NIST 800-53 Security Controls Catalog Revision 4

SORT Family ID Control Name

Count ID

AC-01 ACCESS CONTROL AC-1 ACCESS CONTROL POLICY AND

PROCEDURES

1
 AC-02 ACCESS CONTROL AC-2 ACCOUNT MANAGEMENT

AC-03 ACCESS CONTROL AC-3 ACCESS ENFORCEMENT

3
 AC-07 ACCESS CONTROL AC-7 UNSUCCESSFUL LOGON ATTEMPTS

AC-08 ACCESS CONTROL AC-8 SYSTEM USE NOTIFICATION

5
 AC-14 ACCESS CONTROL AC-14 PERMITTED ACTIONS WITHOUT
IDENTIFICATION OR
AUTHENTICATION

AC-17 ACCESS CONTROL AC-17 REMOTE ACCESS

7
 AC-18 ACCESS CONTROL AC-18 WIRELESS ACCESS

AC-19 ACCESS CONTROL AC-19 ACCESS CONTROL FOR MOBILE

DEVICES

9
 AC-20 ACCESS CONTROL AC-20 USE OF EXTERNAL INFORMATION
SYSTEMS

10

AC-22 ACCESS CONTROL AC-22 PUBLICLY ACCESSIBLE CONTENT

11
 AT-01 AWARENESS AND AT-1 SECURITY AWARENESS AND
TRAINING TRAINING POLICY
ANDPROCEDURES

12

AT-02 AWARENESS AND AT-2 SECURITY AWARENESS TRAINING

TRAINING

13
 AT-03 AWARENESS AND AT-3 ROLE-BASED SECURITY TRAINING
TRAINING

14

AT-04 AWARENESS AND AT-4 SECURITY TRAINING RECORDS

TRAINING

15

AU-01 AUDIT AND AU-1 AUDIT AND ACCOUNTABILITY

ACCOUNTABILITY POLICY AND
PROCEDURES

16
 AU-02 AUDIT AND AU-2 AUDIT EVENTS
ACCOUNTABILITY

17

AU-03 AUDIT AND AU-3 CONTENT OF AUDIT RECORDS

ACCOUNTABILITY

18

AU-04 AUDIT AND AU-4 AUDIT STORAGE CAPACITY

ACCOUNTABILITY

19
 AU-05 AUDIT AND AU-5 RESPONSE TO AUDIT PROCESSING
ACCOUNTABILITY FAILURES

20

AU-06 AUDIT AND AU-6 AUDIT REVIEW, ANALYSIS, AND

ACCOUNTABILITY REPORTING

21

AU-08 AUDIT AND AU-8 TIME STAMPS

ACCOUNTABILITY

22
 AU-09 AUDIT AND AU-9 PROTECTION OF AUDIT
ACCOUNTABILITY INFORMATION

23

AU-11 AUDIT AND AU-11 AUDIT RECORD RETENTION

ACCOUNTABILITY

24

AU-12 AUDIT AND AU-12 AUDIT GENERATION

ACCOUNTABILITY

25
 CA-01 SECURITY CA-1 SECURITY ASSESSMENT AND
ASSESSMENT AND AUTHORIZATION
AUTHORIZATION POLICY AND PROCEDURES

26
 CA-02 SECURITY CA-2 SECURITY ASSESSMENTS
ASSESSMENT AND
AUTHORIZATION

27
 CA-02 SECURITY CA-2 (1) SECURITY ASSESSMENTS |
(01) ASSESSMENT AND INDEPENDENT ASSESSORS
AUTHORIZATION

28

CA-03 SECURITY CA-3 SYSTEM INTERCONNECTIONS

ASSESSMENT AND
AUTHORIZATION

29
 CA-05 SECURITY CA-5 PLAN OF ACTION AND MILESTONES
ASSESSMENT AND
AUTHORIZATION

30

CA-06 SECURITY CA-6 SECURITY AUTHORIZATION

ASSESSMENT AND
AUTHORIZATION

31
 CA-07 SECURITY CA-7 CONTINUOUS MONITORING
ASSESSMENT AND
AUTHORIZATION

32

CA-09 SECURITY CA-9 INTERNAL SYSTEM CONNECTIONS

ASSESSMENT AND
AUTHORIZATION

33
 CM-01 CONFIGURATION CM-1 CONFIGURATION MANAGEMENT
MANAGEMENT POLICY AND
PROCEDURES

34

CM-02 CONFIGURATION CM-2 BASELINE CONFIGURATION

MANAGEMENT

35

CM-04 CONFIGURATION CM-4 SECURITY IMPACT ANALYSIS

MANAGEMENT

36
 CM-06 CONFIGURATION CM-6 CONFIGURATION SETTINGS
MANAGEMENT

37

CM-07 CONFIGURATION CM-7 LEAST FUNCTIONALITY

MANAGEMENT

38
 CM-08 CONFIGURATION CM-8 INFORMATION SYSTEM
MANAGEMENT COMPONENT INVENTORY

39

CM-10 CONFIGURATION CM-10 SOFTWARE USAGE RESTRICTIONS

MANAGEMENT

40

CM-11 CONFIGURATION CM-11 USER-INSTALLED SOFTWARE

MANAGEMENT

41
 CP-01 CONTINGENCY CP-1 CONTINGENCY PLANNING POLICY
PLANNING AND
PROCEDURES

42

CP-02 CONTINGENCY CP-2 CONTINGENCY PLAN

PLANNING

43
 CP-03 CONTINGENCY CP-3 CONTINGENCY TRAINING
PLANNING

44

CP-04 CONTINGENCY CP-4 CONTINGENCY PLAN TESTING

PLANNING

45

CP-09 CONTINGENCY CP-9 INFORMATION SYSTEM BACKUP

PLANNING

46
 CP-10 CONTINGENCY CP-10 INFORMATION SYSTEM RECOVERY
PLANNING AND
RECONSTITUTION

47

IA-01 IDENTIFICATION AND IA-1 IDENTIFICATION AND

AUTHENTICATION AUTHENTICATION POLICY AND
PROCEDURES

48
 IA-02 IDENTIFICATION AND IA-2 IDENTIFICATION AND
AUTHENTICATION AUTHENTICATION
(ORGANIZATIONAL USERS)

49

IA-02 IDENTIFICATION AND IA-2 (1) IDENTIFICATION AND

(01) AUTHENTICATION AUTHENTICATION | NETWORK
50 ACCESS TO PRIVILEGED
ACCOUNTS

IA-02 IDENTIFICATION AND IA-2 (12) IDENTIFICATION AND

(12) AUTHENTICATION AUTHENTICATION | ACCEPTANCE
OF PIV CREDENTIALS

51
 IA-04 IDENTIFICATION AND IA-4 IDENTIFIER MANAGEMENT
AUTHENTICATION

52

IA-05 IDENTIFICATION AND IA-5 AUTHENTICATOR MANAGEMENT

AUTHENTICATION

53
 IA-05 IDENTIFICATION AND IA-5 (1) AUTHENTICATOR MANAGEMENT |
(01) AUTHENTICATION PASSWORD-BASED
AUTHENTICATION

54

IA-05 IDENTIFICATION AND IA-5 (11) AUTHENTICATOR MANAGEMENT |

(11) AUTHENTICATION HARDWARE TOKEN-BASED
AUTHENTICATION
55

IA-06 IDENTIFICATION AND IA-6 AUTHENTICATOR FEEDBACK

AUTHENTICATION

56

IA-07 IDENTIFICATION AND IA-7 CRYPTOGRAPHIC MODULE

AUTHENTICATION AUTHENTICATION

57
 IA-08 IDENTIFICATION AND IA-8 IDENTIFICATION AND
AUTHENTICATION AUTHENTICATION (NON-
ORGANIZATIONAL USERS)

58

IA-08 IDENTIFICATION AND IA-8 (1) IDENTIFICATION AND

(01) AUTHENTICATION AUTHENTICATION | ACCEPTANCE
OF PIV CREDENTIALS FROM OTHER
AGENCIES
59

IA-08 IDENTIFICATION AND IA-8 (2) IDENTIFICATION AND

(02) AUTHENTICATION AUTHENTICATION | ACCEPTANCE
OF THIRD-PARTY CREDENTIALS

60

IA-08 IDENTIFICATION AND IA-8 (3) IDENTIFICATION AND

(03) AUTHENTICATION AUTHENTICATION | USE OF FICAM-
APPROVED PRODUCTS
61

IA-08 IDENTIFICATION AND IA-8 (4) IDENTIFICATION AND

(04) AUTHENTICATION AUTHENTICATION | USE OF FICAM-
ISSUED PROFILES

62
 IR-01 INCIDENT RESPONSE IR-1 INCIDENT RESPONSE POLICY AND
PROCEDURES

63

IR-02 INCIDENT RESPONSE IR-2 INCIDENT RESPONSE TRAINING

64

IR-04 INCIDENT RESPONSE IR-4 INCIDENT HANDLING

65
 IR-05 INCIDENT RESPONSE IR-5 INCIDENT MONITORING

66

IR-06 INCIDENT RESPONSE IR-6 INCIDENT REPORTING

67

IR-07 INCIDENT RESPONSE IR-7 INCIDENT RESPONSE ASSISTANCE

68
 IR-08 INCIDENT RESPONSE IR-8 INCIDENT RESPONSE PLAN

69

MA-01 MAINTENANCE MA-1 SYSTEM MAINTENANCE POLICY

AND PROCEDURES

70
 MA-02 MAINTENANCE MA-2 CONTROLLED MAINTENANCE

71

MA-04 MAINTENANCE MA-4 NONLOCAL MAINTENANCE

72
 MA-05 MAINTENANCE MA-5 MAINTENANCE PERSONNEL

73

MP-01 MEDIA PROTECTION MP-1 MEDIA PROTECTION POLICY AND

PROCEDURES

74

MP-02 MEDIA PROTECTION MP-2 MEDIA ACCESS

75
 MP-06 MEDIA PROTECTION MP-6 MEDIA SANITIZATION

76

MP-07 MEDIA PROTECTION MP-7 MEDIA USE

77
 PE-01 PHYSICAL AND PE-1 PHYSICAL AND ENVIRONMENTAL
ENVIRONMENTAL PROTECTION
PROTECTION POLICY AND PROCEDURES

78

PE-02 PHYSICAL AND PE-2 PHYSICAL ACCESS

ENVIRONMENTAL AUTHORIZATIONS
PROTECTION

79
 PE-03 PHYSICAL AND PE-3 PHYSICAL ACCESS CONTROL
ENVIRONMENTAL
PROTECTION

80

PE-06 PHYSICAL AND PE-6 MONITORING PHYSICAL ACCESS

ENVIRONMENTAL
PROTECTION

81
 PE-08 PHYSICAL AND PE-8 VISITOR ACCESS RECORDS
ENVIRONMENTAL
PROTECTION

82

PE-12 PHYSICAL AND PE-12 EMERGENCY LIGHTING

ENVIRONMENTAL
PROTECTION

83

PE-13 PHYSICAL AND PE-13 FIRE PROTECTION

ENVIRONMENTAL
PROTECTION

84

PE-14 PHYSICAL AND PE-14 TEMPERATURE AND HUMIDITY

ENVIRONMENTAL CONTROLS
PROTECTION

85

PE-15 PHYSICAL AND PE-15 WATER DAMAGE PROTECTION

ENVIRONMENTAL
PROTECTION

86
 PE-16 PHYSICAL AND PE-16 DELIVERY AND REMOVAL
ENVIRONMENTAL
PROTECTION

87

PL-01 PLANNING PL-1 SECURITY PLANNING POLICY AND

PROCEDURES

88
 PL-02 PLANNING PL-2 SYSTEM SECURITY PLAN

89

PL-04 PLANNING PL-4 RULES OF BEHAVIOR

90
 PS-01 PERSONNEL PS-1 PERSONNEL SECURITY POLICY
SECURITY AND PROCEDURES

91

PS-02 PERSONNEL PS-2 POSITION RISK DESIGNATION

SECURITY

92

PS-03 PERSONNEL PS-3 PERSONNEL SCREENING

SECURITY

93
 PS-04 PERSONNEL PS-4 PERSONNEL TERMINATION
SECURITY

94

PS-05 PERSONNEL PS-5 PERSONNEL TRANSFER

SECURITY

95
 PS-06 PERSONNEL PS-6 ACCESS AGREEMENTS
SECURITY

96

PS-07 PERSONNEL PS-7 THIRD-PARTY PERSONNEL

SECURITY SECURITY

97
 PS-08 PERSONNEL PS-8 PERSONNEL SANCTIONS
SECURITY

98

RA-01 RISK ASSESSMENT RA-1 RISK ASSESSMENT POLICY AND

PROCEDURES

99
 RA-02 RISK ASSESSMENT RA-2 SECURITY CATEGORIZATION

100

RA-03 RISK ASSESSMENT RA-3 RISK ASSESSMENT

101
 RA-05 RISK ASSESSMENT RA-5 VULNERABILITY SCANNING

102

SA-01 SYSTEM AND SA-1 SYSTEM AND SERVICES

SERVICES ACQUISITION POLICY AND
ACQUISITION PROCEDURES

103
 SA-02 SYSTEM AND SA-2 ALLOCATION OF RESOURCES
SERVICES
ACQUISITION

104

SA-03 SYSTEM AND SA-3 SYSTEM DEVELOPMENT LIFE

SERVICES CYCLE
ACQUISITION

105
 SA-04 SYSTEM AND SA-4 ACQUISITION PROCESS
SERVICES
ACQUISITION

106
 SA-05 SYSTEM AND SA-5 INFORMATION SYSTEM
SERVICES DOCUMENTATION
ACQUISITION

107

SA-09 SYSTEM AND SA-9 EXTERNAL INFORMATION SYSTEM

SERVICES SERVICES
ACQUISITION

108
 SC-01 SYSTEM AND SC-1 SYSTEM AND COMMUNICATIONS
COMMUNICATIONS PROTECTION
PROTECTION POLICY AND PROCEDURES

109

SC-05 SYSTEM AND SC-5 DENIAL OF SERVICE PROTECTION

COMMUNICATIONS
PROTECTION

110

SC-07 SYSTEM AND SC-7 BOUNDARY PROTECTION

COMMUNICATIONS
PROTECTION

111
 SC-12 SYSTEM AND SC-12 CRYPTOGRAPHIC KEY
COMMUNICATIONS ESTABLISHMENT AND
PROTECTION MANAGEMENT

112

SC-13 SYSTEM AND SC-13 CRYPTOGRAPHIC PROTECTION

COMMUNICATIONS
PROTECTION

113

SC-15 SYSTEM AND SC-15 COLLABORATIVE COMPUTING

COMMUNICATIONS DEVICES
PROTECTION

114
 SC-20 SYSTEM AND SC-20 SECURE NAME /ADDRESS
COMMUNICATIONS RESOLUTION SERVICE
PROTECTION (AUTHORITATIVE SOURCE)

115

SC-21 SYSTEM AND SC-21 SECURE NAME /ADDRESS

COMMUNICATIONS RESOLUTION SERVICE
PROTECTION (RECURSIVE OR CACHING
RESOLVER)

116

SC-22 SYSTEM AND SC-22 ARCHITECTURE AND

COMMUNICATIONS PROVISIONING FOR
PROTECTION NAME/ADDRESS RESOLUTION
SERVICE

117
 SC-39 SYSTEM AND SC-39 PROCESS ISOLATION
COMMUNICATIONS
PROTECTION

118

SI-01 SYSTEM AND SI-1 SYSTEM AND INFORMATION

INFORMATION INTEGRITY POLICY AND
INTEGRITY PROCEDURES

119
 SI-02 SYSTEM AND SI-2 FLAW REMEDIATION
INFORMATION
INTEGRITY

120
 SI-03 SYSTEM AND SI-3 MALICIOUS CODE PROTECTION
INFORMATION
INTEGRITY

121
 SI-04 SYSTEM AND SI-4 INFORMATION SYSTEM
INFORMATION MONITORING
INTEGRITY

122

SI-05 SYSTEM AND SI-5 SECURITY ALERTS, ADVISORIES,

INFORMATION AND DIRECTIVES
INTEGRITY

123
 SI-12 SYSTEM AND SI-12 INFORMATION HANDLING AND
INFORMATION RETENTION
INTEGRITY

124

SI-16 SYSTEM AND SI-16 MEMORY PROTECTION

INFORMATION
INTEGRITY

125
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
NIST Control Description
(From NIST SP 800-53r4 1/23/15)

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizat
entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secur
controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regul
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed.

The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100.
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignme
organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other att
(as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined proc
or conditions];
g. Monitors the use of, information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Supplemental Guidance: Information system account types include individual, shared, group, system, guest/anonymous, emergency,
developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented b
organizational information systems. The identification of authorized users of the information system and the specification of access privileges
the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receiv
additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer)
responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by a
by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day,
week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenan
system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel
requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts
intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a ne
short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to cris
situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization
processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for sp
tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic
disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temp
accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may requir
specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-8, CM-5, CM-6, CM-1
3, MA-4, MA-5, PL-4, SC-13.
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicab
access control policies.

Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforc
mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users o
processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition
enforcing authorized access at the information system level and recognizing that information systems can host many applications and service
support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and se
level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-2
9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.

References: None.
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organiza
defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until releas
an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of
unsuccessful attempts is exceeded.

Supplemental Guidance: This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential fo
denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined ti
period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different info
system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both
operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5.

References: None.

The information system:

a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that
provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, an
guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on
further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that g
prohibit those activities; and
3. Includes a description of the authorized uses of the system.

Supplemental Guidance: System use notifications can be implemented using messages or warning banners displayed before individuals log
information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such
human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on sp
organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel fo
review and approval of warning banner content.

Control Enhancements: None.

References: None.
The organization:
a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authen
consistent with organizational missions/business functions; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or
authentication.

Supplemental Guidance: This control addresses situations in which organizations determine that no identification or authentication is required
organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including
example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phon
receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may
certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for
example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmoni
use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to
situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be
performed on organizational information systems without identification and authentication and thus, the values for assignment statements can
none. Related controls: CP-2, IA-2.

Control Enhancements: None.

(1) PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | NECESSARY USES

[Withdrawn: Incorporated into AC-14].

References: None.

The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remo
access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.

Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users)
communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless
Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The u
encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security co
(e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organiza
that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN d
not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately m
network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or sys
designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such
authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements a
required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-
AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.

References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121.

The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information system prior to allowing such connections.

Supplemental Guidance: Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless
networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls
AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4.

References: NIST Special Publications 800-48, 800-94, 800-97.

The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-contro
mobile devices; and
b. Authorizes the connection of mobile devices to organizational information systems.

Supplemental Guidance: A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single
individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-
removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication
capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote loc
Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usua
close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The
processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, dependin
the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilitie
organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance fo
mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protec
software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critica
software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling
unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices go
beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in th
catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring proces
There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-
addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, M
MP-5, PL-4, SC-7, SC-43, SI-3, SI-4.

References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164.
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operat
and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from external information systems; and
b. Process, store, or transmit organization-controlled information using external information systems.

Supplemental Guidance: External information systems are information systems or components of information systems that are outside of the
authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the
application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) pers
owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned comput
communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports)
information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned b
operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information system
the processing, storage, or transmission of
organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or softwar
service) from organizational information systems.

For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to th
agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that n
explicit terms and conditions are required. Information systems within these organizations
would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or
explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified b
applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, o
individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of b
with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may
depending upon the
trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on
local, or tribal governments.

This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g.,
individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external informat
systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applicatio
can be accessed on organizational information systems from external information systems; and the highest security category of information th
be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems
be established, organizations may impose restrictions on organizational personnel using those external systems. Related controls: AC-3, AC-
19, CA-3, PL-4, SA-9.

References: FIPS Publication 199.

The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic inform
is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency]
removes such information, if discovered.

Supplemental Guidance: In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the
general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information
control addresses information systems that are controlled by the organization and accessible to the general public, typically without identificati
authentication. The posting of information on
non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13.

Control Enhancements: None.

References: None.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination a
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training
controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secu
controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regul
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-16, 800-50, 800-100.

The organization provides basic security awareness training to information system users (including managers, senior executives, and contrac
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance: Organizations determine the appropriate content of security awareness training and security awareness techniques
on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a b
understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The c
also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, o
supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen
messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4.

References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); Executive Order 13587; NIST Special Publication 800-50.
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance: Organizations determine the appropriate content of security training based on the assigned roles and responsibilitie
individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In
addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials,
information system managers, system/network administrators, personnel conducting configuration management and auditing activities, person
performing independent verification and validation activities, security control assessors, and other personnel having access to system-level so
adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses
management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasur
Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations als
provide the training necessary for individuals to carry out their responsibilities related to operations and
supply chain security within the context of organizational information security programs. Role-based security training also applies to contracto
providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16.

References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); NIST Special Publications 800-16, 800-50.

The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific
information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].

Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization
Related controls: AT-2, AT-3, PM-14.

Control Enhancements: None.

References: None.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secu
controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regul
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-100.

The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit- related information to enhance mutual support and
guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after- the-fact investigations of security incidents;
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (th
subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

Supplemental Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events
those events which are significant and relevant to the security of information systems and the environments in which those systems operate in
to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related
information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable e
organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with oth
information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For exa
organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but
activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including
need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable even
are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at v
levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critic
aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditabl
events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are
distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-1
4, MP-2, MP-4, SI-4.

References: NIST Special Publication 800-92; Web: http://idmanagement.gov.

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred
the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event

Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time sta
source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access contro
flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state
information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11.

References: None.

The organization allocates audit record storage capacity in accordance with [Assignment:
organization-defined audit record storage requirements].

Supplemental Guidance: Organizations consider the types of auditing to be performed and the audit processing requirements when allocating
storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the poten
loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4.

References: None.
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrit
oldest audit records, stop generating audit records)].

Supplemental Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms
audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failure
by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct infor
system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories
combined), or both. Related controls: AU-4, SI-12.

References: None.

The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment:
organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles].

Supplemental Guidance: Audit review, analysis, and reporting covers information security-related auditing performed by organizations includi
example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuratio
settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equip
delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported t
organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations ar
prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or
systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, A
AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, S
7.

References: None.

The information system:

a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and me
[Assignment: organization-defined granularity of time measurement].

Supplemental Guidance: Time stamps generated by the information system include date and time. Time is commonly expressed in Coordina
Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time
measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchron
within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system compo
Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the n
of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12.

References: None.
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfu
information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is address
media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6.

References: None.

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide su
for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Supplemental Guidance: Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, aud
other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA
requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actio
standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules
provide federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP-6.

References: None.

The information system:

a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information sys
components];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of
information system; and
c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Supplemental Guidance: Audit records can be generated from many different information system components. The list of audited events is th
events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of
generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7.

References: None.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordin
among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and
authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secur
controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regul
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-37, 800-53A, 800-100.

The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to
determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect
meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

Supplemental Guidance: Organizations assess security controls in organizational information systems and the environments in which those s
operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system
development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii)
weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as par
security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implem
security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans a
Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system
monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessm
results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the
security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security
requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to tho
activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or rol
appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decision
provided to authorizing officials or authorizing official designated representatives.

To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing inform
system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessm
results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor indepen
Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with addi
assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls durin
continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational con
monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audi
audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5
11, SA-12, SI-4.

References: Executive Order 13587; FIPS Publication 199; NIST Special Publications 800-37, 800-39, 800-53A, 800-115, 800-137.
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security
assessments.

Supplemental Guidance: Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of
organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to
development, operation, or management of the organizational information systems under assessment or to the determination of security contr
effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assess
are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place them
in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organ
or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independe
based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individu
Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be
make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independenc
example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of ass
conducting assessments. In special situations,
for example, when organizations that own the information systems are small or organizational structures require that assessments are conduc
individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can b
achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completen
accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to
authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby
reducing the need to
repeat assessments.

The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated;
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].

Supplemental Guidance: This control applies to dedicated connections between information systems (i.e., system interconnections) and does
apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be
introduced when information systems are connected to other systems with different security requirements and security controls, both within
organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the
appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconne
Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respec
security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop
Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective system
Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections esta
between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the
networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in pla
during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security contro
Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4.

References: FIPS Publication 199; NIST Special Publication 800-47.

The organization:
a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct
weaknesses or deficiencies noted during
the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls
assessments, security impact analyses, and continuous monitoring activities.

Supplemental Guidance: Plans of action and milestones are key documents in security authorization packages and are subject to federal rep
requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4.

References: OMB Memorandum 02-01; NIST Special Publication 800-37.

The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].

Supplemental Guidance: Security authorizations are official management decisions, conveyed through authorization decision documents, by
organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to
organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security co
Authorizing officials provide budgetary
oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. Th
security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through th
security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation
use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with unders
and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information sy
by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so se
reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical informatio
contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an o
basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information
systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of
continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. Related controls: CA-2
PM-9, PM-10.

Control Enhancements: None.

References: OMB Circular A-130; OMB Memorandum 11-33; NIST Special Publications 800-37, 800-137.
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for
assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignm
organization-defined frequency].

Supplemental Guidance: Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to
organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and
information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring
programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain
security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing
mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through
reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoin
security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware
inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide
information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the se
categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4.

References: OMB Memorandum 11-33; NIST Special Publications 800-37, 800-39, 800-53A, 800-115, 800-137; US-CERT Technical Cyber S
Alerts; DoD Information Assurance Vulnerability Alerts.

The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the
information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communica

Supplemental Guidance: This control applies to connections between organizational information systems and (separate) constituent system
components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, pr
copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can aut
internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, a
copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related co
AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4.

References: None.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; a
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secur
controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regu
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-100.

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

Supplemental Guidance: This control establishes baseline configurations for information systems and system components including
communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon se
specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds,
releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., sta
software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers
patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement
those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational inform
systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3,
CM-8, CM-9, SA-10, PM-5, PM-7.

References: NIST Special Publication 800-128.

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

Supplemental Guidance: Organizational personnel with information security responsibilities (e.g., Information System Administrators, Informa
System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analys
Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information system
the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security contr
requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the co
Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional s
controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related con
CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2.

References: NIST Special Publication 800-128.

The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assig
organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined informati
system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Supplemental Guidance: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware component
information system that affect the security posture and/or functionality of the system. Information technology products for which security- relat
configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web
proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, route
gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications.
Security-related parameters are those parameters impacting the security state of information systems including the parameters required to sa
other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permissio
settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configur
settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration
baseline.

Common secure configurations (also referred to as security configuration checklists, lockdown

and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established
benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring
information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizat
including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, a
other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Bas
(USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (
and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, trac
control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls:
19, CM-2, CM-3, CM-7, SI-4.

References: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: http://nvd.nist.gov, http://checklists.nist
http://www.nsa.gov.

The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or re
functions, ports, protocols, and/or services].

Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provi
default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes conv
to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any
component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but
both). Organizations review functions and services provided by information systems or individual components of information systems, to deter
which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file shar
Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protoco
Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or
unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protection
as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. R
controls: AC-6, CM-2, RA-5, SA-5, SC-7.

References: DoD Instruction 8551.01.

The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountab
and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].

Supplemental Guidance: Organizations may choose to implement centralized information system component inventories that include compon
from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific infor
required for proper component accountability (e.g., information system association, information system owner). Information deemed necessar
effective accountability of information system components includes, for example, hardware inventory specifications, software license informati
software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory
specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM

References: NIST Special Publication 800-128.

The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distrib
display, performance, or reproduction of copyrighted work.

Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated metho
(e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7.

References: None.

The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].

Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems.
maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Pe
software installations may include, for example, updates and security patches to existing software and downloading applications from organiza
approved “app stores.” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software th
organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-develope
provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), auto
methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5
6, CM-7, PL-4.

References: None.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secur
controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regul
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: Federal Continuity Directive 1; NIST Special Publications 800-12, 800-34, 800-100.

The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemente
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by ro
organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems
encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by ro
organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.

Supplemental Guidance: Contingency planning for information systems is part of an overall organizational program for achieving continuity of
operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alterna
mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such pl
throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware developm
be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organization
information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system
recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to informa
system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiven
such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include
example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in
reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can
that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6
CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11.

References: Federal Continuity Directive 1; NIST Special Publication 800-34.

The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational
personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to k
when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require addition
training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more spec
training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other govern
entities for purposes of coordination on
contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency pla
Related controls: AT-2, AT-3, CP-2, IR-2.

References: Federal Continuity Directive 1; NIST Special Publications 800-16, 800-50.

The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defin
tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.

Supplemental Guidance: Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weakness
the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exerci
Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organiz
operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, a
timelines of corrective actions. Related controls: CP-2, CP-3, IR-3.

References: Federal Continuity Directive 1; FIPS Publication 199; NIST Special Publications 800-34, 800-84.

The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent wi
recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent
recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined freque
consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

Supplemental Guidance: System-level information includes, for example, system-state information, operating system and application software
licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to prote
integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup inform
while in transit is beyond the
scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements f
backing up information. Related controls: CP-2, CP-6, MP-4, MP-5, SC-13.

References: NIST Special Publication 800-34.

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or fai

Supplemental Guidance: Recovery is executing information system contingency plan activities to restore organizational missions/business fu
Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states
Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and establish
organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information syste
capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information sy
capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the sy
against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automat
mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24.

References: Federal Continuity Directive 1; NIST Special Publication 800-34.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication
controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secu
controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regula
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: FIPS Publication 201; NIST Special Publications 800-12, 800-63, 800-73, 800-76, 800-78, 800-100.
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Supplemental Guidance: Organizational users include employees or individuals that organizations deem to have equivalent status of employe
(e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented
14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require u
identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations
employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof
Access to organizational information systems is defined as either local access or network access. Local access is any access to organizationa
information systems by users (or processes acting on behalf of users) where such access is
obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or proc
acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of n
access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide are
networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization- controlled endpoint
non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity o
information traversing the network.

Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Se
Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or
different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number
(ii) something you have (e.g.,
cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and sm
cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and
authenticating users at the information system level
(i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide
increased information security. Identification and authentication requirements for other than organizational users are described in IA-8. Relate
controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8.

References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800
FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.

The information system implements multifactor authentication for network access to privileged accounts.

Supplemental Guidance: Related control: AC-6.

The information system accepts and electronically verifies Personal Identity Verification (PIV)
credentials.

Supplemental Guidance: This control enhancement applies to organizations implementing logical access control systems (LACS) and physic
access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform
FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the
requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4.
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

Supplemental Guidance: Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or d
unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonym
accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instan
the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necess
associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems
access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or
identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37.

References: FIPS Publication 201; NIST Special Publications 800-73, 800-76, 800-78.

The organization manages information system authenticators by:

a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authentica
and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.

Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial
authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum
password length). In many cases, developers ship information system components with factory default authentication credentials to allow for i
installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security ri
requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individua
by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or
encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support indi
authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, m
password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections duri
verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining
possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised
authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary a
such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2
AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.

References: OMB Memoranda 04-04, 11-11; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78; FICAM Roadm
and Implementation Guidance
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, m
upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined num
(c) Stores and transmits only encrypted representations of passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, life
maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or grou
authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply whe
passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password
mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encryp
versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes
required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwo
Related control: IA-6.

The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token
requirements].

Supplemental Guidance: Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government
Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI.

The information system obscures feedback of authentication information during the authentication process to protect the information from pos
exploitation/use by unauthorized individuals.

Supplemental Guidance: The feedback from information systems does not provide information that would allow unauthorized individuals to
compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks wi
relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for ex
mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of
typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly.
Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input device
displaying feedback for a very limited time before fully obscuring it. Related control: PE-18.

Control Enhancements: None.

References: None.

The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federa
Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing th
module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-1
13.

Control Enhancements: None.

References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html.

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational us

Supplemental Guidance: Non-organizational users include information system users other than organizational users explicitly covered by IA-2
These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC
accordance with the E-Authentication E-Government initiative, authentication of non- organizational users accessing federal information syste
may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizati
use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ea
use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identificat
authentication requirements for access to information systems by organizational users. Related controls: AC-2, AC-14, AC-17, AC-18, IA-2, IA
5, MA-4, RA-3, SA-12, SC-8.

References: OMB Memoranda 04-04, 11-11, 10-06-2011; FICAM Roadmap and Implementation Guidance; FIPS Publication 201; NIST Spec
Publications 800-63, 800-116; National Strategy for Trusted Identities in Cyberspace; Web: http://idmanagement.gov.

The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

Supplemental Guidance: This control enhancement applies to logical access control systems (LACS) and physical access control systems (P
Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and sup
guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 t
enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4.

The information system accepts only FICAM-approved third-party credentials.

Supplemental Guidance: This control enhancement typically applies to organizational information systems that are accessible to the general
for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the F
Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed
of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government re
parties to trust such credentials at their approved assurance levels. Related control: AU-2.

The organization employs only FICAM-approved information system components in [Assignment:

organization-defined information systems] to accept third-party credentials.

Supplemental Guidance: This control enhancement typically applies to information systems that are accessible to the general public, for exam
public-facing websites. FICAM-approved information system components include, for example, information technology products and software
libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program. Related control: SA-4.

The information system conforms to FICAM-issued profiles.

Supplemental Guidance: This control enhancement addresses open identity management standards. To ensure that these standards are viab
robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United Sta
Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, dire
policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols su
SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange). Related control: SA-4.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organi
entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secu
controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regula
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-61, 800-83, 800-100.

The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.

Supplemental Guidance: Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizati
personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know
call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remedi
incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident respo
training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related contro
3, CP-3, IR-8.

References: NIST Special Publications 800-16, 800-50.

The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication
recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, an
implements the resulting changes accordingly.

Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational informat
systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part
definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from
variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and re
supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example,
mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, l
departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR
8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.

References: Executive Order 13587; NIST Special Publication 800-61.

The organization tracks and documents information system security incidents.

Supplemental Guidance: Documenting information system security incidents includes, for example, maintaining records about each incident,
status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident inform
can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monito
physical access monitoring, and user/administrator reports. Related controls: AU-6, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.

References: NIST Special Publication 800-61.

The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organizatio
defined time period]; and
b. Reports security incident information to [Assignment: organization-defined authorities].

Supplemental Guidance: The intent of this control is to address both specific incident reporting requirements within an organization and the fo
incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, th
receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content a
timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, pol
standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) repo
security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-
Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8.

References: NIST Special Publication 800-61; Web: http://www.us-cert.gov.

The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice
assistance to users of the information system for the handling and reporting of security incidents.

Supplemental Guidance: Incident response support resources provided by organizations include, for example, help desks, assistance groups
access to forensics services, when required. Related controls: AT-2, IR-4, IR-6, IR-8, SA-9.
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/
role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, exec
or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and
role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification.

Supplemental Guidance: It is important that organizations develop and implement a coordinated approach to incident response. Organization
missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capa
As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external
organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information
systems. Related controls: MP-2, MP-4, MP-5.

Control Enhancements: None.

References: NIST Special Publication 800-61.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secu
controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regu
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-100.

The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with
manufacturer or vendor specifications and/or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or
removed to another location;
c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system
components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance
repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actio
and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.

Supplemental Guidance: This control addresses the information security aspects of the information system maintenance program and applies
types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty,
house, software maintenance agreement). System maintenance also includes those components not directly associated with information proc
and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records in
for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary;
description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification nu
if applicable). The level of detail included in maintenance records can be informed by
the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement compo
for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2.

References: None.

The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security p
the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed.

Supplemental Guidance: Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through
network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities c
out by individuals physically present at the information system or information system component and not communicating across a network
connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access
requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor
authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase
biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3
IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17.

References: FIPS Publications 140-2, 197, 201; NIST Special Publications 800-63, 800-88; CNSS Policy 15.
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities
personnel who do not possess the required access authorizations.

Supplemental Guidance: This control applies to individuals performing hardware or software maintenance on organizational information syste
while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the sys
(e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance perfo
on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previo
identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultant
require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no
Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may
one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3.

References: None.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organiza
entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secu
controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regu
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-100.

The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-d
personnel or roles].

Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes
magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for exam
paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community ho
unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for ex
limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the developme
team. Related controls: AC-3, IA-2, MP-4, PE-2, PE-3, PL-2.
The organization:
a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release fo
using [Assignment: organization- defined sanitization techniques and procedures] in accordance with applicable federal and organizational sta
and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the informatio

Supplemental Guidance: This control applies to all information system media, both digital and non- digital, subject to disposal or reuse, whet
not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, netw
components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved
reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information
unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods
recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use
discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public
domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitiza
non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sectio
words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the docume
NSA standards and policies control the sanitization process for media containing classified information. Related controls: MA-2, MA-4, RA-3, S

References: FIPS Publication 199; NIST Special Publications 800-60, 800-88; Web:
http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml.

The organization [Selection: restricts; prohibits] the use of [Assignment: organization- defined types of information system media] on [Assignm
organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].

Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes
magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for exam
paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In
contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for exam
restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.
policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage
devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to i
read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for exampl
devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally,
organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, porta
storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL

References: None.
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordina
among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmenta
protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secu
controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regul
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-100.

The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required.

Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others)
permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, ident
cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smar
or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have
been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3.

References: None
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system
by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control
systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicl
accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised
individuals are transferred or terminated.

Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others)
permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed
including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physica
access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizatio
facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secur
areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and
guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and a
management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can
procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by
card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems an
components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals
be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6,
MP-4, PE-2, PE-4, PE-5, PS-3, RA-3.

Supplemental Guidance: Related controls: CA-2, CA-7.

The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined ev
potential indications of events]; and
c. Coordinates results of reviews and investigations with the organizational incident response capability.

Supplemental Guidance: Organizational incident response capabilities include investigations of and responses to detected physical security
incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical ac
activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesse
unusual lengths of time; and (iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8.

References: None.
The organization:
a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
b. Reviews visitor access records [Assignment: organization-defined frequency].

Supplemental Guidance: Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms o
identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access r
are not required for publicly accessible areas.

References: None.

The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outag
disruption and that covers emergency exits and evacuation routes within the facility.

Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for ex
data centers, server rooms, and mainframe computer rooms. Related controls: CP-2, CP-7.

References: None.

The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an
independent energy source.

Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for ex
data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler
systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

References: None.

The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined
acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].

Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources, for example, da
centers, server rooms, and mainframe computer rooms. Related control: AT-3.

References: None.

The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves tha
accessible, working properly, and known to key personnel.

Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for ex
data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves
shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3.

References: None.
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and
the facility and maintains records of those items.

Supplemental Guidance: Effectively enforcing authorizations for entry and exit of information system components may require restricting acce
delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, S

References: None.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organiza
entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secur
controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regula
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-18, 800-100.

The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization’s enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementa
decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel
roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation
security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.

Supplemental Guidance: Security plans relate security requirements to a set of security controls and control enhancements. Security plans al
describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed,
technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (inc
the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and
implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operation
assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance
security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized
requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity,
Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.

Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effe
security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifica
where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maint
security-related information in other established management/operational areas related to enterprise architecture, system development life cy
systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan informa
instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC
6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-
17.

References: NIST Special Publication 800-18.

The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilit
expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of
behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a p
version of the rules of behavior to read and
resign when the rules of behavior are revised/updated.

Supplemental Guidance: This control enhancement applies to organizational users. Organizations consider rules of behavior based on individ
user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users.
Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/informati
from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the
systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL
(the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training progr
conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of
behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, S

References: NIST Special Publication 800-18.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organiz
entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secu
controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regul
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-100.

The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations [Assignment: organization-defined frequency].

Supplemental Guidance: Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide
inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening
include explicit information security role appointment requirements (e.g., training, security clearances). Related controls: AT-3, PL-2, PS-3.

Control Enhancements: None.

References: 5 C.F.R. 731.106(a).

The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indica
the frequency of such rescreening].

Supplemental Guidance: Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulati
policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define differe
rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or tran
by the systems. Related controls: AC-2, IA-4, PE-2, PS-2.

References: 5 C.F.R. 731.106; FIPS Publications 199, 201; NIST Special Publications 800-60, 800-73, 800-76, 800-78; ICD 704.
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

Supplemental Guidance: Information system-related property includes, for example, hardware authentication tokens, system administration
technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security
constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security to
interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on
employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses
nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is
essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individ
that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6.

References: None.

The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities whe
individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following
formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

Supplemental Guidance: This control applies when reassignments or transfers of individuals are permanent or of such extended durations as
make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or exten
Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning
and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) ch
information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at p
work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4.

Control Enhancements: None.

References: None.
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or
[Assignment: organization-defined frequency].

Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior
conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to
by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatu
acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8.

References: None.

The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of
party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organi
defined time period]; and
e. Monitors provider compliance.

Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing informatio
system development, information technology services, outsourced applications, and network and security management. Organizations explici
include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizationa
facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ens
appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-relate
characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or termina

Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21.

Control Enhancements: None.

References: NIST Special Publication 800-35.

The organization:
a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employ
sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Supplemental Guidance: Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies
standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies
procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related
controls: PL-4, PS-6.

Control Enhancements: None.

References: None.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizat
entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secu
controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regul
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-30, 800-100.

The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regu
standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated
representative.

Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security
categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational informa
and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categoriza
process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information syst
owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other
organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level
impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and alo
CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, M
RA-3, SC-7.

Control Enhancements: None.

References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60.

The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption
modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information sy
or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security sta
the system.

Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take in
account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation
on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers,
contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing
entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information s
may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public acce
federal information systems.

Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level,
mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can al
conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implemen
security control assessment, information
system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the
implementation of other controls in order to complete the
first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, parti
during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9.

Control Enhancements: None.

References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web:idmanagement.gov.
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in
accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and rep
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability
management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment
and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defi
personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans.
Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerab
such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require ad
approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these a
approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews.
Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should
accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms.
Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and th
the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability
information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security co
assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider usin
that express vulnerability impact by the

Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2.

References: NIST Special Publications 800-40, 800-70, 800-115; Web: http://cwe.mitre.org, http://nvd.nist.gov.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination a
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition
controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secu
controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regul
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-100.

The organization:
a. Determines information security requirements for the information system or information system service in mission/business process plannin
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its
planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.

Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system
acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11.

Control Enhancements: None.

References: NIST Special Publication 800-65.

The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information sec
considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities.

Supplemental Guidance: A well-defined system development life cycle provides the foundation for the successful development, implementatio
operation of organizational information systems. To apply the required security controls within the system development life cycle requires a ba
understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security
engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system componen
(including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chie
information security officers, security architects, security engineers, and information system security officers in system development life cycle
activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers
individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are eff
integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles a
responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effecti
integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed earl
system development life cycle and that those considerations are directly related to the organizational mission/business processes. This proce
facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk manageme
information security strategies. Related controls: AT-3, PM-7, SA-8.

Control Enhancements: None.

References: NIST Special Publications 800-37, 800-64.

The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the
information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directive
policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.

Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, o
firmware) that represent the building blocks of an information system. Information system components include commercial information techno
products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength require
associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and
resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodo
and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has bee
implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system
development life cycle.

Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that
been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values
through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Secu
documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail r
in security documentation is based on the security category or classification level of the information system and the degree to which organizat
depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizationa
management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions,
protocols, and services. Acceptance criteria for information systems, information system components, and information system services are de
the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103
contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12.

References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 80
800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far.
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such document
either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and e. Distributes documentation to [Assignment:
organization-defined personnel or roles].

Supplemental Guidance: This control helps organizational personnel understand the implementation and operation of security controls assoc
with information systems, system components, and information system services. Organizations consider establishing specific measures to de
the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the
information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate se
documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection prov
selected information system, component, or service documentation is commensurate with the security category or classification of the system
example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level o
protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increas
of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system ope
after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4.

References: None.

The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ
[Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulat
standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external servic
providers on an ongoing basis.

Supplemental Guidance: External information system services are services that are implemented outside of the authorization boundaries of
organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and
policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating
information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencie
required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through join
ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain
exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For s
external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider
potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chai
trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relations
the relationships can be monitored over time. External information system services documentation includes government, service providers, en
security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security co
describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls
IR-7, PS-7.

References: NIST Special Publication 800-35.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordin
among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communicati
protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secu
controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regul
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-100.

The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defin
types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safegu

Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For examp
boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks f
being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also
the susceptibility to denial of service attacks. Related controls: SC-6, SC-7.

References: None.

The information system:

a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal
organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged
accordance with an organizational security architecture.

Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analy
virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateway
residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitariz
zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web t
designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizatio
consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of s
services. Commercial telecommunications services are commonly based on network components and consolidated management systems sh
all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission se
may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, S
SC-13.

References: FIPS Publication 199; NIST Special Publications 800-41, 800-77.

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordan
[Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mech
with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executiv
Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations mana
trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizationa
information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.

References: NIST Special Publications 800-56, 800-57.

The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in
accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Supplemental Guidance: Cryptography can be employed to support a variety of security solutions including, for example, the protection of cla
and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized
individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be us
support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography a
NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography
required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography re
(e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography). Related c
AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7.

References: FIPS Publication 140; Web: http://csrc.nist.gov/cryptval, http://www.cnss.gov.

The information system:

a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions
remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices.

Supplemental Guidance: Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit
indication of use includes, for example, signals to users when collaborative computing devices are activated. Related control: AC-21.

References: None.
The information system:
a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to ex
name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification
chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

Supplemental Guidance: This control enables external clients including, for example, remote Internet clients, to obtain origin authentication an
integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information
systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts inc
for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. Th
means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS
security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS t
between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related c
AU-10, SC-8, SC-12, SC-13, SC-21, SC-22.

References: OMB Memorandum 08-23; NIST Special Publication 800-81.

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution respon
the system receives from authoritative sources.

Supplemental Guidance: Each client of name resolution services either performs this validation on its own, or has authenticated channels to t
validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive re
or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenti
channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between
host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Rel
controls: SC-20, SC-22.

References: NIST Special Publication 800-81.

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement
internal/external role separation.

Supplemental Guidance: Information systems that provide name and address resolution services include, for example, domain name system
servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system
servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy th
servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers
internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with exter
roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks includin
the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists)
Related controls: SC-2, SC-20, SC-21, SC-24.

Control Enhancements: None.

References: NIST Special Publication 800-81.

The information system maintains a separate execution domain for each executing process.

Supplemental Guidance: Information systems can maintain separate execution domains for each executing process by assigning each proce
separate address space. Each information system process has a distinct address space so that communication between processes is perform
manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate
execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is availa
most commercial operating systems that employ multi-state processor technologies. Related controls: AC-3, AC-4, AC-6, SA-4, SA-5, SA-8, S
SC-3.

References: None.

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination a
organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity
controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected secu
controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regula
policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conver
can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the secu
program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishi
policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-100.

The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization- defined time period] of the release of the updates
d. Incorporates flaw remediation into the organizational configuration management process.
Supplemental Guidance: Organizations identify information systems affected by announced software flaws including potential vulnerabilities
resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Securit
relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws
discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take
advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) data
in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration managem
processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified inc
for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defin
periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security catego
the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw reme
may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remedi
activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determ
that the testing of software and/or firmware updates is not necessary or practical,
for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-r
software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, C
CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11.
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration
management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external
sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with
organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined
action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availabilit
information system.

Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy s
remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan
horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or h
files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, elec
mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system
vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies
variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and
comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-she
software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other ty
cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always d
such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration
management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions o
than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warran
For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection
malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM
MP-2, SA-4, SA-8, SA-12, SA-13,
SC-7, SC-26, SC-44, SI-2, SI-4, SI-7.

References: NIST Special Publication 800-83.

The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization- defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization- defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii)
hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations
assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible source
information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders,
directives, policies, or regulations; and
g. Provides [Assignment: or ganization-defined information system monitoring information] to [Assignment: organization-defined personnel or
[Selection (one or more): as needed; [Assignment: organization-defined frequency]].

Supplemental Guidance: Information system monitoring includes external and internal monitoring. External monitoring includes the observatio
events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the
observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing aud
activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitor
objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniqu
(e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring so
network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server far
supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-1
Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity o
monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such
objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP pro
Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system
monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device th
communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating thro
external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC
AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7.

References: NIST Special Publications 800-61, 800-83, 800-92, 800-94, 800-137.

The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on a
ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles];
[Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncomplia

Supplemental Guidance: The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to m
situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the respo
and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and t
potential immediate adverse effects
on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely
manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, an
peer/supporting organizations. Related control: SI-2.

References: NIST Special Publication 800-40.

The organization handles and retains information within the information system and information output from the system in accordance with ap
federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

Supplemental Guidance: Information handling and retention requirements cover the full life cycle of information, in some cases extending bey
the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related contr
AC-16, AU-5, AU-11, MP-2, MP-4.

Control Enhancements: None.

References: None.

The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code exe

Supplemental Guidance: Some adversaries launch attacks with the intent of executing code in non- executable regions of memory or in mem
locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address s
layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing th
greater strength of mechanism. Related controls: AC-25, SC-3.

Control Enhancements: None.

References: None.
FedRAMP SSP Low Moderate Baseline Revision 4
L Low FedRAMP-Defined Assignment / LM Additional FedRAMP Parameter
125 Selection Parameters Requirements and Guidance
(Numbering matches SSP)

x AC-1 (b) (1) [at least every 3 years] x

AC-1 (b) (2) [at least annually]
x AC-2 (j) [at least annually] x

x
x AC-7(a) [not more than three] x
[fifteen minutes]

AC-7(b) [locks the account/node for thirty

minutes]

x AC-8 (a) [see additional Requirements AC-8 Requirement: The service x

and Guidance] provider shall determine elements
AC-8 (c) [see additional Requirements of the cloud environment that
and Guidance] require the System Use
Notification control. The elements
of the cloud environment that
require System Use Notification
are approved and accepted by the
JAB.
AC-08 Requirement: The service
provider shall determine how
System Use Notification is going to
be verified and provide appropriate
periodicity of the check. The
System Use Notification
verification and periodicity are
approved and accepted by the
JAB.
AC-8 Guidance: If performed as
part of a Configuration Baseline
check, then the % of items
requiring setting that are checked
and that pass (or fail) check can be
provided. AC-8 Requirement: If not
performed as part of a
Configuration Baseline check, then
there must be documented
x

x
x

x
x

x AC-22 (d) [at least quarterly] x

x AT-1 (b) (1) [at least every 3 years] x
AT-1 (b) (2) [at least annually]

x AT-2(c) [at least annually] x

x AT-3 (c) [at least annually] x

x AT-4 (b) [At least one year] x

x AU-1 (b) (1) [at least every 3 years] x

AU-1 (b) (2) [at least annually]
x AU-2 (a) [Successful and unsuccessful AU-2 Requirement: Coordination x
account logon events, account between service provider and
management events, object access, consumer shall be documented
policy change, privilege functions, and accepted by the JAB/AO.
process tracking, and system events For
Web applications: all administrator
activity, authentication checks,
authorization checks, data deletions,
data access, data changes, and
permission changes]
AU-2 (d) [organization-defined subset of
the auditable events defined in AU-2 a to
be audited continually for each identified
event]

x
x AU-5 (b) [organization-defined actions to x
be taken (overwrite oldest record)

x AU-6 (a)-1 [at least weekly] AU-6 Requirement: Coordination x

between service provider and
consumer shall be documented
and accepted by the JAB/AO. In
multi-tennant environments,
capability and means for providing
review, analysis, and reporting to
consumer for data pertaining to
consumer shall be documented.

x
x

x AU-11 [at least ninety days] AU-11. Requirement: The service x

provider retains audit records on-
line for at least ninety days and
further preserves audit records off-
line for a period that is in
accordance with NARA
requirements.

x AU-12 (a) [all information system and x

network components where audit
capability is deployed/available]
x CA-1 (b) (1) [at least every 3 years] x
CA-1 (b) (2) [at least annually]
x CA-2 (b) [at least annually] x
CA-2 (d) [individuals or roles to include
FedRAMP PMO]
x CA-2(1) Requirement: Must use an
accredited 3PAO for JAB
authorization

x CA-3 (c) [at least annually and on input x

from FedRAMP]
x CA-5 (b) [at least monthly] CA-5 Guidance: Requirement: x
POA&Ms must be provided at least
monthly.

x CA-6 (c) [at least every three years or CA-6c. Guidance: Significant x
when a significant change occurs] change is defined in NIST Special
Publication 800-37 Revision 1,
Appendix F. The service provider
describes the types of changes to
the information system or the
environment of operations that
would impact the risk posture. The
types of changes are approved
and accepted by the JAB/AO.
x CA-7 (g) [To meet Federal and CA-7 Requirement: Operating x
FedRAMP requirements] System Scans: at least monthly
Database and Web Application
Scans: at least monthly All scans
performed by Independent
Assessor: at least annually
CA-7 Guidance: CSPs must
provide evidence of closure and
remediation of high vulnerabilities
within the timeframe for standard
POA&M updates.
Operating System Scans: at least
monthly
Database and Web Application
Scans: at least monthly
All scans performed by
Independent Assessor: at least
annually

x
x CM-1 (b) (1) [at least every 3 years] x
CM-1 (b) (2) [at least annually]

x
x CM-6 (a) [United States Government CM-6 (a) Requirement 1: The x
Configuration Baseline (USGCB)] service provider shall use the
Center for Internet Security
guidelines (Level 1) to establish
configuration settings or
establishes its own configuration
settings if USGCB is not available.
CM-6 (a) Requirement 2: The
service provider shall ensure that
checklists for configuration settings
are Security Content Automation
Protocol (SCAP) validated or
SCAP compatible (if validated
checklists are not available).
CM-6 (a) Guidance: Information on
the USGCB checklists can be
found at:
http://usgcb.nist.gov/usgcb_faq.ht
ml#usgcbfaq_usgcbfdcc

x CM-7 (b) [United States Government CM-7 (b) Requirement: The x

Configuration Baseline (USGCB)] service provider shall use the
Center for Internet Security
guidelines (Level 1) to establish list
of prohibited or restricted
functions, ports, protocols, and/or
services or establishes its own list
of prohibited or restricted
functions, ports, protocols, and/or
services if USGCB is not available.
CM-7. Guidance: Information on
the USGCB checklists can be
found at:
http://usgcb.nist.gov/usgcb_faq.ht
ml#usgcbfaq_usgcbfdcc.
(Partially derived from AC-17(8).)
x CM-8 (b) [at least monthly] CM-8 Requirement: must be x
provided at least monthly or when
there is a change.

x CM-11 (c) [Continuously (via CM-7 (5))] x

x CP-1 (b)(1) [at least every 3 years] x
CP-1 (b)(2) [at least annually]

x CP-2 (d) [at least annually] CP-2 Requirement: For JAB x

authorizations the contingency lists
include designated FedRAMP
personnel.
x CP-3 (a) [10 days] x
CP-3 (c) [at least annually]

x CP-4 (a)-1 [at least annually for CP-4 (a). Requirement: The x
moderate impact systems; at least every service provider develops test
three years for low impact systems] plans in accordance with NIST
CP-4 (a)-2 [functional exercises for Special Publication 800-34 (as
moderate impact systems; classroom amended); plans are approved by
exercises/table top written tests for low the JAB/AO prior to initiating
impact systems] testing.

x CP-9 (a) [daily incremental; weekly full] CP-9 Requirement: The service x
CP-9 (b) [daily incremental; weekly full] provider shall determine what
CP-9 (c) [daily incremental; weekly full] elements of the cloud environment
require the Information System
Backup control. The service
provider shall determine how
Information System Backup is
going to be verified and
appropriate periodicity of the
check.
CP-9 (a) Requirement: The service
provider maintains at least three
backup copies of user-level
information (at least one of which
is available online) or provides an
equivalent alternative.
CP-9 (b) Requirement: The service
provider maintains at least three
backup copies of system-level
information (at least one of which
x

x IA-1 (b) (1) [at least every 3 years] x

IA-1 (b) (2) [at least annually]
x

x IA-2 (12) Guidance: Include

Common Access Card (CAC), i.e.,
the DoD technical implementation
of PIV/FIPS 201/HSPD-12.
x IA-4 (d) [at least two years] IA-4 (e) Requirement: The service x
IA-4 (e) [ninety days for user identifiers] provider defines time period of
(See additional requirements and inactivity for device identifiers.
guidance) Guidance: For DoD clouds, see
DoD cloud website for specific
DoD requirements that go above
and beyond FedRAMP
http://iase.disa.mil/cloud_security/
Pages/index.aspx.

x IA-5 (g) [to include sixty days for x

passwords]
x IA-5 (1) (a) [case sensitive, minimum of x
twelve characters, and at least one each
of upper-case letters, lower-case letters,
numbers, and special characters]
IA-5 (1) (b) [at least one]
IA-5 (1) (d) [one day minimum, sixty day
maximum]
IA-5 (1) (e) [twenty four]

x
x

x
x IR-1 (b) (1) [at least every 3 years] x
IR-1 (b) (2) [at least annually]

x IR-2 (c) [at least annually] x

x IR-4 Requirement: The service

provider ensures that individuals
conducting incident handling meet
personnel security requirements
commensurate with the
criticality/sensitivity of the
information being processed,
stored, and transmitted by the
information system.
x

x IR-6 (a) [US-CERT incident reporting IR-6 Requirement: Reports x

timelines as specified in NIST Special security incident information
Publication 800-61 (as amended)] according to FedRAMP Incident
Communications Procedure.

x
x IR-8 (b) [see additional FedRAMP IR-8 (b) Additional FedRAMP x
Requirements and Guidance] Requirements and Guidance: The
IR-8 (c) [at least annually] service provider defines a list of
IR-8 (e) [see additional FedRAMP incident response personnel
Requirements and Guidance] (identified by name and/or by role)
and organizational elements. The
incident response list includes
designated FedRAMP personnel.
IR-8 (e) Additional FedRAMP
Requirements and Guidance: The
service provider defines a list of
incident response personnel
(identified by name and/or by role)
and organizational elements. The
incident response list includes
designated FedRAMP personnel.

x MA-1 (b) (1) [at least every 3 years] x

MA-1 (b) (2) [at least annually]
x

x
x

x MP-1 (b) (1) [at least every 3 years] x

MP-1 (b) (2) [at least annually]

x
x

x
x PE-1 (b) (1) [at least every 3 years] x
PE-1 (b) (2) [at least annually]

x PE-2 (c) [at least annually] x

x PE-3 (a) (2) [CSP defined physical x
access control systems/devices AND
guards]
PE-3 (d) [in all circumstances within
restricted access area where the
information system resides]
PE-3 (f) [at least annually]
PE-3 (g) [at least annually]

x PE-6 (b) [at least monthly] x

x PE-8 (a) [for a minimum of one year] x
PE-8 (b) [at least monthly]

x PE-14 (a) [consistent with American PE-14 (a). Requirements: The x

Society of Heating, Refrigerating and Air- service provider measures
conditioning Engineers (ASHRAE) temperature at server inlets and
document entitled Thermal Guidelines humidity levels by dew point.
for Data Processing Environments]

PE-14 (b) [continuously]

x
x PE-16 [all information system x
components]

x PL-1 (b) (1) [at least every 3 years] x

PL-1 (b) (2) [at least annually]
x PL-2 (c) [at least annually] x

x PL-4 (c) [At least every 3 years] x

x PS-1 (b) (1) [at least every 3 years] x
PS-1 (b) (2) [at least annually]

x PS-2 (c) [at least every three years] x

x PS-3 (b) [for national security x

clearances; a reinvestigation is required
during the 5th year for top secret security
clearance, the 10th year for secret
security clearance, and 15th year for
confidential security clearance

For moderate risk law enforcement and

high impact public trust level, a
reinvestigation is required during the 5th
year There is no reinvestigation for other
moderate risk positions or any low risk
positions]
x PS-4 (a) [same day] x

x PS-5 (d)-2 [five days of the time period x

following the formal transfer action (DoD
24 hours)]
x PS-6 (b) [at least annually] x
PS-6 (c) (2) [at least annually]

x PS-7 (d)-2 [organization-defined time x

period – same day]
x

x RA-1 (b) (1) [at least every 3 years] x

RA-1 (b) (2) [at least annually]
x

x RA-3 (b) [security assessment report] RA-3 Guidance: Significant change x

is defined in NIST Special
RA-3 (c) [at least every three (3) years or Publication 800-37 Revision 1,
when a significant change occurs] Appendix F.

RA-3 (d) [to include all Authoring

Officials and FedRAMP ISSOs]
RA-3 (e) [at least every three (3) years or
when a significant change occurs]
x RA-5 (a) [monthly operating RA-5 (a) Requirement: an x
system/infrastructure; monthly web accredited independent assessor
applications and databases] scans operating
RA-5 (d) [high-risk vulnerabilities systems/infrastructure, web
mitigated within thirty days from date of applications, and databases once
discovery; moderate-risk vulnerabilities annually.
mitigated within ninety days from date of RA-5 (e) Requirement: to include
discovery] the Risk Executive; for JAB
authorizations to include
FedRAMP

x SA-1 (b) (1) [at least every 3 years] x

SA-1 (b) (2) [at least annually]
x

x
x SA-4 Guidance: The use of
Common Criteria (ISO/IEC 15408)
evaluated products is strongly
preferred.
See http://www.niap-ccevs.org/vpl
or
http://www.commoncriteriaportal.or
g/products.html.
x

x SA-9 (a) [FedRAMP Security Controls x

Baseline(s) if Federal information is
processed or stored within the external
system]
SA-9 (c) [Federal/FedRAMP Continuous
Monitoring requirements must be met for
external systems where Federal
information is processed or stored]
x SC-1 (b) (1) [at least every 3 years] x
SC-1 (b) (2) [at least annually]

x
x SC-12 Guidance: Federally
approved cryptography

x SC-13 [FIPS-validated or NSA-approved x

cryptography]

x SC-15 (a) [no exceptions] SC-15 Additional FedRAMP x

Requirements and Guidance:
Requirement: The information
system provides disablement
(instead of physical disconnect) of
collaborative computing devices in
a manner that supports ease of
use.
x

x
x

x SI-1 (b) (1) [at least every 3 years] x

SI-1 (b) (2) [at least annually]
x SI-2 (c) [within 30 days of release of x
updates]
x SI-3 (c) (1)-1 [at least weekly] x
SI-3 (c) (1)-2 [to include endpoints]
SI-3 (c) (2) [to include alerting
administrator or defined security
personnel]
x SI-4 Guidance: See US-CERT
Incident Response Reporting
Guidelines.

x SI-5 (a) [to include US-CERT] x

SI-5 (c) [to include system security
personnel and administrators with
configuration/patch-management
responsibilities]
x