AUTOMATIC DISABLING OF INFORMATION SYSTEM
IR-4 (5) The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.
IR-4 (5)
(CCI-000830)
The organization defines security violations that, if detected, initiate a configurable capability to automatically disable the information system.
IR-4 (5)
(CCI-000831)
The organization implements a configurable capability to automatically disable the information system if organization-defined security violations are detected.
INSIDER THREATS - SPECIFIC CAPABILITIES
IR-4 (6) The organization implements incident handling capability for insider threats.
IR-4 (6)
(CCI-002782)
The organization implements an incident handling capability for insider threats.
INSIDER THREATS - INTRA-ORGANIZATION COORDINATION
IR-4 (7) The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].
IR-4 (7)
(CCI-002783)
The organization coordinates an incident handling capability for insider threats across organization-defined components or elements of the organization.
IR-4 (7)
(CCI-002784)
The organization defines components or elements of the organization across which an incident handling capability for insider threats will be coordinated.
CORRELATION WITH EXTERNAL ORGANIZATIONS
IR-4 (8) The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
IR-4 (8)
(CCI-002785)
The organization coordinates with organization-defined external organizations to correlate and share organization-defined incident information to achieve a cross-organization perspective on incident awareness and more effective incident responses.
IR-4 (8)
(CCI-002786)
The organization defines external organizations with which to correlate and share organization-defined incident information.
IR-4 (8)
(CCI-002787)
The organization defines incident information to correlate and share with organization-defined external organizations.
DYNAMIC RESPONSE CAPABILITY
IR-4 (9) The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
IR-4 (9)
(CCI-002788)
The organization employs organization-defined dynamic response capabilities to effectively respond to security incidents.
IR-4 (9)
(CCI-002789)
The organization defines dynamic response capabilities to effectively respond to security incidents.
SUPPLY CHAIN COORDINATION
IR-4 (10) The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.
IR-4 (10)
(CCI-002790)
The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.
IR-5 INCIDENT RESPONSE : INCIDENT MONITORING
IR-5 The organization tracks and documents information system security incidents.
IR-5
(CCI-000832)
The organization tracks and documents information system security incidents.
AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS
IR-5 (1) The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
IR-5 (1)
(CCI-001626)
The organization employs automated mechanisms to assist in the collection of security incident information.
IR-5 (1)
(CCI-001627)
The organization employs automated mechanisms to assist in the analysis of security incident information.
IR-5 (1)
(CCI-000833)
The organization employs automated mechanisms to assist in the tracking of security incidents.
IR-6 INCIDENT RESPONSE : INCIDENT REPORTING
IR-6 The organization:
IR-6a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
IR-6 a
(CCI-000834)
The organization defines a time period for personnel to report suspected security incidents to the organizational incident response capability.
IR-6 a
(CCI-000835)
The organization requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period.
IR-6b. Reports security incident information to [Assignment: organization-defined authorities].
IR-6 b
(CCI-000836)
The organization reports security incident information to organization-defined authorities.
IR-6 b
(CCI-002791)
The organization defines authorities to whom security incident information is reported.
AUTOMATED REPORTING
IR-6 (1) The organization employs automated mechanisms to assist in the reporting of security incidents.
IR-6 (1)
(CCI-000837)
The organization employs automated mechanisms to assist in the reporting of security incidents.
VULNERABILITIES RELATED TO INCIDENTS
IR-6 (2) The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles].
IR-6 (2)
(CCI-000838)
The organization reports information system vulnerabilities associated with reported security incidents to organization-defined personnel or roles.
IR-6 (2)
(CCI-002792)
The organization defines personnel or roles to whom information system vulnerabilities associated with reported security incident information are reported.
COORDINATION WITH SUPPLY CHAIN
IR-6 (3) The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.
IR-6 (3)
(CCI-002793)
The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.
IR-7 INCIDENT RESPONSE : INCIDENT RESPONSE ASSISTANCE
IR-7 The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
IR-7
(CCI-000839)
The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT
IR-7 (1) The organization employs automated mechanisms to increase the availability of incident response-related information and support.
IR-7 (1)
(CCI-000840)
The organization employs automated mechanisms to increase the availability of incident response-related information and support.
COORDINATION WITH EXTERNAL PROVIDERS
IR-7 (2) The organization:
IR-7 (2)(a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
IR-7 (2) (a)
(CCI-000841)
The organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.
IR-7 (2)(b) Identifies organizational incident response team members to the external providers.
IR-7 (2) (b)
(CCI-000842)
The organization identifies organizational incident response team members to the external providers.
IR-8 INCIDENT RESPONSE : INCIDENT RESPONSE PLAN
IR-8 The organization:
IR-8a. Develops an incident response plan that:
IR-8 a
(CCI-002794)
The organization develops an incident response plan.
IR-8a.1. Provides the organization with a roadmap for implementing its incident response capability;
IR-8 a 1
(CCI-002795)
The organization's incident response plan provides the organization with a roadmap for implementing its incident response capability.
IR-8a.2. Describes the structure and organization of the incident response capability;
IR-8 a 2
(CCI-002796)
The organization's incident response plan describes the structure and organization of the incident response capability.
IR-8a.3. Provides a high-level approach for how the incident response capability fits into the overall organization;
IR-8 a 3
(CCI-002797)
The organization's incident response plan provides a high-level approach for how the incident response capability fits into the overall organization.
IR-8a.4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
IR-8 a 4
(CCI-002798)
The organization's incident response plan meets the unique requirements of the organization, which relate to mission, size, structure, and functions.
IR-8a.5. Defines reportable incidents;
IR-8 a 5
(CCI-002799)
The organization's incident response plan defines reportable incidents.
IR-8a.6. Provides metrics for measuring the incident response capability within the organization;
IR-8 a 6
(CCI-002800)
The organization's incident response plan provides metrics for measuring the incident response capability within the organization.
IR-8a.7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
IR-8 a 7
(CCI-002801)
The organization's incident response plan defines the resources and management support needed to effectively maintain and mature an incident response capability.
IR-8a.8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
IR-8 a 8
(CCI-000844)
The organization develops an incident response plan that is reviewed and approved by organization-defined personnel or roles.
IR-8 a 8
(CCI-002802)
The organization defines personnel or roles to review and approve the incident response plan.
IR-8b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
IR-8 b
(CCI-000845)
The organization defines incident response personnel (identified by name and/or by role) and organizational elements to whom copies of the incident response plan are distributed.
IR-8 b
(CCI-000846)
The organization distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements.
IR-8c. Reviews the incident response plan [Assignment: organization-defined frequency];
IR-8 c
(CCI-000847)
The organization defines the frequency for reviewing the incident response plan.
IR-8 c
(CCI-000848)
The organization reviews the incident response plan on an organization-defined frequency.
IR-8d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
IR-8 d
(CCI-000849)
The organization updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.
IR-8e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
IR-8 e
(CCI-000850)
The organization communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements.
IR-8 e
(CCI-002803)
The organization defines incident response personnel (identified by name and/or by role) and organizational elements to whom incident response plan changes will be communicated.
IR-8f. Protects the incident response plan from unauthorized disclosure and modification.
IR-8 f
(CCI-002804)
The organization protects the incident response plan from unauthorized disclosure and modification.
IR-9 INCIDENT RESPONSE : INFORMATION SPILLAGE RESPONSE
IR-9 The organization responds to information spills by:
IR-9a. Identifying the specific information involved in the information system contamination;
IR-9 a
(CCI-002805)
The organization responds to information spills by identifying the specific information involved in the information system contamination.
IR-9b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
IR-9 b
(CCI-002806)
The organization responds to information spills by alerting organization-defined personnel or roles of the information spill using a method of communication not associated with the spill.
IR-9 b
(CCI-002807)
The organization defines personnel or roles to be alerted of information spills using a method of communication not associated with the spill.
IR-9c. Isolating the contaminated information system or system component;
IR-9 c
(CCI-002808)
The organization responds to information spills by isolating the contaminated information system or system component.
IR-9d. Eradicating the information from the contaminated information system or component;
IR-9 d
(CCI-002809)
The organization responds to information spills by eradicating the information from the contaminated information system or component.
IR-9e. Identifying other information systems or system components that may have been subsequently contaminated; and
IR-9 e
(CCI-002810)
The organization responds to information spills by identifying other information systems or system components that may have been subsequently contaminated.
IR-9f. Performing other [Assignment: organization-defined actions].
IR-9 f
(CCI-002811)
The organization responds to information spills by performing other organization-defined actions.
IR-9 f
(CCI-002812)
The organization defines other actions required to respond to information spills.
RESPONSIBLE PERSONNEL
IR-9 (1) The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills.
IR-9 (1)
(CCI-002813)
The organization assigns organization-defined personnel or roles with responsibility for responding to information spills.
IR-9 (1)
(CCI-002814)
The organization assigns organization-defined personnel or roles with responsibility for responding to information spills.
IR-9 (1)
(CCI-002815)
The organization defines personnel or roles to whom responsibility for responding to information spills will be assigned.
TRAINING
IR-9 (2) The organization provides information spillage response training [Assignment: organization-defined frequency].
IR-9 (2)
(CCI-002816)
The organization provides information spillage response training according to an organization-defined frequency.
IR-9 (2)
(CCI-002817)
The organization defines the frequency with which to provide information spillage response training.
POST-SPILL OPERATIONS
IR-9 (3) The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
IR-9 (3)
(CCI-002818)
The organization implements organization-defined procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
IR-9 (3)
(CCI-002819)
The organization defines procedures to implement to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
EXPOSURE TO UNAUTHORIZED PERSONNEL
IR-9 (4) The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations.
IR-9 (4)
(CCI-002820)
The organization employs organization-defined security safeguards for personnel exposed to information not within assigned access authorizations.
IR-9 (4)
(CCI-002821)
The organization defines security safeguards to employ for personnel exposed to information not within assigned access authorizations.
IR-10 INCIDENT RESPONSE : INTEGRATED INFORMATION SECURITY ANALYSIS TEAM
IR-10 The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
IR-10
(CCI-002822)
The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
MA-1 MAINTENANCE : SYSTEM MAINTENANCE POLICY AND PROCEDURES
MA-1 The organization:
MA-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
MA-1a.1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
MA-1 a 1
(CCI-000852)
The organization develops and documents a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
MA-1 a 1
(CCI-000853)
The organization disseminates to organization-defined personnel or roles a system maintenance policy.
MA-1 a 1
(CCI-002861)
The organization defines the personnel or roles to whom a system maintenance policy is disseminated.
MA-1a.2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
MA-1 a 2
(CCI-000855)
The organization develops and documents procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls.
MA-1 a 2
(CCI-000856)
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls.
MA-1 a 2
(CCI-002862)
The organization defines the personnel or roles to whom system maintenance procedures are to be disseminated.
MA-1b. Reviews and updates the current:
MA-1b.1. System maintenance policy [Assignment: organization-defined frequency]; and
MA-1 b 1
(CCI-000854)
The organization reviews and updates the current system maintenance policy in accordance with organization-defined frequency.
MA-1 b 1
(CCI-000851)
The organization defines the frequency with which to review and update the current system maintenance policy.
MA-1b.2. System maintenance procedures [Assignment: organization-defined frequency].
MA-1 b 2
(CCI-001628)
The organization defines a frequency with which to review and update the current system maintenance procedures.
MA-1 b 2
(CCI-000857)
The organization reviews and updates the current system maintenance procedures in accordance with organization-defined frequency.
MA-2 MAINTENANCE : CONTROLLED MAINTENANCE
MA-2 The organization:
MA-2a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
MA-2 a
(CCI-002866)
The organization schedules maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2 a
(CCI-002868)
The organization documents maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2 a
(CCI-002869)
The organization reviews records of maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2 a
(CCI-002870)
The organization schedules repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2 a
(CCI-002871)
The organization performs repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2 a
(CCI-002872)
The organization documents repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2 a
(CCI-002873)
The organization reviews records of repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
MA-2b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
MA-2 b
(CCI-000859)
The organization approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location.
MA-2c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
MA-2 c
(CCI-000860)
The organization requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs.
MA-2 c
(CCI-002874)
The organization defines the personnel or roles who can explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs.
MA-2d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
MA-2 d
(CCI-000861)
The organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs.
MA-2e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
MA-2 e
(CCI-000862)
The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
MA-2f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
MA-2 f
(CCI-002875)
The organization includes organization-defined maintenance-related information in organizational maintenance records.
MA-2 f
(CCI-002876)
The organization defines the maintenance-related information to include in organizational maintenance records.
RECORD CONTENT
MA-2 (1) [Withdrawn: Incorporated into MA-2].
AUTOMATED MAINTENANCE ACTIVITIES
MA-2 (2) The organization:
MA-2 (2)(a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and
MA-2 (2) (a)
(CCI-002863)
The organization employs automated mechanisms to schedule, conduct, and document repairs.
MA-2 (2) (a)
(CCI-002905)
The organization employs automated mechanisms to schedule, conduct, and document maintenance.
MA-2 (2)(b) Produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.
MA-2 (2) (b)
(CCI-002864)
The organization produces up-to-date, accurate, and complete records of all maintenance requested, scheduled, in process, and completed.
MA-2 (2) (b)
(CCI-002865)
The organization produces up-to-date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed.
MA-3 MAINTENANCE : MAINTENANCE TOOLS
MA-3 The organization approves, controls, and monitors information system maintenance tools.
MA-3
(CCI-000865)
The organization approves information system maintenance tools.
MA-3
(CCI-000866)
The organization controls information system maintenance tools.
MA-3
(CCI-000867)
The organization monitors information system maintenance tools.
INSPECT TOOLS
MA-3 (1) The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
MA-3 (1)
(CCI-000869)
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
INSPECT MEDIA
MA-3 (2) The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
MA-3 (2)
(CCI-000870)
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
PREVENT UNAUTHORIZED REMOVAL
MA-3 (3) The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
MA-3 (3)
(CCI-000871)
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (a) verifying that there is no organizational information contained on the equipment; (b) sanitizing or destroying the equipment; (c) retaining the equipment within the facility; or (d) obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.
MA-3 (3)(a) Verifying that there is no organizational information contained on the equipment;
MA-3 (3) (a)
(CCI-002877)
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by verifying that there is no organizational information contained on the equipment.
MA-3 (3)(b) Sanitizing or destroying the equipment;
MA-3 (3) (b)
(CCI-002878)
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by sanitizing or destroying the equipment.
MA-3 (3)(c) Retaining the equipment within the facility; or
MA-3 (3) (c)
(CCI-002879)
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by retaining the equipment within the facility.
MA-3 (3) (c)
(CCI-002880)
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by retaining the equipment within the facility.
MA-3 (3)(d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
MA-3 (3) (d)
(CCI-002881)
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.
MA-3 (3) (d)
(CCI-002882)
The organization defines the personnel or roles who can provide an exemption that explicitly authorizes removal of equipment from the facility.
RESTRICTED TOOL USE
MA-3 (4) The information system restricts the use of maintenance tools to authorized personnel only.
MA-3 (4)
(CCI-002883)
The information system restricts the use of maintenance tools to authorized personnel only.
MA-4 MAINTENANCE : NONLOCAL MAINTENANCE
MA-4 The organization:
MA-4a. Approves and monitors nonlocal maintenance and diagnostic activities;
MA-4 a
(CCI-000873)
The organization approves nonlocal maintenance and diagnostic activities.
MA-4 a
(CCI-000874)
The organization monitors nonlocal maintenance and diagnostic activities.
MA-4b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
MA-4 b
(CCI-000876)
The organization allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system.
MA-4c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
MA-4 c
(CCI-000877)
The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
MA-4d. Maintains records for nonlocal maintenance and diagnostic activities; and
MA-4 d
(CCI-000878)
The organization maintains records for nonlocal maintenance and diagnostic activities.
MA-4e. Terminates session and network connections when nonlocal maintenance is completed.
MA-4 e
(CCI-000879)
The organization terminates sessions and network connections when nonlocal maintenance is completed.
AUDITING AND REVIEW
MA-4 (1) The organization:
MA-4 (1)(a) Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and
MA-4 (1) (a)
(CCI-002884)
The organization audits nonlocal maintenance and diagnostic sessions' organization-defined audit events.
MA-4 (1) (a)
(CCI-002885)
The organization defines the nonlocal maintenance and diagnostic session audit events to audit.
MA-4 (1)(b) Reviews the records of the maintenance and diagnostic sessions.
MA-4 (1) (b)
(CCI-002886)
The organization reviews the records of the nonlocal maintenance and diagnostic sessions.
DOCUMENT NONLOCAL MAINTENANCE
MA-4 (2) The organization documents, in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
MA-4 (2)
(CCI-000881)
The organization documents, in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
COMPARABLE SECURITY / SANITIZATION
MA-4 (3) The organization:
MA-4 (3)(a) Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
MA-4 (3) (a)
(CCI-000882)
The organization requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced.
MA-4 (3)(b) Removes the component to be serviced from the information system and prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
MA-4 (3) (b)
(CCI-001631)
The organization, before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
MA-4 (3) (b)
(CCI-000883)
The organization removes the component to be serviced from the information system and prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities.
AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS
MA-4 (4) The organization protects nonlocal maintenance sessions by:
MA-4 (4)(a) Employing [Assignment: organization-defined authenticators that are replay resistant]; and
MA-4 (4) (a)
(CCI-000884)
The organization protects nonlocal maintenance sessions by employing organization-defined authenticators that are replay resistant.
MA-4 (4) (a)
(CCI-002887)
The organization defines the authenticators that are replay resistant which will be employed to protect nonlocal maintenance sessions.
MA-4 (4)(b) Separating the maintenance sessions from other network sessions with the information system by either:
MA-4 (4) (b)
(CCI-001632)
The organization protects nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption.
MA-4 (4)(b)(1) Physically separated communications paths; or
MA-4 (4)(b)(2) Logically separated communications paths based upon encryption.
APPROVALS AND NOTIFICATIONS
MA-4 (5) The organization:
MA-4 (5)(a) Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
MA-4 (5) (a)
(CCI-000887)
The organization requires the approval of each nonlocal maintenance session by organization-defined personnel or roles.
MA-4 (5) (a)
(CCI-002888)
The organization defines the personnel or roles authorized to approve each nonlocal maintenance session.
MA-4 (5)(b) Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance.
MA-4 (5) (b)
(CCI-000886)
The organization defines the personnel or roles to be notified of the date and time of planned nonlocal maintenance.
MA-4 (5) (b)
(CCI-002889)
The organization notifies organization-defined personnel or roles of the date and time of planned nonlocal maintenance.
CRYPTOGRAPHIC PROTECTION
MA-4 (6) The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
MA-4 (6)
(CCI-002890)
The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
MA-4 (6)
(CCI-003123)
The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
REMOTE DISCONNECT VERIFICATION
MA-4 (7) The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.
MA-4 (7)
(CCI-002891)
The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.
MA-5 MAINTENANCE : MAINTENANCE PERSONNEL
MA-5 The organization:
MA-5a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
MA-5 a
(CCI-000890)
The organization establishes a process for maintenance personnel authorization.
MA-5 a
(CCI-000891)
The organization maintains a list of authorized maintenance organizations or personnel.
MA-5b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
MA-5 b
(CCI-002894)
The organization ensures that non-escorted personnel performing maintenance on the information system have required access authorizations.
MA-5c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
MA-5 c
(CCI-002895)
The organization designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
INDIVIDUALS WITHOUT APPROPRIATE ACCESS
MA-5 (1) The organization:
MA-5 (1)(a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
MA-5 (1) (a)
(CCI-000893)
The organization implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens.
MA-5 (1)(a)(1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
MA-5 (1) (a) (1)
(CCI-000894)
The organization requires maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals to be escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified.
MA-5 (1)(a)(2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
MA-5 (1) (a) (2)
(CCI-000895)
The organization requires that, prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system be sanitized and all nonvolatile storage media be removed or physically disconnected from the system and secured.
MA-5 (1)(b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
MA-5 (1) (b)
(CCI-002892)
The organization develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS
MA-5 (2) The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system.
MA-5 (2)
(CCI-000897)
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system.
CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS
MA-5 (3) The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.
MA-5 (3)
(CCI-000898)
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.
FOREIGN NATIONALS
MA-5 (4) The organization ensures that:
MA-5 (4)(a) Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and
MA-5 (4) (a)
(CCI-000899)
The organization ensures that cleared foreign nationals (i.e., foreign nationals with appropriate security clearances) are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments.
MA-5 (4)(b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements.
MA-5 (4) (b)
(CCI-000900)
The organization ensures that approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements.
NONSYSTEM-RELATED MAINTENANCE
MA-5 (5) The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations.
MA-5 (5)
(CCI-002893)
The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorization.
MA-6 MAINTENANCE : TIMELY MAINTENANCE
MA-6 The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.
MA-6
(CCI-000903)
The organization obtains maintenance support and/or spare parts for organization-defined information system components within an organization-defined time period of failure.
MA-6
(CCI-002896)
The organization defines the information system components for which it obtains maintenance support and/or spare parts.
MA-6
(CCI-002897)
The organization defines a time period for obtaining maintenance support and/or spare parts for organization-defined information system components after a failure.
PREVENTIVE MAINTENANCE
MA-6 (1) The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].
MA-6 (1)
(CCI-002898)
The organization performs preventive maintenance on organization-defined information system components at organization-defined time intervals.
MA-6 (1)
(CCI-002899)
The organization defines information system components on which to perform preventive maintenance.
MA-6 (1)
(CCI-002900)
The organization defines time intervals at which to perform preventive maintenance on organization-defined information system components.
PREDICTIVE MAINTENANCE
MA-6 (2) The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].
MA-6 (2)
(CCI-002901)
The organization performs predictive maintenance on organization-defined information system components at organization-defined intervals.
MA-6 (2)
(CCI-002902)
The organization defines information system components on which to perform predictive maintenance.
MA-6 (2)
(CCI-002903)
The organization defines time intervals at which to perform predictive maintenance on organization-defined information system components.
AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE
MA-6 (3) The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system.
MA-6 (3)
(CCI-002904)
The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system.
MP-1 MEDIA PROTECTION : MEDIA PROTECTION POLICY AND PROCEDURES
MP-1 The organization:
MP-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
MP-1a.1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
MP-1 a 1
(CCI-000995)
The organization develops and documents a media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
MP-1 a 1
(CCI-000996)
The organization disseminates to organization-defined personnel or roles a media protection policy.
MP-1 a 1
(CCI-002566)
The organization defines personnel or roles to whom a documented media protection policy and procedures will be disseminated.
MP-1a.2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
MP-1 a 2
(CCI-000999)
The organization develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls.
MP-1 a 2
(CCI-001000)
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the media protection policy and associated media protection controls.
MP-1b. Reviews and updates the current:
MP-1b.1. Media protection policy [Assignment: organization-defined frequency]; and
MP-1 b 1
(CCI-000997)
The organization reviews and updates the current media protection policy in accordance with organization-defined frequency.
MP-1 b 1
(CCI-000998)
The organization defines a frequency for reviewing and updating the current media protection policy.
MP-1b.2. Media protection procedures [Assignment: organization-defined frequency].
MP-1 b 2
(CCI-001001)
The organization reviews and updates the current media protection procedures in accordance with organization-defined frequency.
MP-1 b 2
(CCI-001002)
The organization defines a frequency for reviewing and updating the current media protection procedures.
MP-2 MEDIA PROTECTION : MEDIA ACCESS
MP-2 The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
MP-2
(CCI-001003)
The organization restricts access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles.
MP-2
(CCI-001004)
The organization defines types of digital and/or non-digital media for which the organization restricts access.
MP-2
(CCI-001005)
The organization defines personnel or roles from which to restrict access to organization-defined types of digital and/or non-digital media.
AUTOMATED RESTRICTED ACCESS
MP-2 (1) [Withdrawn: Incorporated into MP-4 (2)].
CRYPTOGRAPHIC PROTECTION
MP-2 (2) [Withdrawn: Incorporated into SC-28 (1)].
MP-3 MEDIA PROTECTION : MEDIA MARKING
MP-3 The organization:
MP-3a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
MP-3 a
(CCI-001010)
The organization marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.
MP-3b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
MP-3 b
(CCI-001011)
The organization exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas.
MP-3 b
(CCI-001012)
The organization defines types of information system media to exempt from marking as long as the media remain within organization-defined controlled areas.
MP-3 b
(CCI-001013)
The organization defines controlled areas where organization-defined types of information system media are exempt from being marked.
MP-4 MEDIA PROTECTION : MEDIA STORAGE
MP-4 The organization:
MP-4a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
MP-4 a
(CCI-001014)
The organization physically controls and securely stores organization-defined types of digital and/or non-digital media within organization-defined controlled areas.
MP-4 a
(CCI-001015)
The organization defines types of digital and/or non-digital media to physically control and securely store within organization-defined controlled areas.
MP-4 a
(CCI-001016)
The organization defines controlled areas where organization-defined types of digital and/or non-digital media are physically controlled and securely stored.
MP-4b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-4 b
(CCI-001018)
The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
CRYPTOGRAPHIC PROTECTION
MP-4 (1) [Withdrawn: Incorporated into SC-28 (1)].
AUTOMATED RESTRICTED ACCESS
MP-4 (2) The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
MP-4 (2)
(CCI-001007)
The organization employs automated mechanisms to restrict access to media storage areas.
MP-4 (2)
(CCI-001008)
The organization employs automated mechanisms to audit access attempts and access granted to media storage areas.
MP-5 MEDIA PROTECTION : MEDIA TRANSPORT
MP-5 The organization:
MP-5a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
MP-5 a
(CCI-001020)
The organization protects and controls organization-defined types of information system media during transport outside of controlled areas using organization-defined security safeguards.
MP-5 a
(CCI-001021)
The organization defines types of information system media protected and controlled during transport outside of controlled areas.
MP-5 a
(CCI-001022)
The organization defines security safeguards to be used to protect and control organization-defined types of information system media during transport outside of controlled areas.
MP-5b. Maintains accountability for information system media during transport outside of controlled areas;
MP-5 b
(CCI-001023)
The organization maintains accountability for information system media during transport outside of controlled areas.
MP-5c. Documents activities associated with the transport of information system media; and
MP-5 c
(CCI-001025)
The organization documents activities associated with the transport of information system media.
MP-5d. Restricts the activities associated with the transport of information system media to authorized personnel.
MP-5 d
(CCI-001024)
The organization restricts the activities associated with the transport of information system media to authorized personnel.
PROTECTION OUTSIDE OF CONTROLLED AREAS
MP-5 (1) [Withdrawn: Incorporated into MP-5].
DOCUMENTATION OF ACTIVITIES
MP-5 (2) [Withdrawn: Incorporated into MP-5].
CUSTODIANS
MP-5 (3) The organization employs an identified custodian during transport of information system media outside of controlled areas.
MP-5 (3)
(CCI-001026)
The organization employs an identified custodian during transport of information system media outside of controlled areas.
CRYPTOGRAPHIC PROTECTION
MP-5 (4) The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
MP-5 (4)
(CCI-001027)
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
MP-6 MEDIA PROTECTION : MEDIA SANITIZATION
MP-6 The organization:
MP-6a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
MP-6 a
(CCI-001028)
The organization sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies.
MP-6 a
(CCI-002578)
The organization defines information system media to sanitize prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies.
MP-6 a
(CCI-002579)
The organization defines the sanitization techniques and procedures to be used to sanitize organization-defined information system media prior to disposal, release out of organizational control, or release for reuse in accordance with applicable federal and organization standards and policies.
MP-6b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
MP-6 b
(CCI-002580)
The organization employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY
MP-6 (1) The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.
MP-6 (1)
(CCI-002567)
The organization reviews and approves media sanitization.
MP-6 (1)
(CCI-002568)
The organization tracks and documents media sanitization.
MP-6 (1)
(CCI-002569)
The organization verifies media sanitization.
MP-6 (1)
(CCI-002570)
The organization reviews and approves media disposal actions.
MP-6 (1)
(CCI-002571)
The organization tracks and documents media disposal actions.
MP-6 (1)
(CCI-002572)
The organization verifies media disposal actions.
EQUIPMENT TESTING
MP-6 (2) The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved.
MP-6 (2)
(CCI-001030)
The organization tests sanitization equipment and procedures in accordance with the organization-defined frequency to verify that the intended sanitization is being achieved.
MP-6 (2)
(CCI-001031)
The organization defines a frequency for testing sanitization equipment and procedures to verify that the intended sanitization is being achieved.
NONDESTRUCTIVE TECHNIQUES
MP-6 (3) The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
MP-6 (3)
(CCI-001032)
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system in accordance with organization-defined circumstances requiring sanitization of portable storage devices.
MP-6 (3)
(CCI-001033)
The organization defines circumstances requiring sanitization of portable storage devices prior to connecting such devices to the information system.
CONTROLLED UNCLASSIFIED INFORMATION
MP-6 (4) [Withdrawn: Incorporated into MP-6].
CLASSIFIED INFORMATION
MP-6 (5) [Withdrawn: Incorporated into MP-6].
MEDIA DESTRUCTION
MP-6 (6) [Withdrawn: Incorporated into MP-6].
DUAL AUTHORIZATION
MP-6 (7) The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media].
MP-6 (7)
(CCI-002573)
The organization enforces dual authorization for the sanitization of organization-defined information system media.
MP-6 (7)
(CCI-002574)
The organization defines the information system media that dual authorization is enforced for sanitization.
REMOTE PURGING / WIPING OF INFORMATION
MP-6 (8) The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions].
MP-6 (8)
(CCI-002575)
The organization defines information systems, system components, or devices from which information is to be purged/wiped, either remotely or under the organization-defined conditions.
MP-6 (8)
(CCI-002576)
The organization defines conditions under which information from organization-defined information systems, system components, or devices should be purged/wiped.
MP-6 (8)
(CCI-002577)
The organization provides the capability to purge/wipe information from organization-defined information systems, system components, or devices either remotely or under organization-defined conditions.
MP-7 MEDIA PROTECTION : MEDIA USE
MP-7 The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].
MP-7
(CCI-002581)
The organization defines the types of information system media to restrict or prohibit on organization-defined information systems or system components using organization-defined security safeguards.
MP-7
(CCI-002582)
The organization defines the information systems or system components on which to restrict or prohibit the use of organization-defined types of information system media using organization-defined security safeguards.
MP-7
(CCI-002583)
The organization defines the security safeguards to use for restricting or prohibiting the use of organization-defined types of information system media on organization-defined information systems or system components.
MP-7
(CCI-002584)
The organization restricts or prohibits the use of organization-defined types of information system media on organization-defined information systems or system components using organization-defined security safeguards.
PROHIBIT USE WITHOUT OWNER
MP-7 (1) The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
MP-7 (1)
(CCI-002585)
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA
MP-7 (2) The organization prohibits the use of sanitization-resistant media in organizational information systems.
MP-7 (2)
(CCI-002586)
The organization prohibits the use of sanitization-resistant media in organizational information systems.
MP-8 MEDIA PROTECTION : MEDIA DOWNGRADING
MP-8 The organization:
MP-8a. Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity];
MP-8 a
(CCI-002595)
The organization establishes an organization-defined information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity.
MP-8 a
(CCI-002596)
The organization establishes and defines an information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity.
MP-8 a
(CCI-002597)
The organization defines strength and integrity for downgrading mechanisms to establish an organization-defined information system media downgrading process.
MP-8b. Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
MP-8 b
(CCI-002598)
The organization ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information.
MP-8c. Identifies [Assignment: organization-defined information system media requiring downgrading]; and
MP-8 c
(CCI-002599)
The organization defines and identifies the information system media requiring downgrading.
MP-8d. Downgrades the identified information system media using the established process.
MP-8 d
(CCI-002600)
The organization downgrades the identified information system media using the established process.
DOCUMENTATION OF PROCESS
MP-8 (1) The organization documents information system media downgrading actions.
MP-8 (1)
(CCI-002587)
The organization documents information system media downgrading actions.
EQUIPMENT TESTING
MP-8 (2) The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency].
MP-8 (2)
(CCI-002588)
The organization employs organization-defined tests of downgrading equipment in accordance with organization-defined frequency.
MP-8 (2)
(CCI-002589)
The organization employs procedures to verify correct performance of organization-defined tests of downgrading equipment in accordance with organization-defined frequency.
MP-8 (2)
(CCI-002590)
The organization defines tests to employ for downgrading equipment.
MP-8 (2)
(CCI-002591)
The organization defines the frequency with which to employ tests of downgrading equipment and procedures to verify correct performance.
CONTROLLED UNCLASSIFIED INFORMATION
MP-8 (3) The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies.
MP-8 (3)
(CCI-002592)
The organization defines Controlled Unclassified Information (CUI).
MP-8 (3)
(CCI-002593)
The organization downgrades information system media containing organization-defined Controlled Unclassified Information (CUI) prior to public release in accordance with applicable federal and organizational standards and policies.
CLASSIFIED INFORMATION
MP-8 (4) The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies.
MP-8 (4)
(CCI-002594)
The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies.
PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION : PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PE-1 The organization:
PE-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
PE-1a.1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
PE-1 a 1
(CCI-000904)
The organization develops and documents a physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
PE-1 a 1
(CCI-000905)
The organization disseminates a physical and environmental protection policy to organization-defined personnel or roles.
PE-1 a 1
(CCI-002908)
The organization defines the personnel or roles to whom a physical and environmental protection policy is disseminated.
PE-1a.2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
PE-1 a 2
(CCI-000908)
The organization develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
PE-1 a 2
(CCI-000909)
The organization disseminates physical and environmental protection procedures to organization-defined personnel or roles.
PE-1 a 2
(CCI-002909)
The organization defines the personnel or roles to whom the physical and environmental protection procedures are disseminated.
PE-1b. Reviews and updates the current:
PE-1b.1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
PE-1 b 1
(CCI-000906)
The organization reviews and updates the current physical and environmental protection policy in accordance with organization-defined frequency.
PE-1 b 1
(CCI-000907)
The organization defines the frequency with which to review and update the physical and environmental protection policy.
PE-1b.2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
PE-1 b 2
(CCI-000910)
The organization reviews and updates the current physical and environmental protection procedures in accordance with organization-defined frequency.
PE-1 b 2
(CCI-000911)
The organization defines the frequency with which to review and update the physical and environmental protection procedures.
PE-2 PHYSICAL AND ENVIRONMENTAL PROTECTION : PHYSICAL ACCESS AUTHORIZATIONS
PE-2 The organization:
PE-2a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
PE-2 a
(CCI-000912)
The organization develops a list of individuals with authorized access to the facility where the information system resides.
PE-2 a
(CCI-002910)
The organization approves a list of individuals with authorized access to the facility where the information system resides.
PE-2 a
(CCI-002911)
The organization maintains a list of individuals with authorized access to the facility where the information system resides.
PE-2b. Issues authorization credentials for facility access;
PE-2 b
(CCI-000913)
The organization issues authorization credentials for facility access.
PE-2c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
PE-2 c
(CCI-000914)
The organization reviews the access list detailing authorized facility access by individuals in accordance with organization-defined frequency.
PE-2 c
(CCI-000915)
The organization defines the frequency with which to review the access list detailing authorized facility access by individuals.
PE-2d. Removes individuals from the facility access list when access is no longer required.
PE-2 d
(CCI-001635)
The organization removes individuals from the facility access list when access is no longer required.
ACCESS BY POSITION / ROLE
PE-2 (1) The organization authorizes physical access to the facility where the information system resides based on position or role.
PE-2 (1)
(CCI-000916)
The organization authorizes physical access to the facility where the information system resides based on position or role.
TWO FORMS OF IDENTIFICATION
PE-2 (2) The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides.
PE-2 (2)
(CCI-000917)
The organization requires two forms of identification from an organization-defined list of acceptable forms of identification for visitor access to the facility where the information system resides.
PE-2 (2)
(CCI-002912)
The organization defines a list of acceptable forms of identification for visitor access to the facility where the information system resides.
RESTRICT UNESCORTED ACCESS
PE-2 (3) The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]].
PE-2 (3)
(CCI-002913)
The organization restricts unescorted access to the facility where the information system resides to personnel with one or more of the following: security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; organization-defined credentials.
PE-2 (3)
(CCI-002914)
The organization defines the credentials required for personnel to have unescorted access to the facility where the information system resides.
PE-3 PHYSICAL AND ENVIRONMENTAL PROTECTION : PHYSICAL ACCESS CONTROL
PE-3 The organization:
PE-3a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
PE-3 a
(CCI-000919)
The organization enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides.
PE-3 a
(CCI-002915)
The organization defines the entry/exit points to the facility where the information system resides.
PE-3a.1. Verifying individual access authorizations before granting access to the facility; and
PE-3 a 1
(CCI-000920)
The organization verifies individual access authorizations before granting access to the facility.
PE-3a.2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
PE-3 a 2
(CCI-000921)
The organization controls ingress/egress to the facility where the information system resides using one or more organization-defined physical access control systems/devices or guards.
PE-3 a 2
(CCI-002916)
The organization defines the physical access control systems/devices or guards that control ingress/egress to the facility where the information system resides.
PE-3b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
PE-3 b
(CCI-002917)
The organization maintains physical access audit logs for organization-defined entry/exit points to the facility where the information system resides.
PE-3 b
(CCI-002918)
The organization defines entry/exit points to the facility where the information system resides that require physical access audit logs be maintained.
PE-3c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
PE-3 c
(CCI-002919)
The organization provides organization-defined security safeguards to control access to areas within the facility where the information system resides officially designated as publicly accessible.
PE-3 c
(CCI-002920)
The organization defines security safeguards to control access to areas within the facility where the information system resides officially designated as publicly accessible.
PE-3d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
PE-3 d
(CCI-002921)
The organization escorts visitors in the facility where the information system resides during organization-defined circumstances requiring visitor escorts.
PE-3 d
(CCI-002922)
The organization defines circumstances requiring visitor escorts in the facility where the information system resides.
PE-3 d
(CCI-002923)
The organization monitors visitor activity in the facility where the information system resides during organization-defined circumstances requiring visitor monitoring.
PE-3 d
(CCI-002924)
The organization defines circumstances requiring visitor monitoring in the facility where the information system resides.
PE-3e. Secures keys, combinations, and other physical access devices;
PE-3 e
(CCI-000923)
The organization secures keys, combinations, and other physical access devices.
PE-3f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
PE-3 f
(CCI-000924)
The organization inventories organization-defined physical access devices on an organization-defined frequency.
PE-3 f
(CCI-000925)
The organization defines the frequency for conducting inventories of organization-defined physical access devices.
PE-3 f
(CCI-002925)
The organization defines the physical access devices to inventory.
PE-3g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
PE-3 g
(CCI-000926)
The organization changes combinations and keys in accordance with organization-defined frequency and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
PE-3 g
(CCI-000927)
The organization defines a frequency for changing combinations and keys.
INFORMATION SYSTEM ACCESS
PE-3 (1) The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].
PE-3 (1)
(CCI-000928)
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility where the information system resides at organization-defined physical spaces containing one or more components of the information system.
PE-3 (1)
(CCI-002926)
The organization defines the physical spaces containing one or more components of the information system that require physical access authorizations and controls at the facility where the information system resides.
FACILITY / INFORMATION SYSTEM BOUNDARIES
PE-3 (2) The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
PE-3 (2)
(CCI-000929)
The organization performs security checks in accordance with organization-defined frequency at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
PE-3 (2)
(CCI-002927)
The organization defines the frequency with which to perform security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
CONTINUOUS GUARDS / ALARMS / MONITORING
PE-3 (3) The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
PE-3 (3)
(CCI-000930)
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
LOCKABLE CASINGS
PE-3 (4) The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.
PE-3 (4)
(CCI-000931)
The organization uses lockable physical casings to protect organization-defined information system components from unauthorized physical access.
PE-3 (4)
(CCI-000932)
The organization defines information system components to be protected from unauthorized physical access using lockable physical casings.
TAMPER PROTECTION
PE-3 (5) The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system.
PE-3 (5)
(CCI-000933)
The organization employs organization-defined security safeguards to deter and/or prevent physical tampering or alteration of organization-defined hardware components within the information system.
PE-3 (5)
(CCI-002928)
The organization defines security safeguards to detect and prevent physical tampering or alteration of organization-defined hardware components within the information system.
PE-3 (5)
(CCI-002929)
The organization defines hardware components within the information system for which to employ organization-defined security safeguards to detect and prevent physical tampering or alteration.
FACILITY PENETRATION TESTING
PE-3 (6) The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.
PE-3 (6)
(CCI-000934)
The organization employs a penetration testing process that includes unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility on an organization-defined frequency.
PE-3 (6)
(CCI-000935)
The organization defines the frequency of unannounced attempts to be included in a penetration testing process to bypass or circumvent security controls associated with physical access points to the facility.
PE-4 PHYSICAL AND ENVIRONMENTAL PROTECTION : ACCESS CONTROL FOR TRANSMISSION MEDIUM
PE-4 The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].
PE-4
(CCI-000936)
The organization controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards.
PE-4
(CCI-002930)
The organization defines information system distribution and transmission lines within organizational facilities to control physical access to using organization-defined security safeguards.
PE-4
(CCI-002931)
The organization defines security safeguards to control physical access to organization-defined information system distribution and transmission lines within organizational facilities.
PE-5 PHYSICAL AND ENVIRONMENTAL PROTECTION : ACCESS CONTROL FOR OUTPUT DEVICES
PE-5 The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
PE-5
(CCI-000937)
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS
PE-5 (1) The organization:
PE-5 (1)(a) Controls physical access to output from [Assignment: organization-defined output devices]; and
PE-5 (1) (a)
(CCI-002932)
The organization controls physical access to output from organization-defined output devices.
PE-5 (1) (a)
(CCI-002933)
The organization defines output devices for which physical access to output is controlled.
PE-5 (1)(b) Ensures that only authorized individuals receive output from the device.
PE-5 (1) (b)
(CCI-002934)
The organization ensures that only authorized individuals receive output from organization-defined output devices.
ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY
PE-5 (2) The information system:
PE-5 (2)(a) Controls physical access to output from [Assignment: organization-defined output devices]; and
PE-5 (2) (a)
(CCI-002935)
The information system controls physical access to output from organization-defined output devices.
PE-5 (2)(b) Links individual identity to receipt of the output from the device.
PE-5 (2) (b)
(CCI-002936)
The information system links individual identity to receipt of output from organization-defined output devices.
MARKING OUTPUT DEVICES
PE-5 (3) The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device.
PE-5 (3)
(CCI-002937)
The organization marks organization-defined information system output devices indicating the appropriate security marking of the information permitted to be output from the device.
PE-5 (3)
(CCI-002938)
The organization defines the information system output devices marked indicating the appropriate security marking of the information permitted to be output from the device.
PE-6 PHYSICAL AND ENVIRONMENTAL PROTECTION : MONITORING PHYSICAL ACCESS
PE-6 The organization:
PE-6a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
PE-6 a
(CCI-002939)
The organization monitors physical access to the facility where the information system resides to detect and respond to physical security incidents.
PE-6b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
PE-6 b
(CCI-000939)
The organization reviews physical access logs in accordance with organization-defined frequency.
PE-6 b
(CCI-000940)
The organization defines a frequency for reviewing physical access logs.
PE-6 b
(CCI-002940)
The organization reviews physical access logs upon occurrence of organization-defined events or potential indications of events.
PE-6 b
(CCI-002941)
The organization defines events or potential indications of events requiring review of physical access logs.
PE-6c. Coordinates results of reviews and investigations with the organizational incident response capability.
PE-6 c
(CCI-000941)
The organization coordinates results of reviews and investigations with the organization's incident response capability.
INTRUSION ALARMS / SURVEILLANCE EQUIPMENT
PE-6 (1) The organization monitors physical intrusion alarms and surveillance equipment.
PE-6 (1)
(CCI-000942)
The organization monitors physical intrusion alarms and surveillance equipment.
AUTOMATED INTRUSION RECOGNITION / RESPONSES
PE-6 (2) The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions].
PE-6 (2)
(CCI-002942)
The organization employs automated mechanisms to recognize organization-defined classes/types of intrusions.
PE-6 (2)
(CCI-002943)
The organization defines classes/types of intrusions to recognize using automated mechanisms.
PE-6 (2)
(CCI-002944)
The organization employs automated mechanisms to initiate organization-defined response actions to organization-defined classes/types of intrusions.
PE-6 (2)
(CCI-002945)
The organization defines response actions to initiate when organization-defined classes/types of intrusions are recognized.
VIDEO SURVEILLANCE
PE-6 (3) The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period].
PE-6 (3)
(CCI-002946)
The organization employs video surveillance of organization-defined operational areas.
PE-6 (3)
(CCI-002947)
The organization defines the operational areas in which to employ video surveillance.
PE-6 (3)
(CCI-002948)
The organization retains video surveillance recordings for an organization-defined time period.
PE-6 (3)
(CCI-002949)
The organization defines the time period to retain video surveillance recordings.
MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS
PE-6 (4) The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].
PE-6 (4)
(CCI-002950)
The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as organization-defined physical spaces containing one or more components of the information system.
PE-6 (4)
(CCI-002951)
The organization defines physical spaces containing one or more components of the information system in which physical access is monitored.
PE-7 PHYSICAL AND ENVIRONMENTAL PROTECTION : VISITOR CONTROL
PE-7 [Withdrawn: Incorporated into PE-2 and PE-3].
PE-8 PHYSICAL AND ENVIRONMENTAL PROTECTION : VISITOR ACCESS RECORDS
PE-8 The organization:
PE-8a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
PE-8 a
(CCI-000947)
The organization maintains visitor access records to the facility where the information system resides for an organization-defined time period.
PE-8 a
(CCI-002952)
The organization defines the time period to maintain visitor access records to the facility where the information system resides.
PE-8b. Reviews visitor access records [Assignment: organization-defined frequency].
PE-8 b
(CCI-000948)
The organization reviews visitor access records in accordance with organization-defined frequency.
PE-8 b
(CCI-000949)
The organization defines the frequency with which to review the visitor access records for the facility where the information system resides.
AUTOMATED RECORDS MAINTENANCE / REVIEW
PE-8 (1) The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.
PE-8 (1)
(CCI-000950)
The organization employs automated mechanisms to facilitate the maintenance and review of access records.
PHYSICAL ACCESS RECORDS
PE-8 (2) [Withdrawn: Incorporated into PE-2].
PE-9 PHYSICAL AND ENVIRONMENTAL PROTECTION : POWER EQUIPMENT AND CABLING
PE-9 The organization protects power equipment and power cabling for the information system from damage and destruction.
PE-9
(CCI-000952)
The organization protects power equipment and power cabling for the information system from damage and destruction.
REDUNDANT CABLING
PE-9 (1) The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance].
PE-9 (1)
(CCI-002953)
The organization employs redundant power cabling paths that are physically separated by an organization-defined distance.
PE-9 (1)
(CCI-002954)
The organization defines the distance by which to physically separate redundant power cabling paths.
AUTOMATIC VOLTAGE CONTROLS
PE-9 (2) The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components].
PE-9 (2)
(CCI-000954)
The organization employs automatic voltage controls for organization-defined critical information system components.
PE-9 (2)
(CCI-000955)
The organization defines critical information system components that require automatic voltage controls.
PE-10 PHYSICAL AND ENVIRONMENTAL PROTECTION : EMERGENCY SHUTOFF
PE-10 The organization:
PE-10a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
PE-10 a
(CCI-000956)
The organization provides the capability of shutting off power to the information system or individual system components in emergency situations.
PE-10b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
PE-10 b
(CCI-000957)
The organization places emergency shutoff switches or devices in an organization-defined location by information system or system component to facilitate safe and easy access for personnel.
PE-10 b
(CCI-000958)
The organization defines a location for emergency shutoff switches or devices by information system or system component.
PE-10c. Protects emergency power shutoff capability from unauthorized activation.
PE-10 c
(CCI-000959)
The organization protects emergency power shutoff capability from unauthorized activation.
ACCIDENTAL / UNAUTHORIZED ACTIVATION
PE-10 (1) [Withdrawn: Incorporated into PE-10].
PE-11 PHYSICAL AND ENVIRONMENTAL PROTECTION : EMERGENCY POWER
PE-11 The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.
PE-11
(CCI-002955)
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system and/or transition of the information system to long-term alternate power in the event of a primary power source loss.
LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY
PE-11 (1) The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
PE-11 (1)
(CCI-000961)
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED
PE-11 (2) The organization provides a long-term alternate power supply for the information system that is:
PE-11 (2)(a) Self-contained;
PE-11 (2) (a)
(CCI-002956)
The organization provides a long-term alternate power supply for the information system that is self-contained.
PE-11 (2)(b) Not reliant on external power generation; and
PE-11 (2) (b)
(CCI-002957)
The organization provides a long-term alternate power supply for the information system that is not reliant on external power generation.
PE-11 (2)(c) Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source.
PE-11 (2) (c)
(CCI-002958)
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability or full operational capability in the event of an extended loss of the primary power source.
PE-12 PHYSICAL AND ENVIRONMENTAL PROTECTION : EMERGENCY LIGHTING
PE-12 The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
PE-12
(CCI-000963)
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
PE-12 (1) The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
PE-12 (1)
(CCI-002959)
The organization provides emergency lighting for all areas within the facility supporting essential missions.
PE-12 (1)
(CCI-002960)
The organization provides emergency lighting for all areas within the facility supporting essential business functions.
PE-13 PHYSICAL AND ENVIRONMENTAL PROTECTION : FIRE PROTECTION
PE-13 The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
PE-13
(CCI-000965)
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
DETECTION DEVICES / SYSTEMS
PE-13 (1) The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.
PE-13 (1)
(CCI-002961)
The organization employs fire detection devices/systems for the information system that activate automatically.
PE-13 (1)
(CCI-002962)
The organization employs fire detection devices/systems for the information system that automatically activate to notify organization-defined personnel or roles and organization-defined emergency responders in the event of a fire.
PE-13 (1)
(CCI-002963)
The organization defines the personnel or roles to be notified in the event of a fire.
PE-13 (1)
(CCI-002964)
The organization defines the emergency responders to be notified in the event of a fire.
SUPPRESSION DEVICES / SYSTEMS
PE-13 (2) The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].
PE-13 (2)
(CCI-002965)
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to organization-defined personnel or roles and organization-defined emergency responders.
PE-13 (2)
(CCI-002966)
The organization defines the personnel or roles to be automatically notified of any activation of fire suppression devices/systems for the information system.
PE-13 (2)
(CCI-002967)
The organization defines the emergency responders to be automatically notified of any activation of fire suppression devices/systems for the information system.
AUTOMATIC FIRE SUPPRESSION
PE-13 (3) The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
PE-13 (3)
(CCI-000968)
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
INSPECTIONS
PE-13 (4) The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period].
PE-13 (4)
(CCI-002968)
The organization ensures that the facility undergoes, on an organization-defined frequency, fire protection inspections by authorized and qualified inspectors.
PE-13 (4)
(CCI-002969)
The organization defines a frequency with which the facility undergoes fire protection inspections.
PE-13 (4)
(CCI-002970)
The organization resolves deficiencies identified during facility fire protection inspections within an organization-defined time period.
PE-13 (4)
(CCI-002971)
The organization defines the time period within which to resolve deficiencies identified during facility fire protection inspections.
PE-14 PHYSICAL AND ENVIRONMENTAL PROTECTION : TEMPERATURE AND HUMIDITY CONTROLS
PE-14 The organization:
PE-14a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
PE-14 a
(CCI-000971)
The organization maintains temperature and humidity levels within the facility where the information system resides at organization-defined acceptable levels.
PE-14 a
(CCI-000972)
The organization defines acceptable temperature and humidity levels to be maintained within the facility where the information system resides.
PE-14b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
PE-14 b
(CCI-000973)
The organization monitors temperature and humidity levels in accordance with organization-defined frequency.
PE-14 b
(CCI-000974)
The organization defines a frequency for monitoring temperature and humidity levels.
AUTOMATIC CONTROLS
PE-14 (1) The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
PE-14 (1)
(CCI-000975)
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
MONITORING WITH ALARMS / NOTIFICATIONS
PE-14 (2) The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
PE-14 (2)
(CCI-000976)
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
PE-15 PHYSICAL AND ENVIRONMENTAL PROTECTION : WATER DAMAGE PROTECTION
PE-15 The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
PE-15
(CCI-000977)
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible.
PE-15
(CCI-000978)
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are working properly.
PE-15
(CCI-000979)
Key personnel have knowledge of the master water shutoff or isolation valves.
AUTOMATION SUPPORT
PE-15 (1) The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles].
PE-15 (1)
(CCI-002972)
The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts organization-defined personnel or roles.
PE-15 (1)
(CCI-002973)
The organization defines the personnel or roles to be alerted when automated mechanisms detect the presence of water in the vicinity of the information system.
PE-16 PHYSICAL AND ENVIRONMENTAL PROTECTION : DELIVERY AND REMOVAL
PE-16 The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
PE-16
(CCI-000981)
The organization authorizes organization-defined types of information system components entering and exiting the facility.
PE-16
(CCI-000982)
The organization monitors organization-defined types of information system components entering and exiting the facility.
PE-16
(CCI-000983)
The organization controls organization-defined types of information system components entering and exiting the facility.
PE-16
(CCI-000984)
The organization maintains records of information system components entering and exiting the facility.
PE-16
(CCI-002974)
The organization defines types of information system components to authorize, monitor, and control entering and exiting the facility and to maintain records.
PE-17 PHYSICAL AND ENVIRONMENTAL PROTECTION : ALTERNATE WORK SITE
PE-17 The organization:
PE-17a. Employs [Assignment: organization-defined security controls] at alternate work sites;
PE-17 a
(CCI-000985)
The organization employs organization-defined security controls at alternate work sites.
PE-17 a
(CCI-002975)
The organization defines security controls to employ at alternate work sites.
PE-17b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
PE-17 b
(CCI-000987)
The organization assesses as feasible, the effectiveness of security controls at alternate work sites.
PE-17c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
PE-17 c
(CCI-000988)
The organization provides a means for employees to communicate with information security personnel in case of security incidents or problems.
PE-18 PHYSICAL AND ENVIRONMENTAL PROTECTION : LOCATION OF INFORMATION SYSTEM COMPONENTS
PE-18 The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
PE-18
(CCI-000989)
The organization positions information system components within the facility to minimize potential damage from organization-defined physical and environmental hazards.
PE-18
(CCI-000991)
The organization positions information system components within the facility to minimize the opportunity for unauthorized access.
PE-18
(CCI-002976)
The organization defines physical and environmental hazards that could cause potential damage to information system components within the facility.
FACILITY SITE
PE-18 (1) The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
PE-18 (1)
(CCI-002977)
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards.
PE-18 (1)
(CCI-002978)
The organization considers the physical and environmental hazards in its risk mitigation strategy for existing facilities.
PE-19 PHYSICAL AND ENVIRONMENTAL PROTECTION : INFORMATION LEAKAGE
PE-19 The organization protects the information system from information leakage due to electromagnetic signals emanations.
PE-19
(CCI-000993)
The organization protects the information system from information leakage due to electromagnetic signals emanations.
NATIONAL EMISSIONS / TEMPEST POLICIES AND PROCEDURES
PE-19 (1) The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information.
PE-19 (1)
(CCI-000994)
The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information.
PE-20 PHYSICAL AND ENVIRONMENTAL PROTECTION : ASSET MONITORING AND TRACKING
PE-20 The organization:
PE-20a. Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and
PE-20 a
(CCI-002979)
The organization employs organization-defined asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.
PE-20 a
(CCI-002980)
The organization defines asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.
PE-20 a
(CCI-002981)
The organization defines the assets within the organization-defined controlled areas which are to be tracked and monitored for their location and movement.
PE-20 a
(CCI-002982)
The organization defines controlled areas where the location and movement of organization-defined assets are tracked and monitored.
PE-20b. Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
PE-20 b
(CCI-002983)
The organization ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
PL-1 PLANNING : SECURITY PLANNING POLICY AND PROCEDURES
PL-1 The organization:
PL-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
PL-1a.1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
PL-1 a 1
(CCI-000563)
The organization develops and documents a security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
PL-1 a 1
(CCI-000564)
The organization disseminates a security planning policy to organization-defined personnel or roles.
PL-1 a 1
(CCI-003047)
The organization defines the personnel or roles to whom a security planning policy is disseminated.
PL-1a.2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
PL-1 a 2
(CCI-000566)
The organization develops and documents procedures to facilitate the implementation of the security planning policy and associated security planning controls.
PL-1 a 2
(CCI-000567)
The organization disseminates security planning procedures to organization-defined personnel or roles.
PL-1 a 2
(CCI-003048)
The organization defines the personnel or roles to whom the security planning procedures are disseminated.
PL-1b. Reviews and updates the current:
PL-1b.1. Security planning policy [Assignment: organization-defined frequency]; and
PL-1 b 1
(CCI-001636)
The organization defines the frequency with which to review and update the current security planning policy.
PL-1 b 1
(CCI-001637)
The organization reviews and updates the current security planning policy in accordance with organization-defined frequency.
PL-1b.2. Security planning procedures [Assignment: organization-defined frequency].
PL-1 b 2
(CCI-001638)
The organization defines the frequency with which to review and update the current security planning procedures.
PL-1 b 2
(CCI-000568)
The organization reviews and updates the current security planning procedures in accordance with organization-defined frequency.
PL-2 PLANNING : SYSTEM SECURITY PLAN
PL-2 The organization:
PL-2a. Develops a security plan for the information system that:
PL-2 a
(CCI-003049)
The organization develops a security plan for the information system.
PL-2a.1. Is consistent with the organization's enterprise architecture;
PL-2 a 1
(CCI-003050)
The organization's security plan for the information system is consistent with the organization's enterprise architecture.
PL-2a.2. Explicitly defines the authorization boundary for the system;
PL-2 a 2
(CCI-003051)
The organization's security plan for the information system explicitly defines the authorization boundary for the system.
PL-2a.3. Describes the operational context of the information system in terms of missions and business processes;
PL-2 a 3
(CCI-003052)
The organization's security plan for the information system describes the operational context of the information system in terms of missions and business processes.
PL-2a.4. Provides the security categorization of the information system including supporting rationale;
PL-2 a 4
(CCI-003053)
The organization's security plan for the information system provides the security categorization of the information system, including supporting rationale.
PL-2a.5. Describes the operational environment for the information system and relationships with or connections to other information systems;
PL-2 a 5
(CCI-003054)
The organization's security plan for the information system describes the operational environment for the information system and relationships with, or connections to, other information systems.
PL-2a.6. Provides an overview of the security requirements for the system;
PL-2 a 6
(CCI-003055)
The organization's security plan for the information system provides an overview of the security requirements for the system.
PL-2a.7. Identifies any relevant overlays, if applicable;
PL-2 a 7
(CCI-003056)
The organization's security plan for the information system identifies any relevant overlays, if applicable.
PL-2a.8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
PL-2 a 8
(CCI-003057)
The organization's security plan for the information system describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring decisions.
PL-2a.9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
PL-2 a 9
(CCI-000571)
The organization's security plan for the information system is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
PL-2b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
PL-2 b
(CCI-003058)
The organization distributes copies of the security plan to organization-defined personnel or roles.
PL-2 b
(CCI-003059)
The organization distributes copies of the security plan to organization-defined personnel or roles.
PL-2 b
(CCI-003060)
The organization defines the personnel or roles to whom copies of the security plan are distributed.
PL-2 b
(CCI-003061)
The organization communicates subsequent changes to the security plan to organization-defined personnel or roles.
PL-2 b
(CCI-003062)
The organization defines the personnel or roles to whom changes to the security plan are communicated.
PL-2c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
PL-2 c
(CCI-000572)
The organization defines the frequency for reviewing the security plan for the information system.
PL-2 c
(CCI-000573)
The organization reviews the security plan for the information system in accordance with organization-defined frequency.
PL-2d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
PL-2 d
(CCI-000574)
The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
PL-2e. Protects the security plan from unauthorized disclosure and modification.
PL-2 e
(CCI-003063)
The organization protects the security plan from unauthorized disclosure.
PL-2 e
(CCI-003064)
The organization protects the security plan from unauthorized modification.
CONCEPT OF OPERATIONS
PL-2 (1) [Withdrawn: Incorporated into PL-7].
FUNCTIONAL ARCHITECTURE
PL-2 (2) [Withdrawn: Incorporated into PL-8].
PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES
PL-2 (3) The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.
PL-2 (3)
(CCI-003065)
The organization plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities.
PL-2 (3)
(CCI-003066)
The organization defines the individuals or groups with whom security-related activities are planned and coordinated.
PL-2 (3)
(CCI-003067)
The organization defines the individuals or groups with whom security-related activities are planned and coordinated.
PL-3 PLANNING : SYSTEM SECURITY PLAN UPDATE
PL-3 [Withdrawn: Incorporated into PL-2].
PL-4 PLANNING : RULES OF BEHAVIOR
PL-4 The organization:
PL-4a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
PL-4 a
(CCI-001639)
The organization makes readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behavior with regard to information and information system usage.
PL-4 a
(CCI-000592)
The organization establishes the rules describing the responsibilities and expected behavior, with regard to information and information system usage, for individuals requiring access to the information system.
PL-4b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
PL-4 b
(CCI-000593)
The organization receives a signed acknowledgment from individuals requiring access to the information system, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
PL-4c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
PL-4 c
(CCI-003068)
The organization reviews and updates the rules of behavior in accordance with organization-defined frequency.
PL-4 c
(CCI-003069)
The organization defines the frequency with which to review and update the rules of behavior.
PL-4d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.
PL-4 d
(CCI-003070)
The organization requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.
SOCIAL MEDIA AND NETWORKING RESTRICTIONS
PL-4 (1) The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.
PL-4 (1)
(CCI-000594)
The organization includes in the rules of behavior explicit restrictions on the use of social media/networking sites.
PL-4 (1)
(CCI-000595)
The organization includes in the rules of behavior explicit restrictions on posting organizational information on public websites.
PL-5 PLANNING : PRIVACY IMPACT ASSESSMENT
PL-5 [Withdrawn: Incorporated into Appendix J, AR-2].
PL-6 PLANNING : SECURITY-RELATED ACTIVITY PLANNING
PL-6 [Withdrawn: Incorporated into PL-2].
PL-7 PLANNING : SECURITY CONCEPT OF OPERATIONS
PL-7 The organization:
PL-7a. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and
PL-7 a
(CCI-003071)
The organization develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum, how the organization intends to operate the system from the perspective of information security.
PL-7b. Reviews and updates the CONOPS [Assignment: organization-defined frequency].
PL-7 b
(CCI-000577)
The organization defines the frequency with which to review and update the security CONOPS.
PL-7 b
(CCI-000578)
The organization reviews and updates the security CONOPS in accordance with organization-defined frequency.
PL-8 PLANNING : INFORMATION SECURITY ARCHITECTURE
PL-8 The organization:
PL-8a. Develops an information security architecture for the information system that:
PL-8 a
(CCI-003072)
The organization develops an information security architecture for the information system.
PL-8a.1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
PL-8 a 1
(CCI-003073)
The organization's information security architecture for the information system describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information.
PL-8a.2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
PL-8 a 2
(CCI-003074)
The organization's information security architecture for the information system describes how the information security architecture is integrated into and supports the enterprise architecture.
PL-8a.3. Describes any information security assumptions about, and dependencies on, external services;
PL-8 a 3
(CCI-003075)
The organization's information security architecture for the information system describes any information security assumptions about, and dependencies on, external services.
PL-8b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
PL-8 b
(CCI-003076)
The organization reviews and updates the information security architecture in accordance with organization-defined frequency to reflect updates in the enterprise architecture.
PL-8 b
(CCI-003077)
The organization defines the frequency with which to review and update the information system architecture.
PL-8c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.
PL-8 c
(CCI-003078)
The organization ensures that planned information security architecture changes are reflected in the security plan.
PL-8 c
(CCI-003079)
The organization ensures that planned information security architecture changes are reflected in the security Concept of Operations (CONOPS).
PL-8 c
(CCI-003080)
The organization ensures that planned information security architecture changes are reflected in organizational procurements/acquisitions.
DEFENSE-IN-DEPTH
PL-8 (1) The organization designs its security architecture using a defense-in-depth approach that:
PL-8 (1)(a) Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and
PL-8 (1) (a)
(CCI-003081)
The organization designs its security architecture using a defense-in-depth approach that allocates organization-defined security safeguards to organization-defined locations.
PL-8 (1) (a)
(CCI-003082)
The organization designs its security architecture using a defense-in-depth approach that allocates organization-defined security safeguards to organization-defined architectural layers.
PL-8 (1) (a)
(CCI-003083)
The organization defines the security safeguards to be allocated to organization-defined locations.
PL-8 (1) (a)
(CCI-003084)
The organization defines the security safeguards to be allocated to organization-defined architectural layers.
PL-8 (1) (a)
(CCI-003085)
The organization defines the locations to which it allocates organization-defined security safeguards in the security architecture.
PL-8 (1) (a)
(CCI-003086)
The organization defines the architectural layers to which it allocates organization-defined security safeguards in the security architecture.
PL-8 (1)(b) Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.
PL-8 (1) (b)
(CCI-003087)
The organization designs its security architecture using a defense-in-depth approach that ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.
SUPPLIER DIVERSITY
PL-8 (2) The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers.
PL-8 (2)
(CCI-003088)
The organization requires that organization-defined security safeguards allocated to organization-defined locations and architectural layers be obtained from different suppliers.
PL-9 PLANNING : CENTRAL MANAGEMENT
PL-9 The organization centrally manages [Assignment: organization-defined security controls and related processes].
PL-9
(CCI-003117)
The organization centrally manages organization-defined security controls and related processes.
PL-9
(CCI-003118)
The organization defines security controls and related processes to be centrally managed.
PS-1 PERSONNEL SECURITY : PERSONNEL SECURITY POLICY AND PROCEDURES
PS-1 The organization:
PS-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
PS-1a.1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
PS-1 a 1
(CCI-001504)
The organization develops and documents a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
PS-1 a 1
(CCI-001505)
The organization disseminates a personnel security policy to organization-defined personnel or roles.
PS-1 a 1
(CCI-003017)
The organization defines the personnel or roles to whom a personnel security policy is disseminated.
PS-1a.2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
PS-1 a 2
(CCI-001509)
The organization develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
PS-1 a 2
(CCI-001510)
The organization disseminates personnel security procedures to organization-defined personnel or roles.
PS-1 a 2
(CCI-003018)
The organization defines the personnel or roles to whom the personnel security procedures are disseminated.
PS-1b. Reviews and updates the current:
PS-1b.1. Personnel security policy [Assignment: organization-defined frequency]; and
PS-1 b 1
(CCI-001506)
The organization reviews and updates the current personnel security policy in accordance with organization-defined frequency.
PS-1 b 1
(CCI-001507)
The organization defines the frequency with which to review and update the current personnel security policy.
PS-1b.2. Personnel security procedures [Assignment: organization-defined frequency].
PS-1 b 2
(CCI-001508)
The organization defines the frequency with which to review and update the current personnel security procedures.
PS-1 b 2
(CCI-001511)
The organization reviews and updates the current personnel security procedures in accordance with organization-defined frequency.
PS-2 PERSONNEL SECURITY : POSITION RISK DESIGNATION
PS-2 The organization:
PS-2a. Assigns a risk designation to all organizational positions;
PS-2 a
(CCI-001512)
The organization assigns a risk designation to all organizational positions.
PS-2b. Establishes screening criteria for individuals filling those positions; and
PS-2 b
(CCI-001513)
The organization establishes screening criteria for individuals filling organizational positions.
PS-2c. Reviews and updates position risk designations [Assignment: organization-defined frequency].
PS-2 c
(CCI-001514)
The organization reviews and updates position risk designations in accordance with organization-defined frequency.
PS-2 c
(CCI-001515)
The organization defines the frequency with which to review and update position risk designations.
PS-3 PERSONNEL SECURITY : PERSONNEL SCREENING
PS-3 The organization:
PS-3a. Screens individuals prior to authorizing access to the information system; and
PS-3 a
(CCI-001516)
The organization screens individuals prior to authorizing access to the information system.
PS-3b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
PS-3 b
(CCI-001517)
The organization rescreens individuals with authorized access to the information system according to organization-defined conditions requiring rescreening, and where rescreening is so indicated, on the organization-defined frequency of such rescreening.
PS-3 b
(CCI-001518)
The organization defines the conditions requiring rescreening of individuals with authorized access to the information system.
PS-3 b
(CCI-001519)
The organization defines the frequency for rescreening individuals with authorized access to the information system when organization-defined conditions requiring rescreening are met.
CLASSIFIED INFORMATION
PS-3 (1) The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
PS-3 (1)
(CCI-001520)
The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
FORMAL INDOCTRINATION
PS-3 (2) The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.
PS-3 (2)
(CCI-001521)
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.
INFORMATION WITH SPECIAL PROTECTION MEASURES
PS-3 (3) The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
PS-3 (3)(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
PS-3 (3) (a)
(CCI-003019)
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties.
PS-3 (3)(b) Satisfy [Assignment: organization-defined additional personnel screening criteria].
PS-3 (3) (b)
(CCI-003020)
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection satisfy organization-defined additional personnel screening criteria.
PS-3 (3) (b)
(CCI-003021)
The organization defines additional personnel screening criteria that individuals accessing an information system processing, storing, or transmitting information requiring special protection must satisfy.
PS-4 PERSONNEL SECURITY : PERSONNEL TERMINATION
PS-4 The organization, upon termination of individual employment:
PS-4a. Disables information system access within [Assignment: organization-defined time period];
PS-4 a
(CCI-001522)
The organization, upon termination of individual employment, disables information system access within an organization-defined time period.
PS-4 a
(CCI-003022)
The organization defines the time period within which to disable information system access upon termination of individual employment.
PS-4b. Terminates/revokes any authenticators/credentials associated with the individual;
PS-4 b
(CCI-003023)
The organization, upon termination of individual employment, terminates/revokes any authenticators/credentials associated with the individual.
PS-4c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
PS-4 c
(CCI-001523)
The organization, upon termination of individual employment, conducts exit interviews that include a discussion of organization-defined information security topics.
PS-4 c
(CCI-003024)
The organization defines information security topics to be discussed while conducting exit interviews.
PS-4d. Retrieves all security-related organizational information system-related property;
PS-4 d
(CCI-001524)
The organization, upon termination of individual employment, retrieves all security-related organizational information system-related property.
PS-4e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
PS-4 e
(CCI-001525)
The organization, upon termination of individual employment, retains access to organizational information formerly controlled by the terminated individual.
PS-4 e
(CCI-001526)
The organization, upon termination of individual employment, retains access to organizational information systems formerly controlled by the terminated individual.
PS-4f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
PS-4 f
(CCI-003016)
The organization, upon termination of individual employment, notifies organization-defined personnel or roles within an organization-defined time period.
PS-4 f
(CCI-003025)
The organization defines personnel or roles to notify upon termination of individual employment.
PS-4 f
(CCI-003026)
The organization defines the time period within which to notify organization-defined personnel or roles upon termination of individual employment.
POST-EMPLOYMENT REQUIREMENTS
PS-4 (1) The organization:
PS-4 (1)(a) Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
PS-4 (1) (a)
(CCI-003027)
The organization notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information.
PS-4 (1)(b) Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
PS-4 (1) (b)
(CCI-003028)
The organization requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
AUTOMATED NOTIFICATION
PS-4 (2) The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual.
PS-4 (2)
(CCI-003029)
The organization employs automated mechanisms to notify organization-defined personnel or roles upon termination of an individual.
PS-4 (2)
(CCI-003030)
The organization defines the personnel or roles to be notified by automated mechanism upon termination of an individual.
PS-5 PERSONNEL SECURITY : PERSONNEL TRANSFER
PS-5 The organization:
PS-5a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
PS-5 a
(CCI-001527)
The organization reviews and confirms the ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization.
PS-5b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
PS-5 b
(CCI-001528)
The organization initiates organization-defined transfer or reassignment actions within an organization-defined time period following the formal personnel transfer action.
PS-5 b
(CCI-001529)
The organization defines transfer or reassignment actions to initiate within an organization-defined time period following the formal personnel transfer action.
PS-5 b
(CCI-001530)
The organization defines the time period within which the organization initiates organization-defined transfer or reassignment actions following the formal personnel transfer action.
PS-5c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
PS-5 c
(CCI-003031)
The organization modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer.
PS-5d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
PS-5 d
(CCI-003032)
The organization notifies organization-defined personnel or roles within an organization-defined time period when individuals are transferred or reassigned to other positions within the organization.
PS-5 d
(CCI-003033)
The organization defines personnel or roles to be notified when individuals are transferred or reassigned to other positions within the organization.
PS-5 d
(CCI-003034)
The organization defines the time period within which organization-defined personnel or roles are to be notified when individuals are transferred or reassigned to other positions within the organization.
PS-6 PERSONNEL SECURITY : ACCESS AGREEMENTS
PS-6 The organization:
PS-6a. Develops and documents access agreements for organizational information systems;
PS-6 a
(CCI-003035)
The organization develops and documents access agreements for organizational information systems.
PS-6b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
PS-6 b
(CCI-001532)
The organization reviews and updates access agreements for organizational information systems in accordance with organization-defined frequency.
PS-6 b
(CCI-001533)
The organization defines the frequency with which to review and update access agreements for organizational information systems.
PS-6c. Ensures that individuals requiring access to organizational information and information systems:
PS-6c.1. Sign appropriate access agreements prior to being granted access; and
PS-6 c 1
(CCI-001531)
The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
PS-6c.2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
PS-6 c 2
(CCI-003036)
The organization ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or in accordance with organization-defined frequency.
PS-6 c 2
(CCI-003037)
The organization defines the frequency for individuals requiring access to organizational information and information systems to re-sign access agreements.
INFORMATION REQUIRING SPECIAL PROTECTION
PS-6 (1) [Withdrawn: Incorporated into PS-3].
CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION
PS-6 (2) The organization ensures that access to classified information requiring special protection is granted only to individuals who:
PS-6 (2)(a) Have a valid access authorization that is demonstrated by assigned official government duties;
PS-6 (2) (a)
(CCI-001536)
The organization ensures that access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties.
PS-6 (2)(b) Satisfy associated personnel security criteria; and
PS-6 (2) (b)
(CCI-001537)
The organization ensures that access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria.
PS-6 (2)(c) Have read, understood, and signed a nondisclosure agreement.
PS-6 (2) (c)
(CCI-001538)
The organization ensures that access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a nondisclosure agreement.
POST-EMPLOYMENT REQUIREMENTS
PS-6 (3) The organization:
PS-6 (3)(a) Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
PS-6 (3) (a)
(CCI-003038)
The organization notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information.
PS-6 (3)(b) Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.
PS-6 (3) (b)
(CCI-003039)
The organization requires individuals to sign an acknowledgment of legally binding post-employment requirements for protection of organizational information, if applicable, as part of granting initial access to covered information.
PS-7 PERSONNEL SECURITY : THIRD-PARTY PERSONNEL SECURITY
PS-7 The organization:
PS-7a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
PS-7 a
(CCI-001539)
The organization establishes personnel security requirements including security roles and responsibilities for third-party providers.
PS-7b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
PS-7 b
(CCI-003040)
The organization requires third-party providers to comply with personnel security policies and procedures established by the organization.
PS-7c. Documents personnel security requirements;
PS-7 c
(CCI-001540)
The organization documents personnel security requirements for third-party providers.
PS-7d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
PS-7 d
(CCI-003041)
The organization requires third-party providers to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within an organization-defined time period.
PS-7 d
(CCI-003042)
The organization defines personnel or roles whom third-party providers are to notify when third-party personnel who possess organizational credentials and/or badges or who have information system privileges are transferred or terminated.
PS-7 d
(CCI-003043)
The organization defines the time period for third-party providers to notify organization-defined personnel or roles when third-party personnel who possess organizational credentials and/or badges or who have information system privileges are transferred or terminated.
PS-7e. Monitors provider compliance.
PS-7 e
(CCI-001541)
The organization monitors third-party provider compliance with personnel security requirements.
PS-8 PERSONNEL SECURITY : PERSONNEL SANCTIONS
PS-8 The organization:
PS-8a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
PS-8 a
(CCI-001542)
The organization employs a formal sanctions process for individuals failing to comply with established information security policies and procedures.
PS-8b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
PS-8 b
(CCI-003044)
The organization notifies organization-defined personnel or roles within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
PS-8 b
(CCI-003045)
The organization defines personnel or roles who are to be notified when a formal employee sanctions process is initiated.
PS-8 b
(CCI-003046)
The organization defines the time period within which to notify organization-defined personnel or roles when a formal employee sanctions process is initiated.
RA-1 RISK ASSESSMENT : RISK ASSESSMENT POLICY AND PROCEDURES
RA-1 The organization:
RA-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
RA-1a.1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
RA-1 a 1
(CCI-001037)
The organization develops and documents a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
RA-1 a 1
(CCI-001038)
The organization disseminates a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to organization-defined personnel or roles.
RA-1 a 1
(CCI-002368)
The organization defines the personnel or roles to whom the risk assessment policy is disseminated.
RA-1a.2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
RA-1 a 2
(CCI-001041)
The organization develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.
RA-1 a 2
(CCI-001042)
The organization disseminates risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls to organization-defined personnel or roles.
RA-1 a 2
(CCI-002369)
The organization defines the personnel or roles to whom the risk assessment procedures are disseminated.
RA-1b. Reviews and updates the current:
RA-1b.1. Risk assessment policy [Assignment: organization-defined frequency]; and
RA-1 b 1
(CCI-001039)
The organization reviews and updates the current risk assessment policy in accordance with organization-defined frequency.
RA-1 b 1
(CCI-001040)
The organization defines the frequency with which to review and update the current risk assessment policy.
RA-1b.2. Risk assessment procedures [Assignment: organization-defined frequency].
RA-1 b 2
(CCI-001043)
The organization reviews and updates the current risk assessment procedures in accordance with organization-defined frequency.
RA-1 b 2
(CCI-001044)
The organization defines the frequency with which to review and update the current risk assessment procedures.
RA-2 RISK ASSESSMENT : SECURITY CATEGORIZATION
RA-2 The organization:
RA-2a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
RA-2 a
(CCI-001045)
The organization categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
RA-2b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
RA-2 b
(CCI-001046)
The organization documents the security categorization results (including supporting rationale) in the security plan for the information system.
RA-2c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
RA-2 c
(CCI-001047)
The organization ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
RA-3 RISK ASSESSMENT : RISK ASSESSMENT
RA-3 The organization:
RA-3a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
RA-3 a
(CCI-001048)
The organization conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction.
RA-3b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
RA-3 b
(CCI-001642)
The organization defines the organizational document in which risk assessment results are documented (e.g., security plan, risk assessment report).
RA-3 b
(CCI-001049)
The organization documents risk assessment results in the organization-defined document.
RA-3c. Reviews risk assessment results [Assignment: organization-defined frequency];
RA-3 c
(CCI-001050)
The organization reviews risk assessment results on an organization-defined frequency.
RA-3 c
(CCI-001051)
The organization defines a frequency for reviewing risk assessment results.
RA-3d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
RA-3 d
(CCI-002370)
The organization disseminates risk assessment results to organization-defined personnel or roles.
RA-3 d
(CCI-002371)
The organization defines the personnel or roles to whom the risk assessment results will be disseminated.
RA-3e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
RA-3 e
(CCI-001052)
The organization updates the risk assessment on an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
RA-3 e
(CCI-001053)
The organization defines a frequency for updating the risk assessment.
RA-4 RISK ASSESSMENT : RISK ASSESSMENT UPDATE
RA-4 [Withdrawn: Incorporated into RA-3].
RA-5 RISK ASSESSMENT : VULNERABILITY SCANNING
RA-5 The organization:
RA-5a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
RA-5 a
(CCI-001641)
The organization defines the process for conducting random vulnerability scans on the information system and hosted applications.
RA-5 a
(CCI-001643)
The organization scans for vulnerabilities in the information system and hosted applications in accordance with the organization-defined process for random scans.
RA-5 a
(CCI-001054)
The organization scans for vulnerabilities in the information system and hosted applications on an organization-defined frequency.
RA-5 a
(CCI-001055)
The organization defines a frequency for scanning for vulnerabilities in the information system and hosted applications.
RA-5 a
(CCI-001056)
The organization scans for vulnerabilities in the information system and hosted applications when new vulnerabilities potentially affecting the system/applications are identified and reported.
RA-5b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
RA-5b.1. Enumerating platforms, software flaws, and improper configurations;
RA-5b.2. Formatting checklists and test procedures; and
RA-5b.3. Measuring vulnerability impact;
RA-5 b
(CCI-001057)
The organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: enumerating platforms, software flaws, and improper configurations; formatting checklists and test procedures; and measuring vulnerability impact.
RA-5c. Analyzes vulnerability scan reports and results from security control assessments;
RA-5 c
(CCI-001058)
The organization analyzes vulnerability scan reports and results from security control assessments.
RA-5d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
RA-5 d
(CCI-001059)
The organization remediates legitimate vulnerabilities in organization-defined response times in accordance with an organizational assessment of risk.
RA-5 d
(CCI-001060)
The organization defines response times for remediating legitimate vulnerabilities in accordance with an organizational assessment of risk.
RA-5e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
RA-5 e
(CCI-001061)
The organization shares information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
RA-5 e
(CCI-002376)
The organization defines the personnel or roles with whom the information obtained from the vulnerability scanning process and security control assessments will be shared.
UPDATE TOOL CAPABILITY
RA-5 (1) The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
RA-5 (1)
(CCI-001062)
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED
RA-5 (2) The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].
RA-5 (2)
(CCI-001063)
The organization updates the information system vulnerabilities scanned on an organization-defined frequency, prior to a new scan, and/or when new vulnerabilities are identified and reported.
RA-5 (2)
(CCI-001064)
The organization defines a frequency for updating the information system vulnerabilities scanned.
BREADTH / DEPTH OF COVERAGE
RA-5 (3) The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
RA-5 (3)
(CCI-002373)
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
DISCOVERABLE INFORMATION
RA-5 (4) The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions].
RA-5 (4)
(CCI-001066)
The organization determines what information about the information system is discoverable by adversaries.
RA-5 (4)
(CCI-002374)
The organization defines the corrective actions when information about the information system is discoverable by adversaries.
RA-5 (4)
(CCI-002375)
The organization takes organization-defined corrective actions when information about the information system is discoverable by adversaries.
PRIVILEGED ACCESS
RA-5 (5) The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].
RA-5 (5)
(CCI-001645)
The organization identifies the information system components to which privileged access is authorized for selected organization-defined vulnerability scanning activities.
RA-5 (5)
(CCI-001067)
The information system implements privileged access authorization to organization-identified information system components for selected organization-defined vulnerability scanning activities.
RA-5 (5)
(CCI-002906)
The organization defines the vulnerability scanning activities in which the information system implements privileged access authorization to organization-identified information system components.
AUTOMATED TREND ANALYSES
RA-5 (6) The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
RA-5 (6)
(CCI-001068)
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS
RA-5 (7) [Withdrawn: Incorporated into CM-8].
REVIEW HISTORIC AUDIT LOGS
RA-5 (8) The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
RA-5 (8)
(CCI-001071)
The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
PENETRATION TESTING AND ANALYSES
RA-5 (9) [Withdrawn: Incorporated into CA-8].
CORRELATE SCANNING INFORMATION
RA-5 (10) The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
RA-5 (10)
(CCI-002372)
The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
RA-6 RISK ASSESSMENT : TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY
RA-6 The organization employs a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined events or indicators occur]].
RA-6
(CCI-003119)
The organization employs a technical surveillance countermeasures survey at organization-defined locations on an organization-defined frequency or when organization-defined events or indicators occur.
RA-6
(CCI-003120)
The organization defines the locations where technical surveillance countermeasures surveys are to be employed.
RA-6
(CCI-003121)
The organization defines the frequency on which to employ technical surveillance countermeasures surveys.
RA-6
(CCI-003122)
The organization defines the events or indicators upon which technical surveillance countermeasures surveys are to be employed.
SA-1 SYSTEM AND SERVICES ACQUISITION : SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
SA-1 The organization:
SA-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
SA-1a.1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
SA-1 a 1
(CCI-000602)
The organization develops and documents a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
SA-1 a 1
(CCI-000603)
The organization disseminates to organization-defined personnel or roles a system and services acquisition policy.
SA-1 a 1
(CCI-003089)
The organization defines the personnel or roles to whom the system and services acquisition policy is disseminated.
SA-1a.2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
SA-1 a 2
(CCI-000605)
The organization develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
SA-1 a 2
(CCI-000606)
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
SA-1 a 2
(CCI-003090)
The organization defines the personnel or roles to whom procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are disseminated.
SA-1b. Reviews and updates the current:
SA-1b.1. System and services acquisition policy [Assignment: organization-defined frequency]; and
SA-1 b 1
(CCI-000601)
The organization defines the frequency with which to review and update the current system and services acquisition policy.
SA-1 b 1
(CCI-000604)
The organization reviews and updates the current system and services acquisition policy in accordance with organization-defined frequency.
SA-1b.2. System and services acquisition procedures [Assignment: organization-defined frequency].
SA-1 b 2
(CCI-000607)
The organization reviews and updates the current system and services acquisition procedures in accordance with organization-defined frequency.
SA-1 b 2
(CCI-001646)
The organization defines the frequency with which to review and update the current system and services acquisition procedures.
SA-2 SYSTEM AND SERVICES ACQUISITION : ALLOCATION OF RESOURCES
SA-2 The organization:
SA-2a. Determines information security requirements for the information system or information system service in mission/business process planning;
SA-2b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
SA-2 b
(CCI-000610)
The organization determines the resources required to protect the information system or information system service as part of its capital planning and investment control process.
SA-2 b
(CCI-000611)
The organization documents the resources required to protect the information system or information system service as part of its capital planning and investment control process.
SA-2 b
(CCI-000612)
The organization allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process.
SA-2c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
SA-2 c
(CCI-000613)
The organization establishes a discrete line item for information security in organizational programming documentation.
SA-2 c
(CCI-000614)
The organization establishes a discrete line item for information security in organizational budgeting documentation.
SA-3 SYSTEM AND SERVICES ACQUISITION : SYSTEM DEVELOPMENT LIFE CYCLE
SA-3 The organization:
SA-3a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
SA-3 a
(CCI-000615)
The organization manages the information system using an organization-defined system development life cycle that incorporates information security considerations.
SA-3 a
(CCI-003092)
The organization defines a system development life cycle that is used to manage the information system.
SA-3b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
SA-3 b
(CCI-000616)
The organization defines and documents information system security roles and responsibilities throughout the system development life cycle.
SA-3c. Identifies individuals having information security roles and responsibilities; and
SA-3 c
(CCI-000618)
The organization identifies individuals having information system security roles and responsibilities.
SA-3d. Integrates the organizational information security risk management process into system development life cycle activities.
SA-3 d
(CCI-003093)
The organization integrates the organizational information security risk management process into system development life cycle activities.
SA-4 SYSTEM AND SERVICES ACQUISITION : ACQUISITION PROCESS
SA-4 The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
SA-4a. Security functional requirements;
SA-4 a
(CCI-003094)
The organization includes the security functional requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
SA-4b. Security strength requirements;
SA-4 b
(CCI-003095)
The organization includes the security strength requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
SA-4c. Security assurance requirements;
SA-4 c
(CCI-003096)
The organization includes the security assurance requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
SA-4d. Security-related documentation requirements;
SA-4 d
(CCI-003097)
The organization includes the security-related documentation requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
SA-4e. Requirements for protecting security-related documentation;
SA-4 e
(CCI-003098)
The organization includes requirements for protecting security-related documentation, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
SA-4f. Description of the information system development environment and environment in which the system is intended to operate; and
SA-4 f
(CCI-003099)
The organization includes a description of the information system development environment and environment in which the system is intended to operate, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
SA-4g. Acceptance criteria.
SA-4 g
(CCI-003100)
The organization includes acceptance criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.
FUNCTIONAL PROPERTIES OF SECURITY CONTROLS
SA-4 (1) The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
SA-4 (1)
(CCI-000623)
The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS
SA-4 (2) The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].
SA-4 (2)
(CCI-003101)
The organization requires the developer of the information system, system component, or information system service to provide design information for the security controls to be employed that includes security-relevant external system interfaces, high-level design, low-level design, source code, hardware schematics, and/or organization-defined design information at an organization-defined level of detail.
SA-4 (2)
(CCI-003102)
The organization requires the developer of the information system, system component, or information system service to provide implementation information for the security controls to be employed that includes security-relevant external system interfaces, high-level design, low-level design, source code, hardware schematics, and/or organization-defined implementation information at an organization-defined level of detail.
SA-4 (2)
(CCI-003103)
The organization defines the design information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed.
SA-4 (2)
(CCI-003104)
The organization defines the implementation information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed.
SA-4 (2)
(CCI-003105)
The organization defines the level of detail for the design information of the security controls that is required to be provided by the developer of the information system, system component, or information system services.
SA-4 (2)
(CCI-003106)
The organization defines the level of detail for the implementation information of the security controls that is required to be provided by the developer of the information system, system component, or information system services.
DEVELOPMENT METHODS / TECHNIQUES / PRACTICES
SA-4 (3) The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].
SA-4 (3)
(CCI-003107)
The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes.
SA-4 (3)
(CCI-003108)
The organization defines the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes that the developer of the information system, system component, or information system service is required to include when demonstrating the use of a system development life cycle.
ASSIGNMENT OF COMPONENTS TO SYSTEMS
SA-4 (4) [Withdrawn: Incorporated into CM-8 (9)].
SYSTEM / COMPONENT / SERVICE CONFIGURATIONS
SA-4 (5) The organization requires the developer of the information system, system component, or information system service to:
SA-4 (5)(a) Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
SA-4 (5) (a)
(CCI-003109)
The organization requires the developer of the information system, system component, or information system service to deliver the system, component, or service with organization-defined security configurations implemented.
SA-4 (5) (a)
(CCI-003110)
The organization defines the security configurations required to be implemented when the developer delivers the information system, system component, or information system service.
SA-4 (5)(b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
SA-4 (5) (b)
(CCI-003111)
The organization requires the developer of the information system, system component, or information system service to use the organization-defined security configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
USE OF INFORMATION ASSURANCE PRODUCTS
SA-4 (6) The organization:
SA-4 (6)(a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
SA-4 (6) (a)
(CCI-000631)
The organization employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.
SA-4 (6)(b) Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
SA-4 (6) (b)
(CCI-000633)
The organization ensures that government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures.
NIAP-APPROVED PROTECTION PROFILES
SA-4 (7) The organization:
SA-4 (7)(a) Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
SA-4 (7) (a)
(CCI-000634)
The organization limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists.
SA-4 (7)(b) Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
SA-4 (7) (b)
(CCI-000635)
The organization requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
CONTINUOUS MONITORING PLAN
SA-4 (8) The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail].
SA-4 (8)
(CCI-003112)
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains an organization-defined level of detail.
SA-4 (8)
(CCI-003113)
The organization defines the level of detail to be contained in the plan for the continuous monitoring of security control effectiveness that the developer of the information system, system component, or information system services is required to produce.
FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE
SA-4 (9) The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
SA-4 (9)
(CCI-003114)
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
SA-4 (9)
(CCI-003115)
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
USE OF APPROVED PIV PRODUCTS
SA-4 (10) The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.
SA-4 (10)
(CCI-003116)
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.
SA-5 SYSTEM AND SERVICES ACQUISITION : INFORMATION SYSTEM DOCUMENTATION
SA-5 The organization:
SA-5a. Obtains administrator documentation for the information system, system component, or information system service that describes:
SA-5a.1. Secure configuration, installation, and operation of the system, component, or service;
SA-5 a 1
(CCI-003124)
The organization obtains administrator documentation for the information system, system component, or information system service that describes secure configuration of the system, component, or service.
SA-5 a 1
(CCI-003125)
The organization obtains administrator documentation for the information system, system component, or information system service that describes secure installation of the system, component, or service.
SA-5 a 1
(CCI-003126)
The organization obtains administrator documentation for the information system, system component, or information system service that describes secure operation of the system, component, or service.
SA-5a.2. Effective use and maintenance of security functions/mechanisms; and
SA-5 a 2
(CCI-003127)
The organization obtains administrator documentation for the information system, system component, or information system services that describes effective use and maintenance of security functions/mechanisms.
SA-5a.3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
SA-5 a 3
(CCI-003128)
The organization obtains administrator documentation for the information system, system component, or information system service that describes known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
SA-5b. Obtains user documentation for the information system, system component, or information system service that describes:
SA-5b.1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
SA-5 b 1
(CCI-003129)
The organization obtains user documentation for the information system, system component, or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms.
SA-5b.2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
SA-5 b 2
(CCI-003130)
The organization obtains user documentation for the information system, system component, or information system service that describes methods for user interaction which enables individuals to use the system, component, or service in a more secure manner.
SA-5b.3. User responsibilities in maintaining the security of the system, component, or service;
SA-5 b 3
(CCI-003131)
The organization obtains user documentation for the information system, system component, or information system service that describes user responsibilities in maintaining the security of the system, component, or service.
SA-5c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
SA-5 c
(CCI-000642)
The organization documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent.
SA-5 c
(CCI-003132)
The organization takes organization-defined actions in response to attempts to obtain either unavailable or nonexistent documentation for the information system, system component, or information system service.
SA-5 c
(CCI-003133)
The organization defines actions to be taken in response to attempts to obtain either unavailable or nonexistent documentation for the information system, system component, or information system service.
SA-5d. Protects documentation as required, in accordance with the risk management strategy; and
SA-5 d
(CCI-003134)
The organization protects information system, system component, or information system service documentation as required, in accordance with the risk management strategy.
SA-5e. Distributes documentation to [Assignment: organization-defined personnel or roles].
SA-5 e
(CCI-003135)
The organization distributes information system, system component, or information system service documentation to organization-defined personnel or roles.
SA-5 e
(CCI-003136)
The organization defines the personnel or roles to whom information system, system component, or information system service documentation is to be distributed.
FUNCTIONAL PROPERTIES OF SECURITY CONTROLS
SA-5 (1) [Withdrawn: Incorporated into SA-4 (1)].
SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES
SA-5 (2) [Withdrawn: Incorporated into SA-4 (2)].
HIGH-LEVEL DESIGN
SA-5 (3) [Withdrawn: Incorporated into SA-4 (2)].
LOW-LEVEL DESIGN
SA-5 (4) [Withdrawn: Incorporated into SA-4 (2)].
SOURCE CODE
SA-5 (5) [Withdrawn: Incorporated into SA-4 (2)].
SA-6 SYSTEM AND SERVICES ACQUISITION : SOFTWARE USAGE RESTRICTIONS
SA-6 [Withdrawn: Incorporated into CM-10 and SI-7].
SA-7 SYSTEM AND SERVICES ACQUISITION : USER-INSTALLED SOFTWARE
SA-7 [Withdrawn: Incorporated into CM-11 and SI-7].
SA-8 SYSTEM AND SERVICES ACQUISITION : SECURITY ENGINEERING PRINCIPLES
SA-8 The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
SA-8
(CCI-000664)
The organization applies information system security engineering principles in the specification of the information system.
SA-8
(CCI-000665)
The organization applies information system security engineering principles in the design of the information system.
SA-8
(CCI-000666)
The organization applies information system security engineering principles in the development of the information system.
SA-8
(CCI-000667)
The organization applies information system security engineering principles in the implementation of the information system.
SA-8
(CCI-000668)
The organization applies information system security engineering principles in the modification of the information system.
SA-9 SYSTEM AND SERVICES ACQUISITION : EXTERNAL INFORMATION SYSTEM SERVICES
SA-9 The organization:
SA-9a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
SA-9 a
(CCI-000669)
The organization requires that providers of external information system services comply with organizational information security requirements.
SA-9 a
(CCI-000670)
The organization requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SA-9 a
(CCI-003137)
The organization defines security controls that providers of external information system services employ in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SA-9b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
SA-9 b
(CCI-000671)
The organization defines government oversight with regard to external information system services.
SA-9 b
(CCI-000672)
The organization documents government oversight with regard to external information system services.
SA-9 b
(CCI-000673)
The organization defines user roles and responsibilities with regard to external information system services.
SA-9 b
(CCI-000674)
The organization documents user roles and responsibilities with regard to external information system services.
SA-9c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
SA-9 c
(CCI-003138)
The organization employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.
SA-9 c
(CCI-003139)
The organization defines processes, methods, and techniques to employ to monitor security control compliance by external service providers on an ongoing basis.
RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS
SA-9 (1) The organization:
SA-9 (1)(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
SA-9 (1)(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
SA-9 (1) (b)
(CCI-003141)
The organization ensures that the acquisition or outsourcing of dedicated information security services is approved by organization-defined personnel or roles.
SA-9 (1) (b)
(CCI-003142)
The organization defines the personnel or roles authorized to approve the acquisition or outsourcing of dedicated information security services.
IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES
SA-9 (2) The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.
SA-9 (2)
(CCI-003143)
The organization requires providers of organization-defined external information system services to identify the functions, ports, protocols, and other services required for the use of such services.
SA-9 (2)
(CCI-003144)
The organization defines the external information system services for which the providers are required to identify the functions, ports, protocols, and other services required for the use of such services.
ESTABLISH / MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS
SA-9 (3) The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships].
SA-9 (3)
(CCI-003145)
The organization establishes trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships.
SA-9 (3)
(CCI-003146)
The organization documents trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships.
SA-9 (3)
(CCI-003147)
The organization maintains trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships.
SA-9 (3)
(CCI-003148)
The organization defines security requirements, properties, factors, or conditions defining acceptable trust relationships with external service providers.
CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS
SA-9 (4) The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.
SA-9 (4)
(CCI-003149)
The organization employs organization-defined security safeguards to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests.
SA-9 (4)
(CCI-003150)
The organization defines security safeguards to employ to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests.
SA-9 (4)
(CCI-003151)
The organization defines external service providers whose interests are consistent with and reflect organizational interests.
PROCESSING, STORAGE, AND SERVICE LOCATION
SA-9 (5) The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].
SA-9 (5)
(CCI-003152)
The organization restricts the location of information processing, information/data, and/or information system services to organization-defined locations based on organization-defined requirements or conditions.
SA-9 (5)
(CCI-003153)
The organization defines the locations for which to restrict information processing, information/data, and/or information system services based on organization-defined requirements or conditions.
SA-9 (5)
(CCI-003154)
The organization defines the requirements or conditions on which to base restricting the location of information processing, information/data, and/or information system services to organization-defined locations.
SA-10 SYSTEM AND SERVICES ACQUISITION : DEVELOPER CONFIGURATION MANAGEMENT
SA-10 The organization requires the developer of the information system, system component, or information system service to:
SA-10a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
SA-10 a
(CCI-003155)
The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service design, development, implementation, and/or operation.
SA-10b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
SA-10 b
(CCI-003156)
The organization requires the developer of the information system, system component, or information system service to document the integrity of changes to organization-defined configuration items under configuration management.
SA-10 b
(CCI-003157)
The organization requires the developer of the information system, system component, or information system service to manage the integrity of changes to organization-defined configuration items under configuration management.
SA-10 b
(CCI-003158)
The organization requires the developer of the information system, system component, or information system service to control the integrity of changes to organization-defined configuration items under configuration management.
SA-10 b
(CCI-003159)
The organization defines the configuration items under configuration management that require the integrity of changes to be documented, managed, and controlled.
SA-10c. Implement only organization-approved changes to the system, component, or service;
SA-10 c
(CCI-000692)
The organization requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service.
SA-10d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
SA-10 d
(CCI-000694)
The organization requires the developer of the information system, system component, or information system service to document approved changes to the system, component, or service.
SA-10 d
(CCI-003160)
The organization requires the developer of the information system, system component, or information system service to document the potential security impacts of approved changes to the system, component, or service.
SA-10e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
SA-10 e
(CCI-003161)
The organization requires the developer of the information system, system component, or information system service to track security flaws within the system, component, or service.
SA-10 e
(CCI-003162)
The organization requires the developer of the information system, system component, or information system service to track flaw resolution within the system, component, or service.
SA-10 e
(CCI-003163)
The organization requires the developer of the information system, system component, or information system service to report findings of security flaws and flaw resolution within the system, component, or service to organization-defined personnel.
SA-10 e
(CCI-003164)
The organization defines the personnel to whom security flaw findings and flaw resolution within the system, component, or service are reported.
SOFTWARE / FIRMWARE INTEGRITY VERIFICATION
SA-10 (1) The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
SA-10 (1)
(CCI-000698)
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES
SA-10 (2) The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
SA-10 (2)
(CCI-000700)
The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
HARDWARE INTEGRITY VERIFICATION
SA-10 (3) The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.
SA-10 (3)
(CCI-003165)
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.
TRUSTED GENERATION
SA-10 (4) The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions.
SA-10 (4)
(CCI-003166)
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions.
SA-10 (4)
(CCI-003167)
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of software/firmware source code with previous versions.
SA-10 (4)
(CCI-003168)
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of object code with previous versions.
MAPPING INTEGRITY FOR VERSION CONTROL
SA-10 (5) The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
SA-10 (5)
(CCI-003169)
The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
TRUSTED DISTRIBUTION
SA-10 (6) The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
SA-10 (6)
(CCI-003170)
The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
SA-11 SYSTEM AND SERVICES ACQUISITION : DEVELOPER SECURITY TESTING AND EVALUATION
SA-11 The organization requires the developer of the information system, system component, or information system service to:
SA-11a. Create and implement a security assessment plan;
SA-11 a
(CCI-003171)
The organization requires the developer of the information system, system component, or information system service to create a security assessment plan.
SA-11 a
(CCI-003172)
The organization requires the developer of the information system, system component, or information system service to implement a security assessment plan.
SA-11b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
SA-11 b
(CCI-003173)
The organization requires the developer of the information system, system component, or information system service to perform unit, integration, system, and/or regression testing/evaluation at an organization-defined depth and coverage.
SA-11 b
(CCI-003174)
The organization defines the depth and coverage at which to perform unit, integration, system, and/or regression testing/evaluation.
SA-11c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
SA-11 c
(CCI-003175)
The organization requires the developer of the information system, system component, or information system service to produce evidence of the execution of the security assessment plan.
SA-11 c
(CCI-003176)
The organization requires the developer of the information system, system component, or information system service to produce the results of the security testing/evaluation.
SA-11d. Implement a verifiable flaw remediation process; and
SA-11 d
(CCI-003177)
The organization requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process.
SA-11e. Correct flaws identified during security testing/evaluation.
SA-11 e
(CCI-003178)
The organization requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.
STATIC CODE ANALYSIS
SA-11 (1) The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
SA-11 (1)
(CCI-003179)
The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws.
SA-11 (1)
(CCI-003180)
The organization requires the developer of the information system, system component, or information system service to document the results of static code analysis.
THREAT AND VULNERABILITY ANALYSES
SA-11 (2) The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.
SA-11 (2)
(CCI-003181)
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analysis.
SA-11 (2)
(CCI-003182)
The organization requires the developer of the information system, system component, or information system service to perform testing/evaluation of the as-built system, component, or service subsequent to threat and vulnerability analysis.
INDEPENDENT VERIFICATION OF ASSESSMENT PLANS / EVIDENCE
SA-11 (3) The organization:
SA-11 (3)(a) Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
SA-11 (3) (a)
(CCI-003183)
The organization requires an independent agent satisfying organization-defined independence criteria to verify the correct implementation of the developer security assessment plan.
SA-11 (3) (a)
(CCI-003184)
The organization requires an independent agent satisfying organization-defined independence criteria to verify the evidence produced during security testing/evaluation.
SA-11 (3) (a)
(CCI-003185)
The organization defines the independence criteria the independent agent must satisfy prior to verifying the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation.
SA-11 (3)(b) Ensures that the independent agent either is provided with sufficient information to complete the verification process or has been granted the authority to obtain such information.
SA-11 (3) (b)
(CCI-003186)
The organization ensures that the independent agent either is provided with sufficient information to complete the verification process or has been granted the authority to obtain such information.
MANUAL CODE REVIEWS
SA-11 (4) The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques].
SA-11 (4)
(CCI-003187)
The organization requires the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques.
SA-11 (4)
(CCI-003188)
The organization defines the specific code for which the developer of the information system, system component, or information system service is required to perform a manual code review using organization-defined processes, procedures, and/or techniques.
SA-11 (4)
(CCI-003189)
The organization defines the processes, procedures, and/or techniques to be used by the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code.
PENETRATION TESTING / ANALYSIS
SA-11 (5) The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints].
SA-11 (5)
(CCI-003190)
The organization requires the developer of the information system, system component, or information system service to perform penetration testing at an organization-defined breadth/depth and with organization-defined constraints.
SA-11 (5)
(CCI-003191)
The organization defines the breadth/depth at which the developer of the information system, system component, or information system service is required to perform penetration testing.
SA-11 (5)
(CCI-003192)
The organization defines the constraints on penetration testing performed by the developer of the information system, system component, or information system service.
ATTACK SURFACE REVIEWS
SA-11 (6) The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.
SA-11 (6)
(CCI-003193)
The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.
VERIFY SCOPE OF TESTING / EVALUATION
SA-11 (7) The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation].
SA-11 (7)
(CCI-003194)
The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at an organization-defined depth of testing/evaluation.
SA-11 (7)
(CCI-003195)
The organization defines the depth of testing/evaluation to which the developer of the information system, system component, or information system service is required to verify that the scope of security testing/evaluation provides complete coverage of the required security controls.
DYNAMIC CODE ANALYSIS
SA-11 (8) The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
SA-11 (8)
(CCI-003196)
The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws.
SA-11 (8)
(CCI-003197)
The organization requires the developer of the information system, system component, or information system service to document the results of the dynamic code analysis.
SA-12 SYSTEM AND SERVICES ACQUISITION : SUPPLY CHAIN PROTECTION
SA-12 The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
SA-12
(CCI-000722)
The organization defines the security safeguards to employ to protect against supply chain threats to the information system, system component, or information system service.
SA-12
(CCI-000723)
The organization protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy.
ACQUISITION STRATEGIES / TOOLS / METHODS
SA-12 (1) The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers.
SA-12 (1)
(CCI-003198)
The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.
SA-12 (1)
(CCI-003199)
The organization defines tailored acquisition strategies, contract tools, and procurement methods to employ for the purchase of the information system, system component, or information system service from suppliers.
SA-12 (1)
(CCI-003207)
The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.
SA-12 (1)
(CCI-003208)
The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.
SA-12 (1)
(CCI-003209)
The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.
SUPPLIER REVIEWS
SA-12 (2) The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.
SA-12 (2)
(CCI-003200)
The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.
TRUSTED SHIPPING AND WAREHOUSING
SA-12 (3) [Withdrawn: Incorporated into SA-12 (1)].
DIVERSITY OF SUPPLIERS
SA-12 (4) [Withdrawn: Incorporated into SA-12 (13)].
LIMITATION OF HARM
SA-12 (5) The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain.
SA-12 (5)
(CCI-003201)
The organization employs organization-defined security safeguards to limit harm from potential adversaries identifying and targeting the organizational supply chain.
SA-12 (5)
(CCI-003202)
The organization defines security safeguards to employ to limit harm from potential adversaries identifying and targeting the organizational supply chain.
MINIMIZING PROCUREMENT TIME
SA-12 (6) [Withdrawn: Incorporated into SA-12 (1)].
ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE
SA-12 (7) The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
SA-12 (7)
(CCI-003203)
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
SA-12 (7)
(CCI-003204)
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
USE OF ALL-SOURCE INTELLIGENCE
SA-12 (8) The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.
SA-12 (8)
(CCI-003205)
The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.
OPERATIONS SECURITY
SA-12 (9) The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.
SA-12 (9)
(CCI-003206)
The organization employs organization-defined Operations Security (OPSEC) safeguards in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.
SA-12 (9)
(CCI-003210)
The organization defines the Operations Security (OPSEC) safeguards to be employed in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.
SA-12 (9)
(CCI-003211)
The organization defines the Operations Security (OPSEC) safeguards to be employed in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.
VALIDATE AS GENUINE AND NOT ALTERED
SA-12 (10) The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered.
SA-12 (10)
(CCI-003212)
The organization employs organization-defined security safeguards to validate that the information system or system component received is genuine and has not been altered.
SA-12 (10)
(CCI-003213)
The organization defines the security safeguards to be employed to validate that the information system or system component received is genuine and has not been altered.
PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORS
SA-12 (11) The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service.
SA-12 (11)
(CCI-003214)
The organization employs organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing of organization-defined supply chain elements, processes, and actors associated with the information system, system component, or information system service.
SA-12 (11)
(CCI-003215)
The organization defines the supply chain elements, processes, and actors associated with the information system, system component, or information system service for organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing.
INTER-ORGANIZATIONAL AGREEMENTS
SA-12 (12) The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service.
SA-12 (12)
(CCI-003216)
The organization establishes inter-organizational agreements with entities involved in the supply chain for the information system, system component, or information system service.
SA-12 (12)
(CCI-003217)
The organization establishes inter-organizational procedures with entities involved in the supply chain for the information system, system component, or information system service.
CRITICAL INFORMATION SYSTEM COMPONENTS
SA-12 (13) The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components].
SA-12 (13)
(CCI-003218)
The organization employs organization-defined security safeguards to ensure an adequate supply of organization-defined critical information system components.
SA-12 (13)
(CCI-003219)
The organization defines the security safeguards to be employed to ensure an adequate supply of organization-defined critical information system components.
SA-12 (13)
(CCI-003220)
The organization defines the critical information system components for which organization-defined security safeguards are employed to ensure adequate supply.
IDENTITY AND TRACEABILITY
SA-12 (14) The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service.
SA-12 (14)
(CCI-003221)
The organization establishes unique identification of organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service.
SA-12 (14)
(CCI-003222)
The organization retains unique identification of organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service.
SA-12 (14)
(CCI-003223)
The organization defines the supply chain elements, processes, and actors for the information system, system component, or information system service to establish and retain unique identification.
PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES
SA-12 (15) The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.
SA-12 (15)
(CCI-003224)
The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.
SA-13 SYSTEM AND SERVICES ACQUISITION : TRUSTWORTHINESS
SA-13 The organization:
SA-13a. Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and
SA-13 a
(CCI-003225)
The organization describes the trustworthiness required in the organization-defined information system, information system component, or information system service supporting its critical missions/business functions.
SA-13 a
(CCI-003226)
The organization defines the information system, information system component, or information system service supporting its critical missions/business functions in which the trustworthiness must be described.
SA-13b. Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness.
SA-13 b
(CCI-003227)
The organization implements an organization-defined assurance overlay to achieve trustworthiness required to support its critical missions/business functions.
SA-13 b
(CCI-003228)
The organization defines an assurance overlay to be implemented to achieve trustworthiness required to support its critical missions/business functions.
SA-14 SYSTEM AND SERVICES ACQUISITION : CRITICALITY ANALYSIS
SA-14 The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle].
SA-14
(CCI-003229)
The organization identifies critical information system components by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle.
SA-14
(CCI-003230)
The organization identifies critical information system functions by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle.
SA-14
(CCI-003231)
The organization defines the information systems, information system components, or information system services for which the organization identifies critical information system components and functions for criticality analysis.
SA-14
(CCI-003232)
The organization defines the decision points in the system development life cycle at which to perform a criticality analysis to identify critical information system components and functions for organization-defined information systems, information system components, or information system services.
CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCING
SA-14 (1) [Withdrawn: Incorporated into SA-20].
SA-15 SYSTEM AND SERVICES ACQUISITION : DEVELOPMENT PROCESS, STANDARDS, AND TOOLS
SA-15 The organization:
SA-15
(CCI-003233)
The organization requires the developer of the information system, system component, or information system service to follow a documented development process.
SA-15a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
SA-15a.1. Explicitly addresses security requirements;
SA-15 a 1
(CCI-003234)
The documented information system, system component, or information system service development process explicitly addresses security requirements.
SA-15a.2. Identifies the standards and tools used in the development process;
SA-15 a 2
(CCI-003235)
The documented information system, system component, or information system service development process identifies the standards used in the development process.
SA-15 a 2
(CCI-003236)
The documented information system, system component, or information system service development process identifies the tools used in the development process.
SA-15a.3. Documents the specific tool options and tool configurations used in the development process; and
SA-15 a 3
(CCI-003237)
The documented information system, system component, or information system service development process documents the specific tool options and tool configurations used in the development process.
SA-15a.4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
SA-15 a 4
(CCI-003238)
The documented information system, system component, or information system service development process documents changes to the process and/or tools used in development.
SA-15 a 4
(CCI-003239)
The documented information system, system component, or information system service development process manages changes to the process and/or tools used in development.
SA-15 a 4
(CCI-003240)
The documented information system, system component, or information system service development process ensures the integrity of changes to the process and/or tools used in development.
SA-15b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements].
SA-15 b
(CCI-003241)
The organization reviews the development process in accordance with organization-defined frequency to determine if the development process selected and employed can satisfy organization-defined security requirements.
SA-15 b
(CCI-003242)
The organization reviews the development standards in accordance with organization-defined frequency to determine if the development standards selected and employed can satisfy organization-defined security requirements.
SA-15 b
(CCI-003243)
The organization reviews the development tools in accordance with organization-defined frequency to determine if the development tools selected and employed can satisfy organization-defined security requirements.
SA-15 b
(CCI-003244)
The organization reviews the development tool options/configurations in accordance with organization-defined frequency to determine if the development tool options/configurations selected and employed can satisfy organization-defined security requirements.
SA-15 b
(CCI-003245)
The organization defines the frequency on which to review the development process, standards, tools, and tool options/configurations to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy organization-defined security requirements.
SA-15 b
(CCI-003246)
The organization defines the security requirements that must be satisfied by conducting a review of the development process, standards, tools, and tool options/configurations.
QUALITY METRICS
SA-15 (1) The organization requires the developer of the information system, system component, or information system service to:
SA-15 (1)(a) Define quality metrics at the beginning of the development process; and
SA-15 (1) (a)
(CCI-003247)
The organization requires the developer of the information system, system component, or information system service to define quality metrics at the beginning of the development process.
SA-15 (1)(b) Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery].
SA-15 (1) (b)
(CCI-003248)
The organization requires the developer of the information system, system component, or information system service to provide evidence of meeting the quality metrics in accordance with organization-defined frequency, organization-defined program review milestones and/or upon delivery.
SA-15 (1) (b)
(CCI-003249)
The organization defines the frequency on which the developer of the information system, system component, or information system service is required to provide evidence of meeting the quality metrics.
SA-15 (1) (b)
(CCI-003250)
The organization defines the program review milestones at which the developer of the information system, system component, or information system service is required to provide evidence of meeting the quality metrics.
SECURITY TRACKING TOOLS
SA-15 (2) The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process.
SA-15 (2)
(CCI-003251)
The organization requires the developer of the information system, system component, or information system service to select a security tracking tool for use during the development process.
SA-15 (2)
(CCI-003252)
The organization requires the developer of the information system, system component, or information system service to employ a security tracking tool for use during the development process.
CRITICALITY ANALYSIS
SA-15 (3) The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle].
SA-15 (3)
(CCI-003253)
The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at an organization-defined breadth/depth and at organization-defined decision points in the system development life cycle.
SA-15 (3)
(CCI-003254)
The organization defines the breadth/depth at which the developer of the information system, system component, or information system service is required to perform a criticality analysis.
SA-15 (3)
(CCI-003255)
The organization defines decision points in the system development life cycle at which the developer of the information system, system component, or information system service is required to perform a criticality analysis.
THREAT MODELING / VULNERABILITY ANALYSIS
SA-15 (4) The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
SA-15 (4)
(CCI-003256)
The organization requires that developers perform threat modeling for the information system at an organization-defined breadth/depth.
SA-15 (4)
(CCI-003257)
The organization requires that developers perform a vulnerability analysis for the information system at an organization-defined breadth/depth.
SA-15 (4)
(CCI-003258)
The organization defines the breadth/depth at which threat modeling for the information system must be performed by developers.
SA-15 (4)
(CCI-003259)
The organization defines the breadth/depth at which vulnerability analysis for the information system must be performed by developers.
SA-15 (4)(a) Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
SA-15 (4) (a)
(CCI-003260)
Threat modeling performed by the developer for the information system uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels.
SA-15 (4) (a)
(CCI-003261)
Vulnerability analysis performed by the developer for the information system uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels.
SA-15 (4) (a)
(CCI-003262)
The organization defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform threat modeling for the information system by the developer.
SA-15 (4) (a)
(CCI-003263)
The organization defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform a vulnerability analysis for the information system by the developer.
SA-15 (4)(b) Employs [Assignment: organization-defined tools and methods]; and
SA-15 (4) (b)
(CCI-003264)
The organization requires the threat modeling performed by the developers employ organization-defined tools and methods.
SA-15 (4) (b)
(CCI-003265)
The organization requires the vulnerability analysis performed by the developers employ organization-defined tools and methods.
SA-15 (4) (b)
(CCI-003266)
The organization defines tools and methods to be employed to perform threat modeling for the information system by the developer.
SA-15 (4) (b)
(CCI-003267)
The organization defines tools and methods to be employed to perform a vulnerability analysis for the information system by the developer.
SA-15 (4)(c) Produces evidence that meets [Assignment: organization-defined acceptance criteria].
SA-15 (4) (c)
(CCI-003268)
The organization requires that developers performing threat modeling for the information system produce evidence that meets organization-defined acceptance criteria.
SA-15 (4) (c)
(CCI-003269)
The organization requires that developers performing vulnerability analysis for the information system produce evidence that meets organization-defined acceptance criteria.
SA-15 (4) (c)
(CCI-003270)
The organization defines the acceptance criteria that must be met when threat modeling of the information system is performed by the developer.
SA-15 (4) (c)
(CCI-003271)
The organization defines the acceptance criteria that must be met when vulnerability analysis of the information system is performed by the developer.
ATTACK SURFACE REDUCTION
SA-15 (5) The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds].
SA-15 (5)
(CCI-003272)
The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to organization-defined thresholds.
SA-15 (5)
(CCI-003273)
The organization defines the thresholds to which the developer of the information system, system component, or information system service is required to reduce attack surfaces.
CONTINUOUS IMPROVEMENT
SA-15 (6) The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.
SA-15 (6)
(CCI-003274)
The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.
AUTOMATED VULNERABILITY ANALYSIS
SA-15 (7) The organization requires the developer of the information system, system component, or information system service to:
SA-15 (7)(a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
SA-15 (7) (a)
(CCI-003275)
The organization requires the developer of the information system, system component, or information system services to perform an automated vulnerability analysis using organization-defined tools.
SA-15 (7) (a)
(CCI-003276)
The organization defines the tools the developer of the information system, system component, or information system services uses to perform an automated vulnerability analysis.
SA-15 (7)(b) Determine the exploitation potential for discovered vulnerabilities;
SA-15 (7) (b)
(CCI-003277)
The organization requires the developer of the information system, system component, or information system services to determine the exploitation potential for discovered vulnerabilities.
SA-15 (7)(c) Determine potential risk mitigations for delivered vulnerabilities; and
SA-15 (7) (c)
(CCI-003278)
The organization requires the developer of the information system, system component, or information system services to determine potential risk mitigations for delivered vulnerabilities.
SA-15 (7)(d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].
SA-15 (7) (d)
(CCI-003279)
The organization requires the developer of the information system, system component, or information system services to deliver the outputs of the tools and results of the vulnerability analysis to organization-defined personnel or roles.
SA-15 (7) (d)
(CCI-003280)
The organization defines the personnel or roles to whom the outputs of the tools and results of the vulnerability analysis are delivered.
REUSE OF THREAT / VULNERABILITY INFORMATION
SA-15 (8) The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
SA-15 (8)
(CCI-003281)
The organization requires the developer of the information system, system component, or information system service to use threat modeling from similar systems, components, or services to inform the current development process.
SA-15 (8)
(CCI-003282)
The organization requires the developer of the information system, system component, or information system service to use vulnerability analysis from similar systems, components, or services to inform the current development process.
USE OF LIVE DATA
SA-15 (9) The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service.
SA-15 (9)
(CCI-003283)
The organization approves the use of live data in development environments for the information system, system component, or information system service.
SA-15 (9)
(CCI-003284)
The organization approves the use of live data in test environments for the information system, system component, or information system service.
SA-15 (9)
(CCI-003285)
The organization documents the use of live data in development environments for the information system, system component, or information system service.
SA-15 (9)
(CCI-003286)
The organization documents the use of live data in test environments for the information system, system component, or information system service.
SA-15 (9)
(CCI-003287)
The organization controls the use of live data in development environments for the information system, system component, or information system service.
SA-15 (9)
(CCI-003288)
The organization controls the use of live data in test environments for the information system, system component, or information system service.
INCIDENT RESPONSE PLAN
SA-15 (10) The organization requires the developer of the information system, system component, or information system service to provide an incident response plan.
SA-15 (10)
(CCI-003289)
The organization requires the developer of the information system, system component, or information system service to provide an incident response plan.
ARCHIVE INFORMATION SYSTEM / COMPONENT
SA-15 (11) The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.
SA-15 (11)
(CCI-003290)
The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.
SA-16 SYSTEM AND SERVICES ACQUISITION : DEVELOPER-PROVIDED TRAINING
SA-16 The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
SA-16
(CCI-003291)
The organization requires the developer of the information system, system component, or information system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
SA-16
(CCI-003292)
The organization defines the training the developer of the information system, system component, or information system service is required to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
SA-17 SYSTEM AND SERVICES ACQUISITION : DEVELOPER SECURITY ARCHITECTURE AND DESIGN
SA-17 The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
SA-17
(CCI-003293)
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture.
SA-17a. Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;
SA-17 a
(CCI-003294)
The design specification and security architecture is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture.
SA-17b. Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
SA-17 b
(CCI-003295)
The design specification and security architecture accurately and completely describes the required security functionality.
SA-17 b
(CCI-003296)
The design specification and security architecture accurately and completely describes the allocation of security controls among physical and logical components.
SA-17c. Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.
SA-17 c
(CCI-003297)
The design specification and security architecture expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.
FORMAL POLICY MODEL
SA-17 (1) The organization requires the developer of the information system, system component, or information system service to:
SA-17 (1)(a) Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security policy] to be enforced; and
SA-17 (1) (a)
(CCI-003298)
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal policy model describing the organization-defined elements of organizational security policy to be enforced.
SA-17 (1) (a)
(CCI-003299)
The organization defines the elements of organization security policy to be described in the formal policy model for enforcement on the information system, system component, or information system service.
SA-17 (1)(b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented.
SA-17 (1) (b)
(CCI-003300)
The organization requires the developer of the information system, system component, or information system service to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented.
SECURITY-RELEVANT COMPONENTS
SA-17 (2) The organization requires the developer of the information system, system component, or information system service to:
SA-17 (2)(a) Define security-relevant hardware, software, and firmware; and
SA-17 (2) (a)
(CCI-003301)
The organization requires the developer of the information system, system component, or information system service to define security-relevant hardware.
SA-17 (2) (a)
(CCI-003302)
The organization requires the developer of the information system, system component, or information system service to define security-relevant hardware.
SA-17 (2) (a)
(CCI-003303)
The organization requires the developer of the information system, system component, or information system service to define security-relevant software.
SA-17 (2) (a)
(CCI-003304)
The organization requires the developer of the information system, system component, or information system service to define security-relevant firmware.
SA-17 (2) (a)
(CCI-003305)
The organization requires the developer of the information system, system component, or information system service to provide a rationale that the definition for security-relevant hardware is complete.
SA-17 (2)(b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
SA-17 (2) (b)
(CCI-003306)
The organization requires the developer of the information system, system component, or information system service to provide a rationale that the definition for security-relevant software is complete.
SA-17 (2) (b)
(CCI-003307)
The organization requires the developer of the information system, system component, or information system service to provide a rationale that the definition for security-relevant firmware is complete.
FORMAL CORRESPONDENCE
SA-17 (3) The organization requires the developer of the information system, system component, or information system service to:
SA-17 (3)(a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
SA-17 (3) (a)
(CCI-003308)
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects.
SA-17 (3) (a)
(CCI-003309)
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant software in terms of exceptions, error messages, and effects.
SA-17 (3) (a)
(CCI-003310)
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects.
SA-17 (3)(b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
SA-17 (3) (b)
(CCI-003311)
The organization requires the developer of the information system, system component, or information system service to show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model.
SA-17 (3)(c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
SA-17 (3) (c)
(CCI-003312)
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware.
SA-17 (3) (c)
(CCI-003313)
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant software.
SA-17 (3) (c)
(CCI-003314)
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant firmware.
SA-17 (3)(d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
SA-17 (3) (d)
(CCI-003315)
The organization requires the developer of the information system, system component, or information system service to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware.
SA-17 (3) (d)
(CCI-003316)
The organization requires the developer of the information system, system component, or information system service to show that the formal top-level specification is an accurate description of the implemented security-relevant software.
SA-17 (3) (d)
(CCI-003317)
The organization requires the developer of the information system, system component, or information system service to show that the formal top-level specification is an accurate description of the implemented security-relevant firmware.
SA-17 (3)(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
SA-17 (3) (e)
(CCI-003318)
The organization requires the developer of the information system, system component, or information system service to describe the security-relevant hardware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware.
SA-17 (3) (e)
(CCI-003319)
The organization requires the developer of the information system, system component, or information system service to describe the security-relevant software mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant software.
SA-17 (3) (e)
(CCI-003320)
The organization requires the developer of the information system, system component, or information system service to describe the security-relevant firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant firmware.
INFORMAL CORRESPONDENCE
SA-17 (4) The organization requires the developer of the information system, system component, or information system service to:
SA-17 (4)(a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
SA-17 (4) (a)
(CCI-003321)
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects.
SA-17 (4) (a)
(CCI-003322)
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant software in terms of exceptions, error messages, and effects.
SA-17 (4) (a)
(CCI-003323)
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects.
SA-17 (4)(b) Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
SA-17 (4) (b)
(CCI-003324)
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration or convincing argument with formal methods as feasible that the descriptive top-level specification is consistent with the formal policy model.
SA-17 (4)(c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
SA-17 (4) (c)
(CCI-003325)
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware.
SA-17 (4) (c)
(CCI-003326)
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant software.
SA-17 (4) (c)
(CCI-003327)
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant firmware.
SA-17 (4)(d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
SA-17 (4) (d)
(CCI-003328)
The organization requires the developer of the information system, system component, or information system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware.
SA-17 (4) (d)
(CCI-003329)
The organization requires the developer of the information system, system component, or information system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant software.
SA-17 (4) (d)
(CCI-003330)
The organization requires the developer of the information system, system component, or information system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant firmware.
SA-17 (4)(e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
SA-17 (4) (e)
(CCI-003331)
The organization requires the developer of the information system, system component, or information system service to describe the security-relevant hardware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware.
SA-17 (4) (e)
(CCI-003332)
The organization requires the developer of the information system, system component, or information system service to describe the security-relevant software mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant software.
SA-17 (4) (e)
(CCI-003333)
The organization requires the developer of the information system, system component, or information system service to describe the security-relevant firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant firmware.
CONCEPTUALLY SIMPLE DESIGN
SA-17 (5) The organization requires the developer of the information system, system component, or information system service to:
SA-17 (5)(a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
SA-17 (5) (a)
(CCI-003334)
The organization requires the developer of the information system, system component, or information system service to design and structure the security-relevant hardware to use a complete, conceptually simple protection mechanism with precisely defined semantics.
SA-17 (5) (a)
(CCI-003335)
The organization requires the developer of the information system, system component, or information system service to design and structure the security-relevant software to use a complete, conceptually simple protection mechanism with precisely defined semantics.
SA-17 (5) (a)
(CCI-003336)
The organization requires the developer of the information system, system component, or information system service to design and structure the security-relevant firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics.
SA-17 (5)(b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
SA-17 (5) (b)
(CCI-003337)
The organization requires the developer of the information system, system component, or information system service to internally structure the security-relevant hardware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics.
SA-17 (5) (b)
(CCI-003338)
The organization requires the developer of the information system, system component, or information system service to internally structure the security-relevant software with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics.
SA-17 (5) (b)
(CCI-003339)
The organization requires the developer of the information system, system component, or information system service to internally structure the security-relevant firmware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics.
STRUCTURE FOR TESTING
SA-17 (6) The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing.
SA-17 (6)
(CCI-003340)
The organization requires the developer of the information system, component, or information system service to structure security-relevant hardware to facilitate testing.
SA-17 (6)
(CCI-003341)
The organization requires the developer of the information system, component, or information system service to structure security-relevant software to facilitate testing.
SA-17 (6)
(CCI-003342)
The organization requires the developer of the information system, component, or information system service to structure security-relevant firmware to facilitate testing.
STRUCTURE FOR LEAST PRIVILEGE
SA-17 (7) The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
SA-17 (7)
(CCI-003343)
The organization requires the developer of the information system, component, or information system service to structure security-relevant hardware to facilitate controlling access with least privilege.
SA-17 (7)
(CCI-003344)
The organization requires the developer of the information system, component, or information system service to structure security-relevant software to facilitate controlling access with least privilege.
SA-17 (7)
(CCI-003345)
The organization requires the developer of the information system, component, or information system service to structure security-relevant firmware to facilitate controlling access with least privilege.
SA-18 SYSTEM AND SERVICES ACQUISITION : TAMPER RESISTANCE AND DETECTION
SA-18 The organization implements a tamper protection program for the information system, system component, or information system service.
SA-18
(CCI-003346)
The organization implements a tamper protection program for the information system, system component, or information system service.
MULTIPLE PHASES OF SDLC
SA-18 (1) The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance.
SA-18 (1)
(CCI-003347)
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design.
SA-18 (1)
(CCI-003348)
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including development.
SA-18 (1)
(CCI-003349)
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including integration.
SA-18 (1)
(CCI-003350)
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including operations.
SA-18 (1)
(CCI-003351)
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including maintenance.
INSPECTION OF INFORMATION SYSTEMS, COMPONENTS, OR DEVICES
SA-18 (2) The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering.
SA-18 (2)
(CCI-003352)
The organization inspects organization-defined information systems, system components, or devices at random, at an organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.
SA-18 (2)
(CCI-003353)
The organization defines the information systems, system components, or devices to inspect at random, at an organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.
SA-18 (2)
(CCI-003354)
The organization defines the frequency on which to inspect organization-defined information systems, system components, or devices to detect tampering.
SA-18 (2)
(CCI-003355)
The organization defines indications of need for inspection to detect tampering during inspections of organization-defined information systems, system components, or devices.
SA-19 SYSTEM AND SERVICES ACQUISITION : COMPONENT AUTHENTICITY
SA-19 The organization:
SA-19a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
SA-19 a
(CCI-003356)
The organization develops an anti-counterfeit policy that includes the means to detect counterfeit components from entering the information system.
SA-19 a
(CCI-003357)
The organization develops an anti-counterfeit policy that includes the means to prevent counterfeit components from entering the information system.
SA-19 a
(CCI-003358)
The organization develops anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system.
SA-19 a
(CCI-003359)
The organization develops anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system.
SA-19 a
(CCI-003360)
The organization implements an anti-counterfeit policy that includes the means to detect counterfeit components from entering the information system.
SA-19 a
(CCI-003361)
The organization implements an anti-counterfeit policy that includes the means to prevent counterfeit components from entering the information system.
SA-19 a
(CCI-003362)
The organization implements anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system.
SA-19 a
(CCI-003363)
The organization implements anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system.
SA-19b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].
SA-19 b
(CCI-003364)
The organization reports counterfeit information system components to the source of the counterfeit component, organization-defined external reporting organizations, and/or organization-defined personnel or roles.
SA-19 b
(CCI-003365)
The organization defines the external reporting organizations to which counterfeit information system components are to be reported.
SA-19 b
(CCI-003366)
The organization defines the personnel or roles to whom counterfeit information system components are to be reported.
ANTI-COUNTERFEIT TRAINING
SA-19 (1) The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware).
SA-19 (1)
(CCI-003367)
The organization trains organization-defined personnel or roles to detect counterfeit information system components (including hardware, software, and firmware).
SA-19 (1)
(CCI-003368)
The organization defines the personnel or roles to be trained to detect counterfeit information system components (including hardware, software, and firmware).
CONFIGURATION CONTROL FOR COMPONENT SERVICE / REPAIR
SA-19 (2) The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.
SA-19 (2)
(CCI-003369)
The organization maintains configuration control over organization-defined information system components awaiting service/repair.
SA-19 (2)
(CCI-003370)
The organization defines the information system components awaiting service/repair over which configuration control must be maintained.
SA-19 (2)
(CCI-003371)
The organization maintains configuration control over serviced/repaired components awaiting return to service.
COMPONENT DISPOSAL
SA-19 (3) The organization disposes of information system components using [Assignment: organization-defined techniques and methods].
SA-19 (3)
(CCI-003390)
The organization defines the techniques and methods used to dispose of information system components.
SA-19 (3)
(CCI-003391)
The organization disposes of information system components using organization-defined techniques and methods.
ANTI-COUNTERFEIT SCANNING
SA-19 (4) The organization scans for counterfeit information system components [Assignment: organization-defined frequency].
SA-19 (4)
(CCI-003388)
The organization defines the frequency on which to scan for counterfeit information system components.
SA-19 (4)
(CCI-003389)
The organization scans for counterfeit information system components in accordance with organization-defined frequency.
SA-20 SYSTEM AND SERVICES ACQUISITION : CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS
SA-20 The organization re-implements or custom develops [Assignment: organization-defined critical information system components].
SA-20
(CCI-003386)
The organization defines the critical information system components to re-implement or custom develop.
SA-20
(CCI-003387)
The organization re-implements or custom develops organization-defined critical information system components.
SA-21 SYSTEM AND SERVICES ACQUISITION : DEVELOPER SCREENING
SA-21 The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]:
SA-21a. Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
SA-21 a
(CCI-003383)
The organization defines the official government duties to be assigned to the developer of an organization-defined information system, system component, or information system service.
SA-21 a
(CCI-003385)
The organization requires that the developer of an organization-defined information system, system component, or information system service have appropriate access authorizations as determined by assigned organization-defined official government duties.
SA-21b. Satisfy [Assignment: organization-defined additional personnel screening criteria].
SA-21 b
(CCI-003381)
The organization defines additional personnel screening criteria that must be satisfied by the developer of an organization-defined information system, system component, or information system service.
SA-21 b
(CCI-003382)
The organization requires that the developer of an organization-defined information system, system component, or information system service satisfy organization-defined additional personnel screening criteria.
VALIDATION OF SCREENING
SA-21 (1) The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied.
SA-21 (1)
(CCI-003377)
The organization defines the actions the developer of the information system, system component, or information system service must take to ensure the required screening criteria are satisfied.
SA-21 (1)
(CCI-003378)
The organization defines the actions the developer of the information system, system component, or information system service must take to ensure the required access authorizations are satisfied.
SA-21 (1)
(CCI-003379)
The organization requires the developer of the information system, system component, or information system service take organization-defined actions to ensure the required screening criteria are satisfied.
SA-21 (1)
(CCI-003380)
The organization requires the developer of the information system, system component, or information system service take organization-defined actions to ensure the required access authorizations are satisfied.
SA-22 SYSTEM AND SERVICES ACQUISITION : UNSUPPORTED SYSTEM COMPONENTS
SA-22 The organization:
SA-22a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
SA-22 a
(CCI-003376)
The organization replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer.
SA-22b. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.
SA-22 b
(CCI-003374)
The organization documents approval for the continued use of unsupported system components required to satisfy mission/business needs.
SA-22 b
(CCI-003375)
The organization provides justification for the continued use of unsupported system components required to satisfy mission/business needs.
ALTERNATIVE SOURCES FOR CONTINUED SUPPORT
SA-22 (1) The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components.
SA-22 (1)
(CCI-003372)
The organization defines the support from external providers to be provided for unsupported information system components.
SA-22 (1)
(CCI-003373)
The organization provides in-house support and/or organization-defined support from external providers for unsupported information system components.
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION : SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
SC-1 The organization:
SC-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
SC-1a.1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
SC-1 a 1
(CCI-001074)
The organization develops a system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
SC-1 a 1
(CCI-001075)
The organization disseminates to organization-defined personnel or roles the system and communications protection policy.
SC-1 a 1
(CCI-002377)
The organization documents the system and communications protection policy.
SC-1 a 1
(CCI-002378)
The organization defines the personnel or roles to be recipients of the system and communications protection policy.
SC-1a.2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
SC-1 a 2
(CCI-001078)
The organization develops system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
SC-1 a 2
(CCI-001079)
The organization disseminates to organization-defined personnel or roles the procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
SC-1 a 2
(CCI-002379)
The organization documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
SC-1 a 2
(CCI-002380)
The organization defines the personnel or roles to be recipients of the procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
SC-1b. Reviews and updates the current:
SC-1b.1. System and communications protection policy [Assignment: organization-defined frequency]; and
SC-1 b 1
(CCI-001076)
The organization reviews and updates the system and communications protection policy in accordance with organization-defined frequency.
SC-1 b 1
(CCI-001077)
The organization defines the frequency for reviewing and updating the system and communications protection policy.
SC-1b.2. System and communications protection procedures [Assignment: organization-defined frequency].
SC-1 b 2
(CCI-001080)
The organization reviews and updates the system and communications protection procedures in accordance with organization-defined frequency.
SC-1 b 2
(CCI-001081)
The organization defines the frequency of system and communications protection procedure reviews and updates.
SC-2 SYSTEM AND COMMUNICATIONS PROTECTION : APPLICATION PARTITIONING
SC-2 The information system separates user functionality (including user interface services) from information system management functionality.
SC-2
(CCI-001082)
The information system separates user functionality (including user interface services) from information system management functionality.
INTERFACES FOR NON-PRIVILEGED USERS
SC-2 (1) The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.
SC-2 (1)
(CCI-001083)
The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.
SC-3 SYSTEM AND COMMUNICATIONS PROTECTION : SECURITY FUNCTION ISOLATION
SC-3 The information system isolates security functions from nonsecurity functions.
SC-3
(CCI-001084)
The information system isolates security functions from nonsecurity functions.
HARDWARE SEPARATION
SC-3 (1) The information system utilizes underlying hardware separation mechanisms to implement security function isolation.
SC-3 (1)
(CCI-001085)
The information system utilizes underlying hardware separation mechanisms to implement security function isolation.
ACCESS / FLOW CONTROL FUNCTIONS
SC-3 (2) The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions.
SC-3 (2)
(CCI-001086)
The information system isolates security functions enforcing access and information flow control from both nonsecurity functions and from other security functions.
MINIMIZE NONSECURITY FUNCTIONALITY
SC-3 (3) The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.
SC-3 (3)
(CCI-002381)
The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.
MODULE COUPLING AND COHESIVENESS
SC-3 (4) The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
SC-3 (4)
(CCI-002382)
The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
LAYERED STRUCTURES
SC-3 (5) The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
SC-3 (5)
(CCI-001089)
The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
SC-4 SYSTEM AND COMMUNICATIONS PROTECTION : INFORMATION IN SHARED RESOURCES
SC-4 The information system prevents unauthorized and unintended information transfer via shared system resources.
SC-4
(CCI-001090)
The information system prevents unauthorized and unintended information transfer via shared system resources.
SECURITY LEVELS
SC-4 (1) [Withdrawn: Incorporated into SC-4].
PERIODS PROCESSING
SC-4 (2) The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.
SC-4 (2)
(CCI-002383)
The organization defines the procedures to be employed to prevent unauthorized information transfer via shared resources when system processing explicitly switches between different information classification levels or security categories.
SC-4 (2)
(CCI-002384)
The information system prevents unauthorized information transfer via shared resources in accordance with organization-defined procedures when system processing explicitly switches between different information classification levels or security categories.
SC-5 SYSTEM AND COMMUNICATIONS PROTECTION : DENIAL OF SERVICE PROTECTION
SC-5 The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
SC-5
(CCI-001093)
The organization defines the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system.
SC-5
(CCI-002385)
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.
SC-5
(CCI-002386)
The organization defines the security safeguards to be employed to protect the information system against, or limit the effects of, denial of service attacks.
RESTRICT INTERNAL USERS
SC-5 (1) The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems.
SC-5 (1)
(CCI-001094)
The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.
SC-5 (1)
(CCI-002387)
The organization defines the denial of service attacks against other information systems that the information system is to restrict the ability of individuals to launch.
EXCESS CAPACITY / BANDWIDTH / REDUNDANCY
SC-5 (2) The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks.
SC-5 (2)
(CCI-001095)
The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
DETECTION / MONITORING
SC-5 (3) The organization:
SC-5 (3)(a) Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and
SC-5 (3) (a)
(CCI-002388)
The organization defines a list of monitoring tools to be employed to detect indicators of denial of service attacks against the information system.
SC-5 (3) (a)
(CCI-002389)
The organization employs an organization-defined list of monitoring tools to detect indicators of denial of service attacks against the information system.
SC-5 (3)(b) Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks.
SC-5 (3) (b)
(CCI-002390)
The organization defines the information system resources to be monitored to determine if sufficient resources exist to prevent effective denial of service attacks.
SC-5 (3) (b)
(CCI-002391)
The organization monitors organization-defined information system resources to determine if sufficient resources exist to prevent effective denial of service attacks.
SC-6 SYSTEM AND COMMUNICATIONS PROTECTION : RESOURCE AVAILABILITY
SC-6 The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined security safeguards]].
SC-6
(CCI-002392)
The organization defines the resources to be allocated to protect the availability of information system resources.
SC-6
(CCI-002393)
The organization defines the security safeguards to be employed to protect the availability of information system resources.
SC-6
(CCI-002394)
The information system protects the availability of resources by allocating organization-defined resources based on priority, quota, and/or organization-defined security safeguards.
SC-7 SYSTEM AND COMMUNICATIONS PROTECTION : BOUNDARY PROTECTION
SC-7 The information system:
SC-7a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
SC-7 a
(CCI-001097)
The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
SC-7b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
SC-7 b
(CCI-002395)
The information system implements subnetworks for publicly accessible system components that are physically and/or logically separated from internal organizational networks.
SC-7c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SC-7 c
(CCI-001098)
The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
PHYSICALLY SEPARATED SUBNETWORKS
SC-7 (1) [Withdrawn: Incorporated into SC-7].
PUBLIC ACCESS
SC-7 (2) [Withdrawn: Incorporated into SC-7].
ACCESS POINTS
SC-7 (3) The organization limits the number of external network connections to the information system.
SC-7 (3)
(CCI-001101)
The organization limits the number of external network connections to the information system.
EXTERNAL TELECOMMUNICATIONS SERVICES
SC-7 (4) The organization:
SC-7 (4)(a) Implements a managed interface for each external telecommunication service;
SC-7 (4) (a)
(CCI-001102)
The organization implements a managed interface for each external telecommunication service.
SC-7 (4)(b) Establishes a traffic flow policy for each managed interface;
SC-7 (4) (b)
(CCI-001103)
The organization establishes a traffic flow policy for each managed interface for each external telecommunication service.
SC-7 (4)(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
SC-7 (4) (c)
(CCI-002396)
The organization protects the confidentiality and integrity of the information being transmitted across each interface for each external telecommunication service.
SC-7 (4)(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
SC-7 (4) (d)
(CCI-001105)
The organization documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need for each external telecommunication service.
SC-7 (4)(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
SC-7 (4) (e)
(CCI-001106)
The organization reviews exceptions to the traffic flow policy on an organization-defined frequency for each external telecommunication service.
SC-7 (4) (e)
(CCI-001107)
The organization defines a frequency for the review of exceptions to the traffic flow policy for each external telecommunication service.
SC-7 (4) (e)
(CCI-001108)
The organization removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need for each external telecommunication service.
DENY BY DEFAULT / ALLOW BY EXCEPTION
SC-7 (5) The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
SC-7 (5)
(CCI-001109)
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
RESPONSE TO RECOGNIZED FAILURES
SC-7 (6) [Withdrawn: Incorporated into SC-7 (18)].
PREVENT SPLIT TUNNELING FOR REMOTE DEVICES
SC-7 (7) The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
SC-7 (7)
(CCI-002397)
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS
SC-7 (8) The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
SC-7 (8)
(CCI-001112)
The information system routes organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers at managed interfaces.
SC-7 (8)
(CCI-001113)
The organization defines the internal communications traffic to be routed to external networks.
SC-7 (8)
(CCI-001114)
The organization defines the external networks to which organization-defined internal communications traffic should be routed.
RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC
SC-7 (9) The information system:
SC-7 (9)(a) Detects and denies outgoing communications traffic posing a threat to external information systems; and
SC-7 (9) (a)
(CCI-002398)
The information system detects outgoing communications traffic posing a threat to external information systems.
SC-7 (9) (a)
(CCI-002399)
The information system denies outgoing communications traffic posing a threat to external information systems.
SC-7 (9)(b) Audits the identity of internal users associated with denied communications.
SC-7 (9) (b)
(CCI-002400)
The information system audits the identity of internal users associated with denied outgoing communications traffic posing a threat to external information systems.
PREVENT UNAUTHORIZED EXFILTRATION
SC-7 (10) The organization prevents the unauthorized exfiltration of information across managed interfaces.
SC-7 (10)
(CCI-001116)
The organization prevents the unauthorized exfiltration of information across managed interfaces.
RESTRICT INCOMING COMMUNICATIONS TRAFFIC
SC-7 (11) The information system only allows incoming communications from [Assignment: organization-defined authorized sources] routed to [Assignment: organization-defined authorized destinations].
SC-7 (11)
(CCI-002401)
The organization defines the authorized sources from which the information system will allow incoming communications.
SC-7 (11)
(CCI-002402)
The organization defines the authorized destinations for routing inbound communications.
SC-7 (11)
(CCI-002403)
The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
HOST-BASED PROTECTION
SC-7 (12) The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].
SC-7 (12)
(CCI-002404)
The organization defines the host-based boundary protection mechanisms that are to be implemented at organization-defined information system components.
SC-7 (12)
(CCI-002405)
The organization defines the information system components at which organization-defined host-based boundary protection mechanisms will be implemented.
SC-7 (12)
(CCI-002406)
The organization implements organization-defined host-based boundary protection mechanisms at organization-defined information system components.
ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS
SC-7 (13) The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
SC-7 (13)
(CCI-001119)
The organization isolates organization-defined information security tools, mechanisms, and support components from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
SC-7 (13)
(CCI-001120)
The organization defines key information security tools, mechanisms, and support components to be isolated.
PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS
SC-7 (14) The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces].
SC-7 (14)
(CCI-001121)
The organization protects against unauthorized physical connections at organization-defined managed interfaces.
SC-7 (14)
(CCI-001122)
The organization defines the managed interfaces where boundary protections against unauthorized physical connections are to be implemented.
SC-7 (14)
(CCI-002407)
The organization defines the managed interfaces at which the organization protects against unauthorized physical connections.
ROUTE PRIVILEGED NETWORK ACCESSES
SC-7 (15) The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
SC-7 (15)
(CCI-001123)
The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
PREVENT DISCOVERY OF COMPONENTS / DEVICES
SC-7 (16) The information system prevents discovery of specific system components composing a managed interface.
SC-7 (16)
(CCI-001124)
The information system prevents discovery of specific system components composing a managed interface.
AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS
SC-7 (17) The information system enforces adherence to protocol formats.
SC-7 (17)
(CCI-001125)
The information system enforces adherence to protocol format.
FAIL SECURE
SC-7 (18) The information system fails securely in the event of an operational failure of a boundary protection device.
SC-7 (18)
(CCI-001126)
The information system fails securely in the event of an operational failure of a boundary protection device.
BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS
SC-7 (19) The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.
SC-7 (19)
(CCI-002408)
The organization defines the independently configured communication clients, which are configured by end users and external service providers, between which the information system will block both inbound and outbound communications traffic.
SC-7 (19)
(CCI-002409)
The information system blocks both inbound and outbound communications traffic between organization-defined communication clients that are independently configured by end users and external service providers.
DYNAMIC ISOLATION / SEGREGATION
SC-7 (20) The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system.
SC-7 (20)
(CCI-002410)
The organization defines information system components that are to be dynamically isolated/segregated from other components of the information system.
SC-7 (20)
(CCI-002411)
The information system provides the capability to dynamically isolate/segregate organization-defined information system components from other components of the system.
ISOLATION OF INFORMATION SYSTEM COMPONENTS
SC-7 (21) The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions].
SC-7 (21)
(CCI-002412)
The organization defines the information system components supporting organization-defined missions and/or business functions that are to be separated using boundary protection mechanisms.
SC-7 (21)
(CCI-002413)
The organization defines the information system components supporting organization-defined missions and/or business functions that are to be separated using boundary protection mechanisms.
SC-7 (21)
(CCI-002414)
The organization defines the missions and/or business functions for which boundary protection mechanisms will be employed to separate the supporting organization-defined information system components.
SC-7 (21)
(CCI-002415)
The organization employs boundary protection mechanisms to separate organization-defined information system components supporting organization-defined missions and/or business functions.
SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS
SC-7 (22) The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.
SC-7 (22)
(CCI-002416)
The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.
DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE
SC-7 (23) The information system disables feedback to senders on protocol format validation failure.
SC-7 (23)
(CCI-002417)
The information system disables feedback to senders on protocol format validation failure.
SC-8 SYSTEM AND COMMUNICATIONS PROTECTION : TRANSMISSION CONFIDENTIALITY AND INTEGRITY
SC-8 The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
SC-8
(CCI-002418)
The information system protects the confidentiality and/or integrity of transmitted information.
CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION
SC-8 (1) The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
SC-8 (1)
(CCI-002419)
The organization defines the alternative physical safeguards to be employed when cryptographic mechanisms are not implemented to protect information during transmission.
SC-8 (1)
(CCI-002421)
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.
PRE / POST TRANSMISSION HANDLING
SC-8 (2) The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.
SC-8 (2)
(CCI-002420)
The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
SC-8 (2)
(CCI-002422)
The information system maintains the confidentiality and/or integrity of information during reception.
CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS
SC-8 (3) The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
SC-8 (3)
(CCI-002423)
The information system implements cryptographic mechanisms to protect message externals (e.g., message headers and routing information) unless otherwise protected by organization-defined alternative physical safeguards.
SC-8 (3)
(CCI-002427)
The organization defines the alternative physical safeguards to be employed to protect message externals (e.g., message headers and routing information) when cryptographic mechanisms are not implemented.
CONCEAL / RANDOMIZE COMMUNICATIONS
SC-8 (4) The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
SC-8 (4)
(CCI-002424)
The organization defines the alternative physical safeguards to be employed when cryptographic mechanisms are not implemented by the information system.
SC-8 (4)
(CCI-002425)
The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by organization-defined alternative physical safeguards.
SC-9 SYSTEM AND COMMUNICATIONS PROTECTION : TRANSMISSION CONFIDENTIALITY
SC-9 [Withdrawn: Incorporated into SC-8].
SC-10 SYSTEM AND COMMUNICATIONS PROTECTION : NETWORK DISCONNECT
SC-10 The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
SC-10
(CCI-001133)
The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
SC-10
(CCI-001134)
The organization defines the time period of inactivity after which the information system terminates a network connection associated with a communications session.
SC-11 SYSTEM AND COMMUNICATIONS PROTECTION : TRUSTED PATH
SC-11 The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].
SC-11
(CCI-001661)
The organization defines the security functions, to minimally include information system authentication and re-authentication, within the information system to be included in a trusted communications path.
SC-11
(CCI-001135)
The information system establishes a trusted communications path between the user and organization-defined security functions within the information system.
LOGICAL ISOLATION
SC-11 (1) The information system provides a trusted communications path that is logically isolated and distinguishable from other paths.
SC-11 (1)
(CCI-002426)
The information system provides a trusted communications path that is logically isolated and distinguishable from other paths.
SC-12 SYSTEM AND COMMUNICATIONS PROTECTION : CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC-12 The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
SC-12
(CCI-002428)
The organization defines the requirements for cryptographic key generation to be employed within the information system.
SC-12
(CCI-002429)
The organization defines the requirements for cryptographic key distribution to be employed within the information system.
SC-12
(CCI-002430)
The organization defines the requirements for cryptographic key storage to be employed within the information system.
SC-12
(CCI-002431)
The organization defines the requirements for cryptographic key access to be employed within the information system.
SC-12
(CCI-002432)
The organization defines the requirements for cryptographic key destruction to be employed within the information system.
SC-12
(CCI-002433)
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation.
SC-12
(CCI-002434)
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key distribution.
SC-12
(CCI-002435)
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key storage.
SC-12
(CCI-002436)
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key access.
SC-12
(CCI-002437)
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key destruction.
SC-12
(CCI-002438)
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation.
SC-12
(CCI-002439)
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key distribution.
SC-12
(CCI-002440)
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key storage.
SC-12
(CCI-002441)
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key access.
SC-12
(CCI-002442)
The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key destruction.
AVAILABILITY
SC-12 (1) The organization maintains availability of information in the event of the loss of cryptographic keys by users.
SC-12 (1)
(CCI-001139)
The organization maintains availability of information in the event of the loss of cryptographic keys by users.
SYMMETRIC KEYS
SC-12 (2) The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes.
SC-12 (2)
(CCI-002443)
The organization produces symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes.
SC-12 (2)
(CCI-002444)
The organization controls symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes.
SC-12 (2)
(CCI-002445)
The organization distributes symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes.
ASYMMETRIC KEYS
SC-12 (3) The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key].
SC-12 (3)
(CCI-002446)
The organization produces asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
SC-12 (3)
(CCI-002447)
The organization controls asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
SC-12 (3)
(CCI-002448)
The organization distributes asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
PKI CERTIFICATES
SC-12 (4) [Withdrawn: Incorporated into SC-12].
PKI CERTIFICATES / HARDWARE TOKENS
SC-12 (5) [Withdrawn: Incorporated into SC-12].
SC-13 SYSTEM AND COMMUNICATIONS PROTECTION : CRYPTOGRAPHIC PROTECTION
SC-13 The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SC-13
(CCI-002449)
The organization defines the cryptographic uses, and type of cryptography required for each use, to be implemented by the information system.
SC-13
(CCI-002450)
The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
FIPS-VALIDATED CRYPTOGRAPHY
SC-13 (1) [Withdrawn: Incorporated into SC-13].
NSA-APPROVED CRYPTOGRAPHY
SC-13 (2) [Withdrawn: Incorporated into SC-13].
INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS
SC-13 (3) [Withdrawn: Incorporated into SC-13].
DIGITAL SIGNATURES
SC-13 (4) [Withdrawn: Incorporated into SC-13].
SC-14 SYSTEM AND COMMUNICATIONS PROTECTION : PUBLIC ACCESS PROTECTIONS
SC-14 [Withdrawn: Capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10].
SC-15 SYSTEM AND COMMUNICATIONS PROTECTION : COLLABORATIVE COMPUTING DEVICES
SC-15 The information system:
SC-15a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
SC-15 a
(CCI-001150)
The information system prohibits remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed.
SC-15 a
(CCI-001151)
The organization defines exceptions to the prohibition of collaborative computing devices where remote activation is to be allowed.
SC-15b. Provides an explicit indication of use to users physically present at the devices.
SC-15 b
(CCI-001152)
The information system provides an explicit indication of use to users physically present at collaborative computing devices.
PHYSICAL DISCONNECT
SC-15 (1) The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.
SC-15 (1)
(CCI-001153)
The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.
BLOCKING INBOUND / OUTBOUND COMMUNICATIONS TRAFFIC
SC-15 (2) [Withdrawn: Incorporated into SC-7].
DISABLING / REMOVAL IN SECURE WORK AREAS
SC-15 (3) The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas].
SC-15 (3)
(CCI-001155)
The organization disables or removes collaborative computing devices from organization-defined information systems or information system components in organization-defined secure work areas.
SC-15 (3)
(CCI-001156)
The organization defines secure work areas where collaborative computing devices are to be disabled or removed.
SC-15 (3)
(CCI-002451)
The organization defines the information systems or information system components from which collaborative computing devices in organization-defined secure work areas are to be disabled or removed.
EXPLICITLY INDICATE CURRENT PARTICIPANTS
SC-15 (4) The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences].
SC-15 (4)
(CCI-002452)
The organization defines the online meetings and teleconferences for which the information system provides an explicit indication of current participants.
SC-15 (4)
(CCI-002453)
The information system provides an explicit indication of current participants in organization-defined online meetings and teleconferences.
SC-16 SYSTEM AND COMMUNICATIONS PROTECTION : TRANSMISSION OF SECURITY ATTRIBUTES
SC-16 The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.
SC-16
(CCI-001157)
The information system associates organization-defined security attributes with information exchanged between information systems.
SC-16
(CCI-002454)
The organization defines the security attributes the information system is to associate with the information being exchanged between information systems and between information system components.
SC-16
(CCI-002455)
The information system associates organization-defined security attributes with information exchanged between information system components.
INTEGRITY VALIDATION
SC-16 (1) The information system validates the integrity of transmitted security attributes.
SC-16 (1)
(CCI-001158)
The information system validates the integrity of transmitted security attributes.
SC-17 SYSTEM AND COMMUNICATIONS PROTECTION : PUBLIC KEY INFRASTRUCTURE CERTIFICATES
SC-17 The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.
SC-17
(CCI-001159)
The organization issues public key certificates under an organization-defined certificate policy or obtains public key certificates from an approved service provider.
SC-17
(CCI-002456)
The organization defines the certificate policy employed to issue public key certificates.
SC-18 SYSTEM AND COMMUNICATIONS PROTECTION : MOBILE CODE
SC-18 The organization:
SC-18a. Defines acceptable and unacceptable mobile code and mobile code technologies;
SC-18 a
(CCI-001160)
The organization defines acceptable and unacceptable mobile code and mobile code technologies.
SC-18b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
SC-18 b
(CCI-001162)
The organization establishes implementation guidance for acceptable mobile code and mobile code technologies.
SC-18 b
(CCI-001161)
The organization establishes usage restrictions for acceptable mobile code and mobile code technologies.
SC-18c. Authorizes, monitors, and controls the use of mobile code within the information system.
SC-18 c
(CCI-001163)
The organization authorizes the use of mobile code within the information system.
SC-18 c
(CCI-001164)
The organization monitors the use of mobile code within the information system.
SC-18 c
(CCI-001165)
The organization controls the use of mobile code within the information system.
IDENTIFY UNACCEPTABLE CODE / TAKE CORRECTIVE ACTIONS
SC-18 (1) The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions].
SC-18 (1)
(CCI-001662)
The information system takes organization-defined corrective action when organization-defined unacceptable mobile code is identified.
SC-18 (1)
(CCI-001166)
The information system identifies organization-defined unacceptable mobile code.
SC-18 (1)
(CCI-002457)
The organization defines the corrective actions to be taken when organization-defined unacceptable mobile code is identified.
SC-18 (1)
(CCI-002458)
The organization defines what constitutes unacceptable mobile code for its information systems.
ACQUISITION / DEVELOPMENT / USE
SC-18 (2) The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements].
SC-18 (2)
(CCI-001167)
The organization ensures the development of mobile code to be deployed in information systems meets organization-defined mobile code requirements.
SC-18 (2)
(CCI-001168)
The organization defines requirements for the acquisition, development, and use of mobile code.
SC-18 (2)
(CCI-001687)
The organization ensures the use of mobile code to be deployed in information systems meets organization-defined mobile code requirements.
SC-18 (2)
(CCI-001688)
The organization ensures the acquisition of mobile code to be deployed in information systems meets organization-defined mobile code requirements.
PREVENT DOWNLOADING / EXECUTION
SC-18 (3) The information system prevents the download and execution of [Assignment: organization-defined unacceptable mobile code].
SC-18 (3)
(CCI-001169)
The information system prevents the download of organization-defined unacceptable mobile code.
SC-18 (3)
(CCI-001695)
The information system prevents the execution of organization-defined unacceptable mobile code.
SC-18 (3)
(CCI-002459)
The organization defines the unacceptable mobile code of which the information system is to prevent download and execution.
PREVENT AUTOMATIC EXECUTION
SC-18 (4) The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code.
SC-18 (4)
(CCI-001170)
The information system prevents the automatic execution of mobile code in organization-defined software applications.
SC-18 (4)
(CCI-001171)
The organization defines software applications in which automatic mobile code execution is to be prohibited.
SC-18 (4)
(CCI-001172)
The organization defines actions to be enforced by the information system before executing mobile code.
SC-18 (4)
(CCI-002460)
The information system enforces organization-defined actions prior to executing mobile code.
ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS
SC-18 (5) The organization allows execution of permitted mobile code only in confined virtual machine environments.
SC-18 (5)
(CCI-002461)
The organization allows execution of permitted mobile code only in confined virtual machine environments.
SC-19 SYSTEM AND COMMUNICATIONS PROTECTION : VOICE OVER INTERNET PROTOCOL
SC-19 The organization:
SC-19a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
SC-19 a
(CCI-001173)
The organization establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously.
SC-19 a
(CCI-001174)
The organization establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously.
SC-19b. Authorizes, monitors, and controls the use of VoIP within the information system.
SC-19 b
(CCI-001175)
The organization authorizes the use of VoIP within the information system.
SC-19 b
(CCI-001176)
The organization monitors the use of VoIP within the information system.
SC-19 b
(CCI-001177)
The organization controls the use of VoIP within the information system.
SC-20 SYSTEM AND COMMUNICATIONS PROTECTION : SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-20 The information system:
SC-20a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
SC-20 a
(CCI-001178)
The information system provides additional data origin authentication artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
SC-20 a
(CCI-002462)
The information system provides additional data integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
SC-20b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
SC-20 b
(CCI-001663)
The information system, when operating as part of a distributed, hierarchical namespace, provides the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
SC-20 b
(CCI-001179)
The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child zones.
CHILD SUBSPACES
SC-20 (1) [Withdrawn: Incorporated into SC-20].
DATA ORIGIN / INTEGRITY
SC-20 (2) The information system provides data origin and integrity protection artifacts for internal name/address resolution queries.
SC-20 (2)
(CCI-002463)
The information system provides data origin artifacts for internal name/address resolution queries.
SC-20 (2)
(CCI-002464)
The information system provides data integrity protection artifacts for internal name/address resolution queries.
SC-21 SYSTEM AND COMMUNICATIONS PROTECTION : SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
SC-21 The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-21
(CCI-002465)
The information system requests data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.
SC-21
(CCI-002466)
The information system requests data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-21
(CCI-002467)
The information system performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-21
(CCI-002468)
The information system performs data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.
DATA ORIGIN / INTEGRITY
SC-21 (1) [Withdrawn: Incorporated into SC-21].
SC-22 SYSTEM AND COMMUNICATIONS PROTECTION : ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
SC-22 The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
SC-22
(CCI-001182)
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant.
SC-22
(CCI-001183)
The information systems that collectively provide name/address resolution service for an organization implement internal/external role separation.
SC-23 SYSTEM AND COMMUNICATIONS PROTECTION : SESSION AUTHENTICITY
SC-23 The information system protects the authenticity of communications sessions.
SC-23
(CCI-001184)
The information system protects the authenticity of communications sessions.
INVALIDATE SESSION IDENTIFIERS AT LOGOUT
SC-23 (1) The information system invalidates session identifiers upon user logout or other session termination.
SC-23 (1)
(CCI-001185)
The information system invalidates session identifiers upon user logout or other session termination.
USER-INITIATED LOGOUTS / MESSAGE DISPLAYS
SC-23 (2) [Withdrawn: Incorporated into AC-12 (1)].
UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION
SC-23 (3) The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated.
SC-23 (3)
(CCI-001664)
The information system recognizes only session identifiers that are system-generated.
SC-23 (3)
(CCI-001188)
The information system generates unique session identifiers for each session with organization-defined randomness requirements.
SC-23 (3)
(CCI-001189)
The organization defines randomness requirements for generating unique session identifiers.
UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION
SC-23 (4) [Withdrawn: Incorporated into SC-23 (3)].
ALLOWED CERTIFICATE AUTHORITIES
SC-23 (5) The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.
SC-23 (5)
(CCI-002469)
The organization defines the certificate authorities the information system will allow to be used on the information system.
SC-23 (5)
(CCI-002470)
The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.
SC-24 SYSTEM AND COMMUNICATIONS PROTECTION : FAIL IN KNOWN STATE
SC-24 The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
SC-24
(CCI-001665)
The information system preserves organization-defined system state information in the event of a system failure.
SC-24
(CCI-001190)
The information system fails to an organization-defined known-state for organization-defined types of failures.
SC-24
(CCI-001191)
The organization defines the known states the information system should fail to in the event of an organization-defined system failure.
SC-24
(CCI-001192)
The organization defines types of failures for which the information system should fail to an organization-defined known state.
SC-24
(CCI-001193)
The organization defines system state information that should be preserved in the event of a system failure.
SC-25 SYSTEM AND COMMUNICATIONS PROTECTION : THIN NODES
SC-25 The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage.
SC-25
(CCI-001194)
The information system employs organization-defined information system components with minimal functionality and information storage.
SC-25
(CCI-002471)
The organization defines the information system components, with minimal functionality and information storage, to be employed.
SC-26 SYSTEM AND COMMUNICATIONS PROTECTION : HONEYPOTS
SC-26 The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
SC-26
(CCI-001195)
The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
DETECTION OF MALICIOUS CODE
SC-26 (1) [Withdrawn: Incorporated into SC-35].
SC-27 SYSTEM AND COMMUNICATIONS PROTECTION : PLATFORM-INDEPENDENT APPLICATIONS
SC-27 The information system includes: [Assignment: organization-defined platform-independent applications].
SC-27
(CCI-001197)
The information system includes organization-defined platform-independent applications.
SC-27
(CCI-001198)
The organization defines applications that are platform independent.
SC-28 SYSTEM AND COMMUNICATIONS PROTECTION : PROTECTION OF INFORMATION AT REST
SC-28 The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].
SC-28
(CCI-001199)
The information system protects the confidentiality and/or integrity of organization-defined information at rest.
SC-28
(CCI-002472)
The organization defines the information at rest that is to be protected by the information system.
CRYPTOGRAPHIC PROTECTION
SC-28 (1) The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].
SC-28 (1)
(CCI-002473)
The organization defines the information at rest for which cryptographic mechanisms will be implemented.
SC-28 (1)
(CCI-002474)
The organization defines the information system components which require the implementation of cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information at rest.
SC-28 (1)
(CCI-002475)
The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.
SC-28 (1)
(CCI-002476)
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.
OFF-LINE STORAGE
SC-28 (2) The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information].
SC-28 (2)
(CCI-002477)
The organization defines the information at rest to be removed from online storage and stored in an off-line secure location.
SC-28 (2)
(CCI-002478)
The organization removes organization-defined information at rest from online storage.
SC-28 (2)
(CCI-002479)
The organization stores organization-defined information at rest in an off-line secure location.
SC-29 SYSTEM AND COMMUNICATIONS PROTECTION : HETEROGENEITY
SC-29 The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system.
SC-29
(CCI-001201)
The organization employs a diverse set of information technologies for organization-defined information system components in the implementation of the information system.
SC-29
(CCI-002480)
The organization defines the information system components for which a diverse set of information technologies are to be employed.
VIRTUALIZATION TECHNIQUES
SC-29 (1) The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].
SC-29 (1)
(CCI-001203)
The organization employs virtualization techniques to support the deployment of a diversity of operating systems that are changed on an organization-defined frequency.
SC-29 (1)
(CCI-001204)
The organization defines the frequency of changes to operating systems and applications to support a diversity of deployments.
SC-29 (1)
(CCI-002481)
The organization employs virtualization techniques to support the deployment of a diversity of applications that are changed per organization-defined frequency.
SC-30 SYSTEM AND COMMUNICATIONS PROTECTION : CONCEALMENT AND MISDIRECTION
SC-30 The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries.
SC-30
(CCI-002482)
The organization defines the concealment and misdirection techniques employed for organization-defined information systems to confuse and mislead adversaries.
SC-30
(CCI-002483)
The organization defines the information systems for which organization-defined concealment and misdirection techniques are to be employed.
SC-30
(CCI-002484)
The organization defines the time periods at which it will employ organization-defined concealment and misdirection techniques on organization-defined information systems.
SC-30
(CCI-002485)
The organization employs organization-defined concealment and misdirection techniques for organization-defined information systems at organization-defined time periods to confuse and mislead adversaries.
VIRTUALIZATION TECHNIQUES
SC-30 (1) [Withdrawn: Incorporated into SC-29 (1)].
RANDOMNESS
SC-30 (2) The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.
SC-30 (2)
(CCI-002486)
The organization defines the techniques to be employed to introduce randomness into organizational operations and assets.
SC-30 (2)
(CCI-002487)
The organization employs organization-defined techniques to introduce randomness into organizational operations.
SC-30 (2)
(CCI-002488)
The organization employs organization-defined techniques to introduce randomness into organizational assets.
CHANGE PROCESSING / STORAGE LOCATIONS
SC-30 (3) The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals].
SC-30 (3)
(CCI-002489)
The organization defines the processing and/or storage locations to be changed at random intervals or at an organization-defined frequency.
SC-30 (3)
(CCI-002490)
The organization defines the frequency at which it changes the location of organization-defined processing and/or storage.
SC-30 (3)
(CCI-002491)
The organization changes the location of organization-defined processing and/or storage at an organization-defined time frequency or at random time intervals.
SC-30 (3)
(CCI-002492)
The organization changes the location of organization-defined processing and/or storage at an organization-defined time frequency or at random time intervals.
MISLEADING INFORMATION
SC-30 (4) The organization employs realistic, but misleading information in [Assignment: organization-defined information system components] with regard to its security state or posture.
SC-30 (4)
(CCI-002493)
The organization defines the information system components in which it will employ realistic but misleading information regarding its security state or posture.
SC-30 (4)
(CCI-002494)
The organization employs realistic, but misleading, information in organization-defined information system components with regard to its security state or posture.
CONCEALMENT OF SYSTEM COMPONENTS
SC-30 (5) The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components].
SC-30 (5)
(CCI-002495)
The organization defines the techniques to be employed to hide or conceal organization-defined information system components.
SC-30 (5)
(CCI-002496)
The organization defines the information system components to be hidden or concealed.
SC-30 (5)
(CCI-002497)
The organization employs organization-defined techniques to hide or conceal organization-defined information system components.
SC-31 SYSTEM AND COMMUNICATIONS PROTECTION : COVERT CHANNEL ANALYSIS
SC-31 The organization:
SC-31a. Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and
SC-31 a
(CCI-002498)
The organization performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert storage and/or timing channels.
SC-31b. Estimates the maximum bandwidth of those channels.
SC-31 b
(CCI-002499)
The organization estimates the maximum bandwidth of the covert storage and timing channels.
TEST COVERT CHANNELS FOR EXPLOITABILITY
SC-31 (1) The organization tests a subset of the identified covert channels to determine which channels are exploitable.
SC-31 (1)
(CCI-001207)
The organization tests a subset of the identified covert channels to determine which channels are exploitable.
MAXIMUM BANDWIDTH
SC-31 (2) The organization reduces the maximum bandwidth for identified covert [Selection (one or more): storage; timing] channels to [Assignment: organization-defined values].
SC-31 (2)
(CCI-002500)
The organization defines the maximum bandwidth values to which covert storage and/or timing channels are to be reduced.
SC-31 (2)
(CCI-002501)
The organization reduces the maximum bandwidth for identified covert storage and/or timing channels to organization-defined values.
MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS
SC-31 (3) The organization measures the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the information system.
SC-31 (3)
(CCI-002502)
The organization defines the subset of identified covert channels in the operational environment of the information system that are to have the bandwidth measured.
SC-31 (3)
(CCI-002503)
The organization measures the bandwidth of an organization-defined subset of identified covert channels in the operational environment of the information system.
SC-32 SYSTEM AND COMMUNICATIONS PROTECTION : INFORMATION SYSTEM PARTITIONING
SC-32 The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components].
SC-32
(CCI-002504)
The organization defines the information system components into which the information system is partitioned.
SC-32
(CCI-002505)
The organization defines the circumstances under which the information system components are to be physically separated to support partitioning.
SC-32
(CCI-002506)
The organization partitions the information system into organization-defined information system components residing in separate physical domains or environments based on organization-defined circumstances for physical separation of components.
SC-33 SYSTEM AND COMMUNICATIONS PROTECTION : TRANSMISSION PREPARATION INTEGRITY
SC-33 [Withdrawn: Incorporated into SC-8].
SC-34 SYSTEM AND COMMUNICATIONS PROTECTION : NON-MODIFIABLE EXECUTABLE PROGRAMS
SC-34 The information system at [Assignment: organization-defined information system components]:
SC-34
(CCI-001212)
The organization defines information system components on which the operating environment and organization-defined applications are loaded and executed from hardware-enforced, read-only media.
SC-34a. Loads and executes the operating environment from hardware-enforced, read-only media; and
SC-34 a
(CCI-001210)
The information system, at organization-defined information system components, loads and executes the operating environment from hardware-enforced, read-only media.
SC-34b. Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media.
SC-34 b
(CCI-001211)
The information system, at organization-defined information system components, loads and executes organization-defined applications from hardware-enforced, read-only media.
SC-34 b
(CCI-001213)
The organization defines applications that will be loaded and executed from hardware-enforced, read-only media.
NO WRITABLE STORAGE
SC-34 (1) The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off.
SC-34 (1)
(CCI-001214)
The organization employs organization-defined information system components with no writeable storage that is persistent across component restart or power on/off.
SC-34 (1)
(CCI-001215)
The organization defines the information system components to be employed with no writeable storage.
INTEGRITY PROTECTION / READ-ONLY MEDIA
SC-34 (2) The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media.
SC-34 (2)
(CCI-001216)
The organization protects the integrity of information prior to storage on read-only media.
SC-34 (2)
(CCI-002507)
The organization controls read-only media after information has been recorded onto the media.
HARDWARE-BASED PROTECTION
SC-34 (3) The organization:
SC-34 (3)(a) Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and
SC-34 (3) (a)
(CCI-002508)
The organization defines the information system firmware components for which hardware-based, write-protect is employed.
SC-34 (3) (a)
(CCI-002509)
The organization employs hardware-based, write-protect for organization-defined information system firmware components.
SC-34 (3)(b) Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.
SC-34 (3) (b)
(CCI-002510)
The organization defines the individuals authorized to manually disable hardware-based, write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.
SC-34 (3) (b)
(CCI-002511)
The organization implements specific procedures for organization-defined authorized individuals to manually disable hardware-based, write-protect for firmware modifications.
SC-34 (3) (b)
(CCI-002512)
The organization implements specific procedures for organization-defined authorized individuals to manually re-enable hardware write-protect prior to returning to operational mode.
SC-35 SYSTEM AND COMMUNICATIONS PROTECTION : HONEYCLIENTS
SC-35 The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.
SC-35
(CCI-001196)
The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.
SC-36 SYSTEM AND COMMUNICATIONS PROTECTION : DISTRIBUTED PROCESSING AND STORAGE
SC-36 The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations.
SC-36
(CCI-002513)
The organization defines the processing that is to be distributed across multiple physical locations.
SC-36
(CCI-002514)
The organization defines the storage that is to be distributed across multiple physical locations.
SC-36
(CCI-002515)
The organization distributes organization-defined processing across multiple physical locations.
SC-36
(CCI-002516)
The organization distributes organization-defined storage across multiple physical locations.
POLLING TECHNIQUES
SC-36 (1) The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components].
SC-36 (1)
(CCI-002517)
The organization defines the distributed processing components that are to be polled to identify potential faults, errors, or compromises.
SC-36 (1)
(CCI-002518)
The organization defines the distributed storage components that are to be polled to identify potential faults, errors, or compromises.
SC-36 (1)
(CCI-002519)
The organization employs polling techniques to identify potential faults, errors, or compromises to organization-defined distributed processing components.
SC-36 (1)
(CCI-002520)
The organization employs polling techniques to identify potential faults, errors, or compromises to organization-defined distributed storage components.
SC-37 SYSTEM AND COMMUNICATIONS PROTECTION : OUT-OF-BAND CHANNELS
SC-37 The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems].
SC-37
(CCI-002521)
The organization defines the out-of-band channels to be employed for the physical delivery or electronic transmission of organization-defined information, information system components, or devices.
SC-37
(CCI-002522)
The organization defines the information, information system components, or devices that are to be electronically transmitted or physically delivered via organization-defined out-of-band channels.
SC-37
(CCI-002524)
The organization employs organization-defined out-of-band channels for the electronic transmission or physical delivery of organization-defined information, information system components, or devices to organization-defined individuals or information systems.
ENSURE DELIVERY / TRANSMISSION
SC-37 (1) The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices].
SC-37 (1)
(CCI-002525)
The organization defines the security safeguards to be employed to ensure only organization-defined individuals or information systems receive organization-defined information, information system components, or devices.
SC-37 (1)
(CCI-002526)
The organization defines the information, information system components, or devices which are to be received only by organization-defined individuals or information systems.
SC-37 (1)
(CCI-002527)
The organization employs organization-defined security safeguards to ensure only organization-defined individuals or information systems receive the organization-defined information, information system components, or devices.
SC-38 SYSTEM AND COMMUNICATIONS PROTECTION : OPERATIONS SECURITY
SC-38 The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle.
SC-38
(CCI-002528)
The organization defines the operations security safeguards to be employed to protect key organizational information throughout the system development life cycle.
SC-38
(CCI-002529)
The organization employs organization-defined operations security safeguards to protect key organizational information throughout the system development life cycle.
SC-39 SYSTEM AND COMMUNICATIONS PROTECTION : PROCESS ISOLATION
SC-39 The information system maintains a separate execution domain for each executing process.
SC-39
(CCI-002530)
The information system maintains a separate execution domain for each executing process.
HARDWARE SEPARATION
SC-39 (1) The information system implements underlying hardware separation mechanisms to facilitate process separation.
SC-39 (1)
(CCI-002531)
The information system implements underlying hardware separation mechanisms to facilitate process separation.
THREAD ISOLATION
SC-39 (2) The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing].
SC-39 (2)
(CCI-002532)
The organization defines the multi-threaded processing in which a separate execution domain is maintained by the information system for each thread.
SC-39 (2)
(CCI-002533)
The information system maintains a separate execution domain for each thread in organization-defined multi-threaded processing.
SC-40 SYSTEM AND COMMUNICATIONS PROTECTION : WIRELESS LINK PROTECTION
SC-40 The information system protects external and internal [Assignment: organization-defined wireless links] from [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].
SC-40
(CCI-002534)
The organization defines types of signal parameter attacks or references to sources for such attacks from which the information system protects organization-defined wireless links.
SC-40
(CCI-002535)
The organization defines the external and internal wireless links the information system is to protect from organization-defined types of signal parameter attacks or references to sources for such attacks.
SC-40
(CCI-002536)
The information system protects organization-defined external and internal wireless links from organization-defined types of signal parameter attacks or references to sources for such attacks.
ELECTROMAGNETIC INTERFERENCE
SC-40 (1) The information system implements cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference.
SC-40 (1)
(CCI-002537)
The organization defines the level of protection against the effects of intentional electromagnetic interference to be achieved by implemented cryptographic mechanisms.
SC-40 (1)
(CCI-002538)
The information system implements cryptographic mechanisms that achieve an organization-defined level of protection against the effects of intentional electromagnetic interference.
REDUCE DETECTION POTENTIAL
SC-40 (2) The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction].
SC-40 (2)
(CCI-002539)
The organization defines the level of reduction the information system is to implement to reduce the detection potential of wireless links.
SC-40 (2)
(CCI-002540)
The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to an organization-defined level of reduction.
IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION
SC-40 (3) The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
SC-40 (3)
(CCI-002541)
The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
SIGNAL PARAMETER IDENTIFICATION
SC-40 (4) The information system implements cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters.
SC-40 (4)
(CCI-002542)
The organization defines the wireless transmitters that are to have cryptographic mechanisms implemented by the information system to prevent the identification of the wireless transmitters.
SC-40 (4)
(CCI-002543)
The information system implements cryptographic mechanisms to prevent the identification of organization-defined wireless transmitters by using the transmitter signal parameters.
SC-41 SYSTEM AND COMMUNICATIONS PROTECTION : PORT AND I/O DEVICE ACCESS
SC-41 The organization physically disables or removes [Assignment: organization-defined connection ports or input/output devices] on [Assignment: organization-defined information systems or information system components].
SC-41
(CCI-002544)
The organization defines the information systems or information system components on which organization-defined connection ports or input/output devices are to be physically disabled or removed.
SC-41
(CCI-002545)
The organization defines the connection ports or input/output devices that are to be physically disabled or removed from organization-defined information systems or information system components.
SC-41
(CCI-002546)
The organization physically disables or removes organization-defined connection ports or input/output devices on organization-defined information systems or information system components.
SC-42 SYSTEM AND COMMUNICATIONS PROTECTION : SENSOR CAPABILITY AND DATA
SC-42 The information system:
SC-42a. Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and
SC-42 a
(CCI-002547)
The organization defines the exceptions where remote activation of sensors is allowed.
SC-42 a
(CCI-002548)
The information system prohibits the remote activation of environmental sensing capabilities except for the organization-defined exceptions where remote activation of sensors is allowed.
SC-42b. Provides an explicit indication of sensor use to [Assignment: organization-defined class of users].
SC-42 b
(CCI-002549)
The organization defines the class of users to receive explicit indication of sensor use.
SC-42 b
(CCI-002550)
The information system provides an explicit indication of sensor use to the organization-defined class of users.
REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES
SC-42 (1) The organization ensures that the information system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles.
SC-42 (1)
(CCI-002551)
The organization defines the sensors to be configured so that collected data or information is reported only to authorized individuals or roles.
SC-42 (1)
(CCI-002552)
The organization ensures that the information system is configured so that data or information collected by the organization-defined sensors is only reported to authorized individuals or roles.
AUTHORIZED USE
SC-42 (2) The organization employs the following measures: [Assignment: organization-defined measures], so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes.
SC-42 (2)
(CCI-002553)
The organization defines the measures to be employed to ensure data or information collected by organization-defined sensors is used only for authorized purposes.
SC-42 (2)
(CCI-002554)
The organization defines the sensors that are to collect data or information for authorized purposes.
SC-42 (2)
(CCI-002555)
The organization employs organization-defined measures, so that data or information collected by organization-defined sensors is only used for authorized purposes.
PROHIBIT USE OF DEVICES
SC-42 (3) The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems].
SC-42 (3)
(CCI-002556)
The organization defines the environmental sensing capabilities prohibited on devices used in organization-defined facilities, areas, or systems.
SC-42 (3)
(CCI-002557)
The organization defines the facilities, areas, or systems where devices possessing organization-defined environmental sensing capabilities are prohibited.
SC-42 (3)
(CCI-002558)
The organization prohibits the use of devices possessing organization-defined environmental sensing capabilities in organization-defined facilities, areas, or systems.
SC-43 SYSTEM AND COMMUNICATIONS PROTECTION : USAGE RESTRICTIONS
SC-43 The organization:
SC-43a. Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and
SC-43 a
(CCI-002559)
The organization defines the information system components for which usage restrictions and implementation guidance are to be established.
SC-43 a
(CCI-002560)
The organization establishes usage restrictions and implementation guidance for organization-defined information system components based on the potential to cause damage to the information system if used maliciously.
SC-43b. Authorizes, monitors, and controls the use of such components within the information system.
SC-43 b
(CCI-002561)
The organization authorizes the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously.
SC-43 b
(CCI-002562)
The organization monitors the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously.
SC-43 b
(CCI-002563)
The organization controls the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously.
SC-44 SYSTEM AND COMMUNICATIONS PROTECTION : DETONATION CHAMBERS
SC-44 The organization employs a detonation chamber capability within [Assignment: organization-defined information system, system component, or location].
SC-44
(CCI-002564)
The organization defines the information system, system component, or location where a detonation chamber (i.e., dynamic execution environments) capability is employed.
SC-44
(CCI-002565)
The organization employs a detonation chamber (i.e., dynamic execution environments) capability within an organization-defined information system, system component, or location.
SI-1 SYSTEM AND INFORMATION INTEGRITY : SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SI-1 The organization:
SI-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
SI-1 a
(CCI-002601)
The organization defines the personnel or roles to whom the system and information integrity policy and procedures are to be disseminated.
SI-1a.1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
SI-1 a 1
(CCI-001217)
The organization develops and documents a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
SI-1 a 1
(CCI-001218)
The organization disseminates the system and information integrity policy to organization-defined personnel or roles.
SI-1a.2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
SI-1 a 2
(CCI-001220)
The organization develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system integrity controls.
SI-1 a 2
(CCI-001221)
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system and information integrity policy and associated system integrity controls.
SI-1b. Reviews and updates the current:
SI-1b.1. System and information integrity policy [Assignment: organization-defined frequency]; and
SI-1 b 1
(CCI-001219)
The organization reviews and updates system and information integrity policy in accordance with organization-defined frequency.
SI-1 b 1
(CCI-001223)
The organization defines the frequency of system and information integrity policy reviews and updates.
SI-1b.2. System and information integrity procedures [Assignment: organization-defined frequency].
SI-1 b 2
(CCI-001222)
The organization reviews and updates system and information integrity procedures in accordance with organization-defined frequency.
SI-1 b 2
(CCI-001224)
The organization defines the frequency of system and information integrity procedure reviews and updates.
SI-2 SYSTEM AND INFORMATION INTEGRITY : FLAW REMEDIATION
SI-2 The organization:
SI-2a. Identifies, reports, and corrects information system flaws;
SI-2 a
(CCI-001225)
The organization identifies information system flaws.
SI-2 a
(CCI-001226)
The organization reports information system flaws.
SI-2 a
(CCI-001227)
The organization corrects information system flaws.
SI-2b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
SI-2 b
(CCI-001228)
The organization tests software updates related to flaw remediation for effectiveness before installation.
SI-2 b
(CCI-001229)
The organization tests software updates related to flaw remediation for potential side effects before installation.
SI-2 b
(CCI-002602)
The organization tests firmware updates related to flaw remediation for effectiveness before installation.
SI-2 b
(CCI-002603)
The organization tests firmware updates related to flaw remediation for potential side effects before installation.
SI-2c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
SI-2 c
(CCI-002604)
The organization defines the time period following the release of updates within which security-related software updates are to be installed.
SI-2 c
(CCI-002605)
The organization installs security-relevant software updates within an organization-defined time period of the release of the updates.
SI-2 c
(CCI-002606)
The organization defines the time period following the release of updates within which security-related firmware updates are to be installed.
SI-2 c
(CCI-002607)
The organization installs security-relevant firmware updates within an organization-defined time period of the release of the updates.
SI-2d. Incorporates flaw remediation into the organizational configuration management process.
SI-2 d
(CCI-001230)
The organization incorporates flaw remediation into the organizational configuration management process.
CENTRAL MANAGEMENT
SI-2 (1) The organization centrally manages the flaw remediation process.
SI-2 (1)
(CCI-001231)
The organization centrally manages the flaw remediation process.
AUTOMATED FLAW REMEDIATION STATUS
SI-2 (2) The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
SI-2 (2)
(CCI-001233)
The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation.
SI-2 (2)
(CCI-001234)
The organization defines a frequency for employing automated mechanisms to determine the state of information system components with regard to flaw remediation.
TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS
SI-2 (3) The organization:
SI-2 (3)(a) Measures the time between flaw identification and flaw remediation; and
SI-2 (3) (a)
(CCI-001235)
The organization measures the time between flaw identification and flaw remediation.
SI-2 (3)(b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.
SI-2 (3) (b)
(CCI-001236)
The organization defines benchmarks for the time taken to apply corrective actions after flaw identification.
SI-2 (3) (b)
(CCI-002608)
The organization establishes organization-defined benchmarks for the time taken to apply corrective actions after flaw identification.
AUTOMATED PATCH MANAGEMENT TOOLS
SI-2 (4) [Withdrawn: Incorporated into SI-2].
AUTOMATIC SOFTWARE / FIRMWARE UPDATES
SI-2 (5) The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].
SI-2 (5)
(CCI-002609)
The organization defines the information system components on which organization-defined security-relevant software updates will be automatically installed.
SI-2 (5)
(CCI-002610)
The organization defines the information system components on which organization-defined security-relevant firmware updates will be automatically installed.
SI-2 (5)
(CCI-002611)
The organization defines the security-relevant software updates to be automatically installed on organization-defined information system components.
SI-2 (5)
(CCI-002612)
The organization defines the security-relevant firmware updates to be automatically installed on organization-defined information system components.
SI-2 (5)
(CCI-002613)
The organization installs organization-defined security-relevant software updates automatically to organization-defined information system components.
SI-2 (5)
(CCI-002614)
The organization installs organization-defined security-relevant firmware updates automatically to organization-defined information system components.
REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE / FIRMWARE
SI-2 (6) The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed.
SI-2 (6)
(CCI-002615)
The organization defines the software components to be removed (e.g., previous versions) after updated versions have been installed.
SI-2 (6)
(CCI-002616)
The organization defines the firmware components to be removed (e.g., previous versions) after updated versions have been installed.
SI-2 (6)
(CCI-002617)
The organization removes organization-defined software components (e.g., previous versions) after updated versions have been installed.
SI-2 (6)
(CCI-002618)
The organization removes organization-defined firmware components (e.g., previous versions) after updated versions have been installed.
SI-3 SYSTEM AND INFORMATION INTEGRITY : MALICIOUS CODE PROTECTION
SI-3 The organization:
SI-3a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
SI-3 a
(CCI-002619)
The organization employs malicious code protection mechanisms at information system entry points to detect malicious code.
SI-3 a
(CCI-002620)
The organization employs malicious code protection mechanisms at information system exit points to detect malicious code.
SI-3 a
(CCI-002621)
The organization employs malicious code protection mechanisms at information system entry points to eradicate malicious code.
SI-3 a
(CCI-002622)
The organization employs malicious code protection mechanisms at information system exit points to eradicate malicious code.
SI-3b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
SI-3 b
(CCI-001240)
The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
SI-3c. Configures malicious code protection mechanisms to:
SI-3c.1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
SI-3 c 1
(CCI-001241)
The organization configures malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency.
SI-3 c 1
(CCI-001242)
The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.
SI-3 c 1
(CCI-002623)
The organization defines the frequency for performing periodic scans of the information system for malicious code.
SI-3 c 1
(CCI-002624)
The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy.
SI-3c.2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
SI-3 c 2
(CCI-001243)
The organization configures malicious code protection mechanisms to perform organization-defined action(s) in response to malicious code detection.
SI-3 c 2
(CCI-001244)
The organization defines one or more actions to perform in response to malicious code detection, such as blocking malicious code, quarantining malicious code, or sending alerts to administrators.
SI-3d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
SI-3 d
(CCI-001245)
The organization addresses the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system.
CENTRAL MANAGEMENT
SI-3 (1) The organization centrally manages malicious code protection mechanisms.
SI-3 (1)
(CCI-001246)
The organization centrally manages malicious code protection mechanisms.
AUTOMATIC UPDATES
SI-3 (2) The information system automatically updates malicious code protection mechanisms.
SI-3 (2)
(CCI-001247)
The information system automatically updates malicious code protection mechanisms.
NON-PRIVILEGED USERS
SI-3 (3) [Withdrawn: Incorporated into AC-6 (10)].
UPDATES ONLY BY PRIVILEGED USERS
SI-3 (4) The information system updates malicious code protection mechanisms only when directed by a privileged user.
SI-3 (4)
(CCI-001249)
The information system updates malicious code protection mechanisms only when directed by a privileged user.
PORTABLE STORAGE DEVICES
SI-3 (5) [Withdrawn: Incorporated into MP-7].
TESTING / VERIFICATION
SI-3 (6) The organization:
SI-3 (6)(a) Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and
SI-3 (6) (a)
(CCI-001669)
The organization defines the frequency of testing malicious code protection mechanisms.
SI-3 (6) (a)
(CCI-001251)
The organization tests malicious code protection mechanisms on an organization-defined frequency by introducing a known benign, non-spreading test case into the information system.
SI-3 (6)(b) Verifies that both detection of the test case and associated incident reporting occur.
SI-3 (6) (b)
(CCI-002625)
The organization, when testing malicious code protection mechanisms, verifies the detection of the test case occurs.
SI-3 (6) (b)
(CCI-002626)
The organization, when testing malicious code protection mechanisms, verifies the incident reporting of the test case occurs.
NONSIGNATURE-BASED DETECTION
SI-3 (7) The information system implements nonsignature-based malicious code detection mechanisms.
SI-3 (7)
(CCI-002627)
The information system implements nonsignature-based malicious code detection mechanisms.
DETECT UNAUTHORIZED COMMANDS
SI-3 (8) The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization-defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command].
SI-3 (8)
(CCI-002628)
The organization defines the unauthorized operating system commands that are to be detected through the kernel application programming interface by organization-defined information system hardware components.
SI-3 (8)
(CCI-002629)
The organization defines the information system hardware components that are to detect organization-defined unauthorized operating system commands through the kernel application programming interface.
SI-3 (8)
(CCI-002630)
The information system detects organization-defined unauthorized operating system commands through the kernel application programming interface at organization-defined information system hardware components.
SI-3 (8)
(CCI-002631)
The information system issues a warning, audits the command execution, or prevents the execution of the command when organization-defined unauthorized operating system commands are detected.
AUTHENTICATE REMOTE COMMANDS
SI-3 (9) The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands].
SI-3 (9)
(CCI-002632)
The organization defines the remote commands that are to be authenticated using organization-defined safeguards for malicious code protection.
SI-3 (9)
(CCI-002633)
The organization defines the security safeguards to be implemented to authenticate organization-defined remote commands for malicious code protection.
SI-3 (9)
(CCI-002637)
The information system implements organization-defined security safeguards to authenticate organization-defined remote commands for malicious code protection.
MALICIOUS CODE ANALYSIS
SI-3 (10) The organization:
SI-3 (10)(a) Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
SI-3 (10) (a)
(CCI-002634)
The organization defines the tools to be employed to analyze the characteristics and behavior of malicious code.
SI-3 (10) (a)
(CCI-002635)
The organization defines the techniques to be employed to analyze the characteristics and behavior of malicious code.
SI-3 (10) (a)
(CCI-002636)
The organization employs organization-defined tools to analyze the characteristics and behavior of malicious code.
SI-3 (10) (a)
(CCI-002638)
The organization employs organization-defined techniques to analyze the characteristics and behavior of malicious code.
SI-3 (10)(b) Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes.
SI-3 (10) (b)
(CCI-002639)
The organization incorporates the results from malicious code analysis into organizational incident response processes.
SI-3 (10) (b)
(CCI-002640)
The organization incorporates the results from malicious code analysis into organizational flaw remediation processes.
SI-4 SYSTEM AND INFORMATION INTEGRITY : INFORMATION SYSTEM MONITORING
SI-4 The organization:
SI-4
(CCI-002653)
The organization provides organization-defined information system monitoring information to organization-defined personnel or roles as needed or per organization-defined frequency.
SI-4a. Monitors the information system to detect:
SI-4a.1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
SI-4 a 1
(CCI-001253)
The organization defines the objectives of monitoring for attacks and indicators of potential attacks on the information system.
SI-4 a 1
(CCI-002641)
The organization monitors the information system to detect attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives.
SI-4a.2. Unauthorized local, network, and remote connections;
SI-4 a 2
(CCI-002642)
The organization monitors the information system to detect unauthorized local connections.
SI-4 a 2
(CCI-002643)
The organization monitors the information system to detect unauthorized network connections.
SI-4 a 2
(CCI-002644)
The organization monitors the information system to detect unauthorized remote connections.
SI-4b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
SI-4 b
(CCI-002645)
The organization defines the techniques and methods to be used to identify unauthorized use of the information system.
SI-4 b
(CCI-002646)
The organization identifies unauthorized use of the information system through organization-defined techniques and methods.
SI-4c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
SI-4 c
(CCI-001255)
The organization deploys monitoring devices strategically within the information system to collect organization-determined essential information.
SI-4 c
(CCI-001256)
The organization deploys monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization.
SI-4d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
SI-4 d
(CCI-002647)
The organization protects information obtained from intrusion-monitoring tools from unauthorized access.
SI-4 d
(CCI-002648)
The organization protects information obtained from intrusion-monitoring tools from unauthorized modification.
SI-4 d
(CCI-002649)
The organization protects information obtained from intrusion-monitoring tools from unauthorized deletion.
SI-4e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
SI-4 e
(CCI-001257)
The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
SI-4f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
SI-4 f
(CCI-001258)
The organization obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
SI-4g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
SI-4 g
(CCI-002650)
The organization defines the information system monitoring information that is to be provided to the organization-defined personnel or roles.
SI-4 g
(CCI-002651)
The organization defines the personnel or roles that are to be provided with organization-defined information system monitoring information.
SI-4 g
(CCI-002652)
The organization defines the frequency at which the organization will provide the organization-defined information system monitoring information to organization-defined personnel or roles.
SI-4 g
(CCI-002654)
The organization provides organization-defined information system monitoring information to organization-defined personnel or roles as needed or per organization-defined frequency.
SYSTEM-WIDE INTRUSION DETECTION SYSTEM
SI-4 (1) The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.
SI-4 (1)
(CCI-002655)
The organization connects individual intrusion detection tools into an information system-wide intrusion detection system.
SI-4 (1)
(CCI-002656)
The organization configures individual intrusion detection tools into an information system-wide intrusion detection system.
AUTOMATED TOOLS FOR REAL-TIME ANALYSIS
SI-4 (2) The organization employs automated tools to support near real-time analysis of events.
SI-4 (2)
(CCI-001260)
The organization employs automated tools to support near real-time analysis of events.
AUTOMATED TOOL INTEGRATION
SI-4 (3) The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
SI-4 (3)
(CCI-002657)
The organization employs automated tools to integrate intrusion detection tools into access control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
SI-4 (3)
(CCI-002658)
The organization employs automated tools to integrate intrusion detection tools into flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC
SI-4 (4) The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
SI-4 (4)
(CCI-002659)
The organization defines the frequency on which it will monitor inbound communications for unusual or unauthorized activities or conditions.
SI-4 (4)
(CCI-002660)
The organization defines the frequency on which it will monitor outbound communications for unusual or unauthorized activities or conditions.
SI-4 (4)
(CCI-002661)
The information system monitors inbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions.
SI-4 (4)
(CCI-002662)
The information system monitors outbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions.
SYSTEM-GENERATED ALERTS
SI-4 (5) The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
SI-4 (5)
(CCI-001264)
The organization defines indicators of compromise or potential compromise to the security of the information system which will result in information system alerts being provided to organization-defined personnel or roles.
SI-4 (5)
(CCI-002663)
The organization defines the personnel or roles to receive information system alerts when organization-defined indicators of compromise or potential compromise occur.
SI-4 (5)
(CCI-002664)
The information system alerts organization-defined personnel or roles when organization-defined compromise indicators reflect the occurrence of a compromise or a potential compromise.
RESTRICT NON-PRIVILEGED USERS
SI-4 (6) [Withdrawn: Incorporated into AC-6 (10)].
AUTOMATED RESPONSE TO SUSPICIOUS EVENTS
SI-4 (7) The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].
SI-4 (7)
(CCI-001670)
The information system takes organization-defined least-disruptive actions to terminate suspicious events.
SI-4 (7)
(CCI-001266)
The information system notifies an organization-defined list of incident response personnel (identified by name and/or by role) of detected suspicious events.
SI-4 (7)
(CCI-001267)
The organization defines a list of incident response personnel (identified by name and/or by role) to be notified of detected suspicious events.
SI-4 (7)
(CCI-001268)
The organization defines a list of least-disruptive actions to be taken by the information system to terminate suspicious events.
PROTECTION OF MONITORING INFORMATION
SI-4 (8) [Withdrawn: Incorporated into SI-4].
TESTING OF MONITORING TOOLS
SI-4 (9) The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency].
SI-4 (9)
(CCI-001270)
The organization tests intrusion monitoring tools at an organization-defined frequency.
SI-4 (9)
(CCI-001271)
The organization defines the frequency for testing intrusion monitoring tools.
VISIBILITY OF ENCRYPTED COMMUNICATIONS
SI-4 (10) The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools].
SI-4 (10)
(CCI-002665)
The organization defines the encrypted communications traffic that is to be visible to organization-defined information system monitoring tools.
SI-4 (10)
(CCI-002666)
The organization defines the information system monitoring tools that will have visibility into organization-defined encrypted communications traffic.
SI-4 (10)
(CCI-002667)
The organization makes provisions so that organization-defined encrypted communications traffic is visible to organization-defined information system monitoring tools.
ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES
SI-4 (11) The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies.
SI-4 (11)
(CCI-001671)
The organization analyzes outbound communications traffic at selected organization-defined interior points within the system (e.g., subnetworks, subsystems) to discover anomalies.
SI-4 (11)
(CCI-001273)
The organization analyzes outbound communications traffic at the external boundary of the information system to discover anomalies.
SI-4 (11)
(CCI-002668)
The organization defines the interior points within the information system (e.g., subnetworks, subsystems) where outbound communications will be analyzed to discover anomalies.
AUTOMATED ALERTS
SI-4 (12) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts].
SI-4 (12)
(CCI-001274)
The organization employs automated mechanisms to alert security personnel of organization-defined inappropriate or unusual activities with security implications.
SI-4 (12)
(CCI-001275)
The organization defines the activities which will trigger alerts to security personnel of inappropriate or unusual activities.
ANALYZE TRAFFIC / EVENT PATTERNS
SI-4 (13) The organization:
SI-4 (13)(a) Analyzes communications traffic/event patterns for the information system;
SI-4 (13) (a)
(CCI-001276)
The organization analyzes communications traffic/event patterns for the information system.
SI-4 (13)(b) Develops profiles representing common traffic patterns and/or events; and
SI-4 (13) (b)
(CCI-001277)
The organization develops profiles representing common traffic patterns and/or events.
SI-4 (13)(c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
SI-4 (13) (c)
(CCI-002669)
The organization uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and false negatives.
WIRELESS INTRUSION DETECTION
SI-4 (14) The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
SI-4 (14)
(CCI-001673)
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
WIRELESS TO WIRELINE COMMUNICATIONS
SI-4 (15) The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
SI-4 (15)
(CCI-001282)
The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
CORRELATE MONITORING INFORMATION
SI-4 (16) The organization correlates information from monitoring tools employed throughout the information system.
SI-4 (16)
(CCI-001283)
The organization correlates information from monitoring tools employed throughout the information system.
INTEGRATED SITUATIONAL AWARENESS
SI-4 (17) The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
SI-4 (17)
(CCI-001284)
The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
ANALYZE TRAFFIC / COVERT EXFILTRATION
SI-4 (18) The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information.
SI-4 (18)
(CCI-002670)
The organization defines the interior points within the system (e.g., subsystems, subnetworks) where outbound communications will be analyzed to detect covert exfiltration of information.
SI-4 (18)
(CCI-002671)
The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) to detect covert exfiltration of information.
SI-4 (18)
(CCI-002672)
The organization analyzes outbound communications traffic at organization-defined interior points within the system (e.g., subsystems, subnetworks) to detect covert exfiltration of information.
INDIVIDUALS POSING GREATER RISK
SI-4 (19) The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.
SI-4 (19)
(CCI-002673)
The organization defines the additional monitoring to be implemented for individuals identified as posing an increased level of risk.
SI-4 (19)
(CCI-002674)
The organization defines the sources that may be used to identify individuals who pose an increased level of risk.
SI-4 (19)
(CCI-002675)
The organization implements organization-defined additional monitoring of individuals who have been identified by organization-defined sources as posing an increased level of risk.
PRIVILEGED USER
SI-4 (20) The organization implements [Assignment: organization-defined additional monitoring] of privileged users.
SI-4 (20)
(CCI-002676)
The organization defines additional monitoring to be implemented for privileged users.
SI-4 (20)
(CCI-002677)
The organization implements organization-defined additional monitoring of privileged users.
PROBATIONARY PERIODS
SI-4 (21) The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period].
SI-4 (21)
(CCI-002678)
The organization defines additional monitoring to be implemented for individuals during an organization-defined probationary period.
SI-4 (21)
(CCI-002679)
The organization defines the probationary period during which additional monitoring will be implemented for individuals.
SI-4 (21)
(CCI-002680)
The organization implements organization-defined additional monitoring of individuals during an organization-defined probationary period.
UNAUTHORIZED NETWORK SERVICES
SI-4 (22) The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]].
SI-4 (22)
(CCI-002681)
The organization defines the authorization or approval process for network services.
SI-4 (22)
(CCI-002682)
The organization defines the personnel or roles to be alerted when unauthorized or unapproved network services are detected.
SI-4 (22)
(CCI-002683)
The information system detects network services that have not been authorized or approved by the organization-defined authorization or approval processes.
SI-4 (22)
(CCI-002684)
The information system audits and/or alerts organization-defined personnel when unauthorized network services are detected.
HOST-BASED DEVICES
SI-4 (23) The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components].
SI-4 (23)
(CCI-002685)
The organization defines the host-based monitoring mechanisms to be implemented at organization-defined information system components.
SI-4 (23)
(CCI-002686)
The organization defines the information system components at which organization-defined host-based monitoring mechanisms are to be implemented.
SI-4 (23)
(CCI-002687)
The organization implements organization-defined host-based monitoring mechanisms at organization-defined information system components.
INDICATORS OF COMPROMISE
SI-4 (24) The information system discovers, collects, distributes, and uses indicators of compromise.
SI-4 (24)
(CCI-002688)
The information system discovers indicators of compromise.
SI-4 (24)
(CCI-002689)
The information system collects indicators of compromise.
SI-4 (24)
(CCI-002690)
The information system distributes indicators of compromise.
SI-4 (24)
(CCI-002691)
The information system uses indicators of compromise.
SI-5 SYSTEM AND INFORMATION INTEGRITY : SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SI-5 The organization:
SI-5a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
SI-5 a
(CCI-001285)
The organization receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis.
SI-5 a
(CCI-002692)
The organization defines the external organizations from which it receives information system security alerts, advisories, and directives.
SI-5b. Generates internal security alerts, advisories, and directives as deemed necessary;
SI-5 b
(CCI-001286)
The organization generates internal security alerts, advisories, and directives as deemed necessary.
SI-5c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
SI-5 c
(CCI-001287)
The organization disseminates security alerts, advisories, and directives to organization-defined personnel or roles, organization-defined elements within the organization, and/or organization-defined external organizations.
SI-5 c
(CCI-001288)
The organization defines the personnel or roles to whom the organization will disseminate security alerts, advisories, and directives.
SI-5 c
(CCI-002693)
The organization defines the elements within the organization to whom the organization will disseminate security alerts, advisories, and directives.
SI-5 c
(CCI-002694)
The organization defines the external organizations to which the organization will disseminate security alerts, advisories, and directives.
SI-5d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
SI-5 d
(CCI-001289)
The organization implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
AUTOMATED ALERTS AND ADVISORIES
SI-5 (1) The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.
SI-5 (1)
(CCI-001290)
The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.
SI-6 SYSTEM AND INFORMATION INTEGRITY : SECURITY FUNCTION VERIFICATION
SI-6 The information system:
SI-6a. Verifies the correct operation of [Assignment: organization-defined security functions];
SI-6 a
(CCI-002695)
The organization defines the security functions that require verification of correct operation.
SI-6 a
(CCI-002696)
The information system verifies correct operation of organization-defined security functions.
SI-6b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
SI-6 b
(CCI-002697)
The organization defines the frequency at which it will verify correct operation of organization-defined security functions.
SI-6 b
(CCI-002698)
The organization defines the system transitional states when the information system will verify correct operation of organization-defined security functions.
SI-6 b
(CCI-002699)
The information system performs verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.
SI-6c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
SI-6 c
(CCI-001294)
The information system notifies organization-defined personnel or roles of failed security verification tests.
SI-6 c
(CCI-002700)
The organization defines the personnel or roles to be notified when security verification tests fail.
SI-6d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
SI-6 d
(CCI-002701)
The organization defines alternative action(s) to be taken when the information system discovers anomalies in the operation of organization-defined security functions.
SI-6 d
(CCI-002702)
The information system shuts the information system down, restarts the information system, and/or initiates organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered.
NOTIFICATION OF FAILED SECURITY TESTS
SI-6 (1) [Withdrawn: Incorporated into SI-6].
AUTOMATION SUPPORT FOR DISTRIBUTED TESTING
SI-6 (2) The information system implements automated mechanisms to support the management of distributed security testing.
SI-6 (2)
(CCI-001295)
The information system implements automated mechanisms to support the management of distributed security testing.
REPORT VERIFICATION RESULTS
SI-6 (3) The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles].
SI-6 (3)
(CCI-001675)
The organization defines the personnel or roles that are to receive reports on the results of security function verification.
SI-6 (3)
(CCI-001296)
The organization reports the results of security function verification to organization-defined personnel or roles.
SI-7 SYSTEM AND INFORMATION INTEGRITY : SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
SI-7 The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
SI-7
(CCI-002703)
The organization defines the software, firmware, and information which will be subjected to integrity verification tools to detect unauthorized changes.
SI-7
(CCI-002704)
The organization employs integrity verification tools to detect unauthorized changes to organization-defined software, firmware, and information.
INTEGRITY CHECKS
SI-7 (1) The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
SI-7 (1)
(CCI-002705)
The organization defines the software on which integrity checks will be performed.
SI-7 (1)
(CCI-002706)
The organization defines the firmware on which integrity checks will be performed.
SI-7 (1)
(CCI-002707)
The organization defines the information on which integrity checks will be performed.
SI-7 (1)
(CCI-002708)
The organization defines the transitional state or security-relevant events when the information system will perform integrity checks on software, firmware, and information.
SI-7 (1)
(CCI-002709)
The organization defines the frequency at which it will perform integrity checks of software, firmware, and information.
SI-7 (1)
(CCI-002710)
The information system performs an integrity check of organization-defined software at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.
SI-7 (1)
(CCI-002711)
The information system performs an integrity check of organization-defined firmware at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.
SI-7 (1)
(CCI-002712)
The information system performs an integrity check of organization-defined information at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.
AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS
SI-7 (2) The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.
SI-7 (2)
(CCI-001300)
The organization employs automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification.
SI-7 (2)
(CCI-002713)
The organization defines the personnel or roles to be notified when discrepancies are discovered during integrity verification.
CENTRALLY-MANAGED INTEGRITY TOOLS
SI-7 (3) The organization employs centrally managed integrity verification tools.
SI-7 (3)
(CCI-001301)
The organization employs centrally managed integrity verification tools.
TAMPER-EVIDENT PACKAGING
SI-7 (4) [Withdrawn: Incorporated into SA-12].
AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS
SI-7 (5) The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.
SI-7 (5)
(CCI-002714)
The organization defines the security safeguards that are to be employed when integrity violations are discovered.
SI-7 (5)
(CCI-002715)
The information system automatically shuts the information system down, restarts the information system, and/or implements organization-defined security safeguards when integrity violations are discovered.
CRYPTOGRAPHIC PROTECTION
SI-7 (6) The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
SI-7 (6)
(CCI-002716)
The information system implements cryptographic mechanisms to detect unauthorized changes to software.
SI-7 (6)
(CCI-002717)
The information system implements cryptographic mechanisms to detect unauthorized changes to firmware.
SI-7 (6)
(CCI-002718)
The information system implements cryptographic mechanisms to detect unauthorized changes to information.
INTEGRATION OF DETECTION AND RESPONSE
SI-7 (7) The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.
SI-7 (7)
(CCI-002719)
The organization defines the unauthorized security-relevant changes to the information system that are to be incorporated into the organizational incident response capability.
SI-7 (7)
(CCI-002720)
The organization incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability.
AUDITING CAPABILITY FOR SIGNIFICANT EVENTS
SI-7 (8) The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].
SI-7 (8)
(CCI-002721)
The organization defines the personnel or roles that are to be alerted by the information system when it detects a potential integrity violation.
SI-7 (8)
(CCI-002722)
The organization defines other actions that can be taken when the information system detects a potential integrity violation.
SI-7 (8)
(CCI-002723)
The information system, upon detection of a potential integrity violation, provides the capability to audit the event.
SI-7 (8)
(CCI-002724)
The information system, upon detection of a potential integrity violation, initiates one or more of the following actions: generates an audit record; alerts the current user; alerts organization-defined personnel or roles; and/or organization-defined other actions.
VERIFY BOOT PROCESS
SI-7 (9) The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].
SI-7 (9)
(CCI-002725)
The organization defines the devices which will have the integrity of the boot process verified.
SI-7 (9)
(CCI-002726)
The information system verifies the integrity of the boot process of organization-defined devices.
PROTECTION OF BOOT FIRMWARE
SI-7 (10) The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices].
SI-7 (10)
(CCI-002727)
The organization defines the security safeguards to be implemented to protect the integrity of the boot firmware in organization-defined devices.
SI-7 (10)
(CCI-002728)
The organization defines the devices on which organization-defined security safeguards will be implemented to protect the integrity of the boot firmware.
SI-7 (10)
(CCI-002729)
The information system implements organization-defined security safeguards to protect the integrity of boot firmware in organization-defined devices.
CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES
SI-7 (11) The organization requires that [Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges.
SI-7 (11)
(CCI-002730)
The organization defines the user-installed software that is to be executed in a confined physical or virtual machine environment with limited privileges.
SI-7 (11)
(CCI-002731)
The organization requires that organization-defined user-installed software execute in a confined physical or virtual machine environment with limited privileges.
INTEGRITY VERIFICATION
SI-7 (12) The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution.
SI-7 (12)
(CCI-002732)
The organization defines the user-installed software that is to have its integrity verified prior to execution.
SI-7 (12)
(CCI-002733)
The organization requires that the integrity of organization-defined user-installed software be verified prior to execution.
CODE EXECUTION IN PROTECTED ENVIRONMENTS
SI-7 (13) The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles].
SI-7 (13)
(CCI-002734)
The organization defines the personnel or roles which have the authority to explicitly approve binary or machine-executable code.
SI-7 (13)
(CCI-002735)
The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments.
SI-7 (13)
(CCI-002736)
The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only with the explicit approval of organization-defined personnel or roles.
BINARY OR MACHINE EXECUTABLE CODE
SI-7 (14) The organization:
SI-7 (14)(a) Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and
SI-7 (14) (a)
(CCI-002737)
The organization prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code.
SI-7 (14)(b) Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.
SI-7 (14) (b)
(CCI-002738)
The organization provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.
CODE AUTHENTICATION
SI-7 (15) The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation.
SI-7 (15)
(CCI-002739)
The organization defines the software or firmware components on which cryptographic mechanisms are to be implemented to support authentication prior to installation.
SI-7 (15)
(CCI-002740)
The information system implements cryptographic mechanisms to authenticate organization-defined software or firmware components prior to installation.
TIME LIMIT ON PROCESS EXECUTION W/O SUPERVISION
SI-7 (16) The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period].
SI-7 (16)
(CCI-001321)
The organization does not allow a process to execute without supervision for more than an organization-defined time period.
SI-7 (16)
(CCI-001322)
The organization defines a time period that is the longest a process is allowed to execute without supervision.
SI-8 SYSTEM AND INFORMATION INTEGRITY : SPAM PROTECTION
SI-8 The organization:
SI-8a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
SI-8 a
(CCI-002741)
The organization employs spam protection mechanisms at information system entry points to detect and take action on unsolicited messages.
SI-8 a
(CCI-002742)
The organization employs spam protection mechanisms at information system exit points to detect and take action on unsolicited messages.
SI-8b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
SI-8 b
(CCI-001306)
The organization updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
CENTRAL MANAGEMENT
SI-8 (1) The organization centrally manages spam protection mechanisms.
SI-8 (1)
(CCI-001307)
The organization centrally manages spam protection mechanisms.
AUTOMATIC UPDATES
SI-8 (2) The information system automatically updates spam protection mechanisms.
SI-8 (2)
(CCI-001308)
The information system automatically updates spam protection mechanisms.
CONTINUOUS LEARNING CAPABILITY
SI-8 (3) The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.
SI-8 (3)
(CCI-002743)
The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.
SI-9 SYSTEM AND INFORMATION INTEGRITY : INFORMATION INPUT RESTRICTIONS
SI-9 [Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6].
SI-10 SYSTEM AND INFORMATION INTEGRITY : INFORMATION INPUT VALIDATION
SI-10 The information system checks the validity of [Assignment: organization-defined information inputs].
SI-10
(CCI-001310)
The information system checks the validity of organization-defined inputs.
SI-10
(CCI-002744)
The organization defines the inputs on which the information system is to conduct validity checks.
MANUAL OVERRIDE CAPABILITY
SI-10 (1) The information system:
SI-10 (1)(a) Provides a manual override capability for input validation of [Assignment: organization-defined inputs];
SI-10 (1) (a)
(CCI-002745)
The organization defines the inputs for which the information system provides a manual override capability for input validation.
SI-10 (1) (a)
(CCI-002746)
The information system provides a manual override capability for input validation of organization-defined inputs.
SI-10 (1)(b) Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and
SI-10 (1) (b)
(CCI-002747)
The organization defines the individuals who have the authorization to use the manual override capability for input validation.
SI-10 (1) (b)
(CCI-002748)
The information system restricts the use of the manual override capability to only organization-defined authorized individuals.
SI-10 (1)(c) Audits the use of the manual override capability.
SI-10 (1) (c)
(CCI-002749)
The information system audits the use of the manual override capability.
REVIEW / RESOLUTION OF ERRORS
SI-10 (2) The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period].
SI-10 (2)
(CCI-002750)
The organization defines the time period within which input validation errors are to be reviewed.
SI-10 (2)
(CCI-002751)
The organization defines the time period within which input validation errors are to be resolved.
SI-10 (2)
(CCI-002752)
The organization ensures that input validation errors are reviewed within an organization-defined time period.
SI-10 (2)
(CCI-002753)
The organization ensures that input validation errors are resolved within an organization-defined time period.
PREDICTABLE BEHAVIOR
SI-10 (3) The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
SI-10 (3)
(CCI-002754)
The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
REVIEW / TIMING INTERACTIONS
SI-10 (4) The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs.
SI-10 (4)
(CCI-002755)
The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs.
RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS
SI-10 (5) The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats].
SI-10 (5)
(CCI-002756)
The organization defines the trusted sources to which the usage of information inputs will be restricted (e.g., whitelisting).
SI-10 (5)
(CCI-002757)
The organization defines the acceptable formats to which information inputs are restricted.
SI-10 (5)
(CCI-002758)
The organization restricts the use of information inputs to organization-defined trusted sources and/or organization-defined formats.
SI-11 SYSTEM AND INFORMATION INTEGRITY : ERROR HANDLING
SI-11 The information system:
SI-11a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
SI-11 a
(CCI-001312)
The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
SI-11b. Reveals error messages only to [Assignment: organization-defined personnel or roles].
SI-11 b
(CCI-001314)
The information system reveals error messages only to organization-defined personnel or roles.
SI-11 b
(CCI-002759)
The organization defines the personnel or roles to whom error messages are to be revealed.
SI-12 SYSTEM AND INFORMATION INTEGRITY : INFORMATION HANDLING AND RETENTION
SI-12 The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
SI-12
(CCI-001678)
The organization retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
SI-12
(CCI-001315)
The organization handles information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
SI-13 SYSTEM AND INFORMATION INTEGRITY : PREDICTABLE FAILURE PREVENTION
SI-13 The organization:
SI-13a. Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
SI-13 a
(CCI-002760)
The organization determines mean time to failure (MTTF) for organization-defined information system components in specific environments of operation.
SI-13 a
(CCI-002761)
The organization defines the system components in specific environments of operation for which the mean time to failure (MTTF) is to be determined.
SI-13b. Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria].
SI-13 b
(CCI-001318)
The organization provides substitute information system components.
SI-13 b
(CCI-002762)
The organization defines the mean time to failure (MTTF) substitution criteria to be employed as a means to determine the need to exchange active and standby components.
SI-13 b
(CCI-002763)
The organization provides a means to exchange active and standby components in accordance with the organization-defined mean time to failure (MTTF) substitution criteria.
TRANSFERRING COMPONENT RESPONSIBILITIES
SI-13 (1) The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure.
SI-13 (1)
(CCI-001319)
The organization takes information system components out of service by transferring component responsibilities to a substitute component no later than an organization-defined fraction or percentage of mean time to failure (MTTF).
SI-13 (1)
(CCI-001320)
The organization defines the maximum fraction or percentage of mean time to failure (MTTF) used to determine when information system components are taken out of service by transferring component responsibilities to substitute components.
TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION
SI-13 (2) [Withdrawn: Incorporated into SI-7 (16)].
MANUAL TRANSFER BETWEEN COMPONENTS
SI-13 (3) The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period].
SI-13 (3)
(CCI-001323)
The organization manually initiates a transfer between active and standby information system components in accordance with organization-defined frequency if the mean time to failure (MTTF) exceeds an organization-defined time period.
SI-13 (3)
(CCI-001324)
The organization defines the minimum frequency at which the organization manually initiates a transfer between active and standby information system components if the mean time to failure (MTTF) exceeds the organization-defined time period.
SI-13 (3)
(CCI-001325)
The organization defines a time period that the mean time to failure (MTTF) must exceed before the organization manually initiates a transfer between active and standby information system components.
STANDBY COMPONENT INSTALLATION / NOTIFICATION
SI-13 (4) The organization, if information system component failures are detected:
SI-13 (4)(a) Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
SI-13 (4) (a)
(CCI-001326)
The organization, if information system component failures are detected, ensures standby components are successfully and transparently installed within an organization-defined time period.
SI-13 (4) (a)
(CCI-001327)
The organization defines a time period for a standby information system component to be successfully and transparently installed for the information system component that has failed.
SI-13 (4)(b) [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].
SI-13 (4) (b)
(CCI-001328)
The organization, if an information system component failure is detected, activates an organization-defined alarm and/or automatically shuts down the information system.
SI-13 (4) (b)
(CCI-001329)
The organization defines the alarm to be activated when an information system component failure is detected.
FAILOVER CAPABILITY
SI-13 (5) The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system.
SI-13 (5)
(CCI-000558)
The organization defines the real-time or near-real-time failover capability to be provided for the information system.
SI-13 (5)
(CCI-000559)
The organization provides real-time or near-real-time organization-defined failover capability for the information system.
SI-14 SYSTEM AND INFORMATION INTEGRITY : NON-PERSISTENCE
SI-14 The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]].
SI-14
(CCI-002764)
The organization defines non-persistent information system components and services to be implemented.
SI-14
(CCI-002765)
The organization defines the frequency at which it will terminate organization-defined non-persistent information system components and services.
SI-14
(CCI-002766)
The organization implements organization-defined non-persistence information system components and services that are initiated in a known state.
SI-14
(CCI-002767)
The organization implements organization-defined non-persistence information system components and services that are terminated upon end of session of use and/or periodically at an organization-defined frequency.
REFRESH FROM TRUSTED SOURCES
SI-14 (1) The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources].
SI-14 (1)
(CCI-002768)
The organization defines the trusted sources from which it obtains software and data employed during the refreshing of non-persistent information system components and services.
SI-14 (1)
(CCI-002769)
The organization ensures that software and data employed during non-persistent information system component and service refreshes are obtained from organization-defined trusted sources.
SI-15 SYSTEM AND INFORMATION INTEGRITY : INFORMATION OUTPUT FILTERING
SI-15 The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content.
SI-15
(CCI-002770)
The organization defines the software programs and/or applications from which the information system is to validate the information output to ensure the information is consistent with expected content.
SI-15
(CCI-002771)
The information system validates information output from organization-defined software programs and/or applications to ensure that the information is consistent with the expected content.
SI-15
(CCI-002772)
The organization defines the security safeguards to be implemented to protect the information system's memory from unauthorized code execution.
SI-16 SYSTEM AND INFORMATION INTEGRITY : MEMORY PROTECTION
SI-16 The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
SI-16
(CCI-002823)
The organization defines the security safeguards to be implemented to protect the information system's memory from unauthorized code execution.
SI-16
(CCI-002824)
The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.
SI-17 SYSTEM AND INFORMATION INTEGRITY : FAIL-SAFE PROCEDURES
SI-17 The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur].
SI-17
(CCI-002773)
The organization defines the fail-safe procedures to be implemented by the information system when organization-defined failure conditions occur.
SI-17
(CCI-002774)
The organization defines the failure conditions which, when they occur, will result in the information system implementing organization-defined fail-safe procedures.
SI-17
(CCI-002775)
The information system implements organization-defined fail-safe procedures when organization-defined failure conditions occur.
PM-1 PROGRAM MANAGEMENT : INFORMATION SECURITY PROGRAM PLAN
PM-1 The organization:
PM-1a. Develops and disseminates an organization-wide information security program plan that:
PM-1a.1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
PM-1 a 1
(CCI-000073)
The organization develops an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.
PM-1 a 1
(CCI-002985)
The organization disseminates an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.
PM-1a.2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
PM-1 a 2
(CCI-001680)
The organization develops an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
PM-1 a 2
(CCI-002986)
The organization disseminates an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
PM-1a.3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
PM-1 a 3
(CCI-002984)
The organization develops an organization-wide information security program plan that reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical).
PM-1 a 3
(CCI-002987)
The organization disseminates an organization-wide information security program plan that reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical).
PM-1a.4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
PM-1 a 4
(CCI-000074)
The organization develops an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.
PM-1 a 4
(CCI-002988)
The organization disseminates an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.
PM-1b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
PM-1 b
(CCI-000075)
The organization reviews the organization-wide information security program plan on an organization-defined frequency.
PM-1 b
(CCI-000076)
The organization defines the frequency with which to review the organization-wide information security program plan.
PM-1c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
PM-1 c
(CCI-000077)
The organization updates the plan to address organizational changes and problems identified during plan implementation or security control assessments.
PM-1d. Protects the information security program plan from unauthorized disclosure and modification.
PM-1 d
(CCI-002989)
The organization protects the information security program plan from unauthorized disclosure.
PM-1 d
(CCI-002990)
The organization protects the information security program plan from unauthorized modification.
PM-2 PROGRAM MANAGEMENT : SENIOR INFORMATION SECURITY OFFICER
PM-2 The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
PM-2
(CCI-000078)
The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
PM-3 PROGRAM MANAGEMENT : INFORMATION SECURITY RESOURCES
PM-3 The organization:
PM-3a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
PM-3 a
(CCI-000080)
The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement.
PM-3b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
PM-3 b
(CCI-000081)
The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required.
PM-3c. Ensures that information security resources are available for expenditure as planned.
PM-3 c
(CCI-000141)
The organization ensures that information security resources are available for expenditure as planned.
PM-4 PROGRAM MANAGEMENT : PLAN OF ACTION AND MILESTONES PROCESS
PM-4 The organization:
PM-4a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
PM-4a.1. Are developed and maintained;
PM-4 a 1
(CCI-000142)
The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained.
PM-4 a 1
(CCI-002991)
The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are developed.
PM-4a.2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
PM-4 a 2
(CCI-000170)
The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation.
PM-4a.3. Are reported in accordance with OMB FISMA reporting requirements.
PM-4 a 3
(CCI-002992)
The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are reported in accordance with OMB FISMA reporting requirements.
PM-4b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
PM-4 b
(CCI-002993)
The organization reviews plans of action and milestones for the security program and associated organization information systems for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
PM-5 PROGRAM MANAGEMENT : INFORMATION SYSTEM INVENTORY
PM-5 The organization develops and maintains an inventory of its information systems.
PM-5
(CCI-000207)
The organization develops and maintains an inventory of its information systems.
PM-6 PROGRAM MANAGEMENT : INFORMATION SECURITY MEASURES OF PERFORMANCE
PM-6 The organization develops, monitors, and reports on the results of information security measures of performance.
PM-6
(CCI-000209)
The organization develops the results of information security measures of performance.
PM-6
(CCI-000210)
The organization monitors the results of information security measures of performance.
PM-6
(CCI-000211)
The organization reports on the results of information security measures of performance.
PM-7 PROGRAM MANAGEMENT : ENTERPRISE ARCHITECTURE
PM-7 The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
PM-7
(CCI-000212)
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
PM-8 PROGRAM MANAGEMENT : CRITICAL INFRASTRUCTURE PLAN
PM-8 The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
PM-8
(CCI-001640)
The organization updates the critical infrastructure and key resources protection plan that addresses information security issues.
PM-8
(CCI-000216)
The organization develops and documents a critical infrastructure and key resource protection plan that addresses information security issues.
PM-9 PROGRAM MANAGEMENT : RISK MANAGEMENT STRATEGY
PM-9 The organization:
PM-9a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
PM-9 a
(CCI-000227)
The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems.
PM-9b. Implements the risk management strategy consistently across the organization; and
PM-9 b
(CCI-000228)
The organization implements a comprehensive strategy to manage risk to organization operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems consistently across the organization.
PM-9c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.
PM-9 c
(CCI-002994)
The organization reviews and updates the risk management strategy in accordance with organization-defined frequency or as required, to address organizational changes.
PM-9 c
(CCI-002995)
The organization defines the frequency with which to review and update the risk management strategy to address organizational changes.
PM-10 PROGRAM MANAGEMENT : SECURITY AUTHORIZATION PROCESS
PM-10 The organization:
PM-10a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
PM-10 a
(CCI-000229)
The organization documents the security state of organizational information systems and the environments in which those systems operate through security authorization processes.
PM-10 a
(CCI-000230)
The organization tracks the security state of organizational information systems and the environments in which those systems operate through security authorization processes.
PM-10 a
(CCI-000231)
The organization reports the security state of organizational information systems and the environments in which those systems operate through security authorization processes.
PM-10b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
PM-10 b
(CCI-000233)
The organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process.
PM-10c. Fully integrates the security authorization processes into an organization-wide risk management program.
PM-10 c
(CCI-000234)
The organization fully integrates the security authorization processes into an organization-wide risk management program.
PM-11 PROGRAM MANAGEMENT : MISSION/BUSINESS PROCESS DEFINITION
PM-11 The organization:
PM-11a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
PM-11 a
(CCI-000235)
The organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
PM-11b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.
PM-11 b
(CCI-000236)
The organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs are obtained.
PM-12 PROGRAM MANAGEMENT : INSIDER THREAT PROGRAM
PM-12 The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.
PM-12
(CCI-002996)
The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.
PM-13 PROGRAM MANAGEMENT : INFORMATION SECURITY WORKFORCE
PM-13 The organization establishes an information security workforce development and improvement program.
PM-13
(CCI-002997)
The organization establishes an information security workforce development and improvement program.
PM-14 PROGRAM MANAGEMENT : TESTING, TRAINING, AND MONITORING
PM-14 The organization:
PM-14a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
PM-14a.1. Are developed and maintained; and
PM-14 a 1
(CCI-002998)
The organization implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are developed.
PM-14 a 1
(CCI-002999)
The organization implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are maintained.
PM-14 a 1
(CCI-003000)
The organization implements a process for ensuring that organizational plans for conducting security training activities associated with organizational information systems are developed.
PM-14 a 1
(CCI-003001)
The organization implements a process for ensuring that organizational plans for conducting security training activities associated with organizational information systems are maintained.
PM-14 a 1
(CCI-003002)
The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems are developed.
PM-14 a 1
(CCI-003003)
The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems are maintained.
PM-14a.2. Continue to be executed in a timely manner;
PM-14 a 2
(CCI-003004)
The organization implements a process for ensuring that organizational plans for conducting security testing associated with organizational information systems continue to be executed in a timely manner.
PM-14 a 2
(CCI-003005)
The organization implements a process for ensuring that organizational plans for conducting security training associated with organizational information systems continue to be executed in a timely manner.
PM-14 a 2
(CCI-003006)
The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems continue to be executed in a timely manner.
PM-14b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
PM-14 b
(CCI-003007)
The organization reviews testing plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
PM-14 b
(CCI-003008)
The organization reviews training plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
PM-14 b
(CCI-003009)
The organization reviews monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
PM-15 PROGRAM MANAGEMENT : CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
PM-15 The organization establishes and institutionalizes contact with selected groups and associations within the security community:
PM-15a. To facilitate ongoing security education and training for organizational personnel;
PM-15 a
(CCI-003010)
The organization establishes and institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel.
PM-15b. To maintain currency with recommended security practices, techniques, and technologies; and
PM-15 b
(CCI-003011)
The organization establishes and institutionalizes contact with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies.
PM-15c. To share current security-related information including threats, vulnerabilities, and incidents.
PM-15 c
(CCI-003012)
The organization establishes and institutionalizes contact with selected groups and associations within the security community to share current security-related information including threats, vulnerabilities, and incidents.
PM-16 PROGRAM MANAGEMENT : THREAT AWARENESS PROGRAM
PM-16 The organization implements a threat awareness program that includes a cross-organization information-sharing capability.
PM-16
(CCI-003013)
The organization implements a threat awareness program that includes a cross-organization information-sharing capability.