DoD SRG vRev 5
DoD Cloud Computing Security Requirements Guide - FedRAMP+ controls by Impact Level
This is a reference tool, not an authoritative source. For official documentation, visit public.cyber.mil.
AC – Access Control (65 controls)
AC-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
AC-2 Account Management [IL4 Mod, IL4 High, IL5, IL6]
AC-2(1) Account Management | Automated System Account Management [IL4 Mod, IL4 High, IL5, IL6]
AC-2(2) Account Management | Automated Temporary and Emergency Account Management [IL4 Mod, IL4 High, IL5, IL6]
AC-2(3) Account Management | Disable Accounts [IL4 Mod, IL4 High, IL5, IL6]
AC-2(4) Account Management | Automated Audit Actions [IL4 Mod, IL4 High, IL5, IL6]
AC-2(5) Account Management | Inactivity Logout [IL4 Mod, IL4 High, IL5, IL6]
AC-2(7) Account Management | Privileged User Accounts [IL4 Mod, IL4 High, IL5, IL6]
AC-2(9) Account Management | Restrictions on Use of Shared and Group Accounts [IL4 Mod, IL4 High, IL5, IL6]
AC-2(11) Account Management | Usage Conditions [IL4 High, IL5, IL6]
AC-2(12) Account Management | Account Monitoring for Atypical Usage [IL4 Mod, IL4 High, IL5, IL6]
AC-2(13) Account Management | Disable Accounts for High-risk Individuals [IL4 Mod, IL4 High, IL5, IL6]
AC-3 Access Enforcement [IL4 Mod, IL4 High, IL5, IL6]
AC-3(2) Access Enforcement | Dual Authorization [IL6]
AC-3(4) Access Enforcement | Discretionary Access Control [IL5, IL6]
AC-4 Information Flow Enforcement [IL4 Mod, IL4 High, IL5, IL6]
AC-4(4) Information Flow Enforcement | Flow Control of Encrypted Information [IL4 High, IL5, IL6]
AC-4(21) Information Flow Enforcement | Physical or Logical Separation of Information Flows [IL4 Mod, IL4 High, IL5, IL6]
AC-5 Separation of Duties [IL4 Mod, IL4 High, IL5, IL6]
AC-6 Least Privilege [IL4 Mod, IL4 High, IL5, IL6]
AC-6(1) Least Privilege | Authorize Access to Security Functions [IL4 Mod, IL4 High, IL5, IL6]
AC-6(2) Least Privilege | Non-privileged Access for Nonsecurity Functions [IL4 Mod, IL4 High, IL5, IL6]
AC-6(3) Least Privilege | Network Access to Privileged Commands [IL4 High, IL5, IL6]
AC-6(5) Least Privilege | Privileged Accounts [IL4 Mod, IL4 High, IL5, IL6]
AC-6(7) Least Privilege | Review of User Privileges [IL4 Mod, IL4 High, IL5, IL6]
AC-6(8) Least Privilege | Privilege Levels for Code Execution [IL4 High, IL5, IL6]
AC-6(9) Least Privilege | Log Use of Privileged Functions [IL4 Mod, IL4 High, IL5, IL6]
AC-6(10) Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions [IL4 Mod, IL4 High, IL5, IL6]
AC-7 Unsuccessful Logon Attempts [IL4 Mod, IL4 High, IL5, IL6]
AC-8 System Use Notification [IL4 Mod, IL4 High, IL5, IL6]
AC-10 Concurrent Session Control [IL4 High, IL5, IL6]
AC-11 Device Lock [IL4 Mod, IL4 High, IL5, IL6]
AC-11(1) Device Lock | Pattern-hiding Displays [IL4 Mod, IL4 High, IL5, IL6]
AC-12 Session Termination [IL4 Mod, IL4 High, IL5, IL6]
AC-12(1) Session Termination | User-initiated Logouts [IL5, IL6]
AC-12(2) Session Termination | Termination Message [IL5, IL6]
AC-14 Permitted Actions Without Identification or Authentication [IL4 Mod, IL4 High, IL5, IL6]
AC-16 Security and Privacy Attributes [IL5, IL6]
AC-16(5) Security and Privacy Attributes | Attribute Displays on Objects to Be Output [IL6]
AC-16(6) Security and Privacy Attributes | Maintenance of Attribute Association [IL5, IL6]
AC-16(7) Security and Privacy Attributes | Consistent Attribute Interpretation [IL5, IL6]
AC-17 Remote Access [IL4 Mod, IL4 High, IL5, IL6]
AC-17(1) Remote Access | Monitoring and Control [IL4 Mod, IL4 High, IL5, IL6]
AC-17(2) Remote Access | Protection of Confidentiality and Integrity Using Encryption [IL4 Mod, IL4 High, IL5, IL6]
AC-17(3) Remote Access | Managed Access Control Points [IL4 Mod, IL4 High, IL5, IL6]
AC-17(4) Remote Access | Privileged Commands and Access [IL4 Mod, IL4 High, IL5, IL6]
AC-17(6) Remote Access | Protection of Mechanism Information [IL5, IL6]
AC-17(9) Remote Access | Disconnect or Disable Access [IL5, IL6]
AC-17(10) Remote Access | Authenticate Remote Commands [IL5, IL6]
AC-18 Wireless Access [IL4 Mod, IL4 High, IL5, IL6]
AC-18(1) Wireless Access | Authentication and Encryption [IL4 Mod, IL4 High, IL5, IL6]
AC-18(3) Wireless Access | Disable Wireless Networking [IL4 Mod, IL4 High, IL5, IL6]
AC-18(4) Wireless Access | Restrict Configurations by Users [IL4 High, IL5, IL6]
AC-18(5) Wireless Access | Antennas and Transmission Power Levels [IL4 High, IL5, IL6]
AC-19 Access Control for Mobile Devices [IL4 Mod, IL4 High, IL5, IL6]
AC-19(4) Access Control for Mobile Devices | Restrictions for Classified Information [IL6]
AC-19(5) Access Control for Mobile Devices | Full Device or Container-based Encryption [IL4 Mod, IL4 High, IL5, IL6]
AC-20 Use of External Systems [IL4 Mod, IL4 High, IL5, IL6]
AC-20(1) Use of External Systems | Limits on Authorized Use [IL4 Mod, IL4 High, IL5, IL6]
AC-20(2) Use of External Systems | Portable Storage Devices -- Restricted Use [IL4 Mod, IL4 High, IL5, IL6]
AC-20(3) Use of External Systems | Non-organizationally Owned Systems -- Restricted Use [IL5, IL6]
AC-20(4) Use of External Systems | Network Accessible Storage Devices -- Prohibited Use [IL6]
AC-21 Information Sharing [IL4 Mod, IL4 High, IL5, IL6]
AC-22 Publicly Accessible Content [IL4 Mod, IL4 High, IL5, IL6]
AC-23 Data Mining Protection [IL5, IL6]
AT – Awareness and Training (12 controls)
AT-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
AT-2 Literacy Training and Awareness [IL4 Mod, IL4 High, IL5, IL6]
AT-2(2) Literacy Training and Awareness | Insider Threat [IL4 Mod, IL4 High, IL5, IL6]
AT-2(3) Literacy Training and Awareness | Social Engineering and Mining [IL4 Mod, IL4 High, IL5, IL6]
AT-2(4) Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior [IL5, IL6]
AT-2(5) Literacy Training and Awareness | Advanced Persistent Threat [IL5, IL6]
AT-2(6) Literacy Training and Awareness | Cyber Threat Environment [IL5, IL6]
AT-3 Role-based Training [IL4 Mod, IL4 High, IL5, IL6]
AT-3(1) Role-based Training | Environmental Controls [IL5, IL6]
AT-3(2) Role-based Training | Physical Security Controls [IL5, IL6]
AT-4 Training Records [IL4 Mod, IL4 High, IL5, IL6]
AT-6 Training Feedback [IL5, IL6]
AU – Audit and Accountability (37 controls)
AU-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
AU-2 Event Logging [IL4 Mod, IL4 High, IL5, IL6]
AU-3 Content of Audit Records [IL4 Mod, IL4 High, IL5, IL6]
AU-3(1) Content of Audit Records | Additional Audit Information [IL4 Mod, IL4 High, IL5, IL6]
AU-4 Audit Log Storage Capacity [IL4 Mod, IL4 High, IL5, IL6]
AU-5 Response to Audit Logging Process Failures [IL4 Mod, IL4 High, IL5, IL6]
AU-5(1) Response to Audit Logging Process Failures | Storage Capacity Warning [IL4 Mod, IL4 High, IL5, IL6]
AU-5(2) Response to Audit Logging Process Failures | Real-time Alerts [IL4 High, IL5, IL6]
AU-6 Audit Record Review, Analysis, and Reporting [IL4 Mod, IL4 High, IL5, IL6]
AU-6(1) Audit Record Review, Analysis, and Reporting | Automated Process Integration [IL4 Mod, IL4 High, IL5, IL6]
AU-6(3) Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories [IL4 Mod, IL4 High, IL5, IL6]
AU-6(4) Audit Record Review, Analysis, and Reporting | Central Review and Analysis [IL4 High, IL5, IL6]
AU-6(5) Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records [IL4 High, IL5, IL6]
AU-6(6) Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring [IL4 High, IL5, IL6]
AU-6(7) Audit Record Review, Analysis, and Reporting | Permitted Actions [IL4 High, IL5, IL6]
AU-6(8) Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands [IL6]
AU-6(9) Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources [IL6]
AU-7 Audit Record Reduction and Report Generation [IL4 Mod, IL4 High, IL5, IL6]
AU-7(1) Audit Record Reduction and Report Generation | Automatic Processing [IL4 Mod, IL4 High, IL5, IL6]
AU-8 Time Stamps [IL4 Mod, IL4 High, IL5, IL6]
AU-9 Protection of Audit Information [IL4 Mod, IL4 High, IL5, IL6]
AU-9(2) Protection of Audit Information | Store on Separate Physical Systems or Components [IL4 High, IL5, IL6]
AU-9(3) Protection of Audit Information | Cryptographic Protection [IL4 High, IL5, IL6]
AU-9(4) Protection of Audit Information | Access by Subset of Privileged Users [IL4 Mod, IL4 High, IL5, IL6]
AU-9(5) Protection of Audit Information | Dual Authorization [IL5, IL6]
AU-9(6) Protection of Audit Information | Read-only Access [IL5, IL6]
AU-10 Non-repudiation [IL4 High, IL5, IL6]
AU-11 Audit Record Retention [IL4 Mod, IL4 High, IL5, IL6]
AU-12 Audit Record Generation [IL4 Mod, IL4 High, IL5, IL6]
AU-12(1) Audit Record Generation | System-wide and Time-correlated Audit Trail [IL4 High, IL5, IL6]
AU-12(3) Audit Record Generation | Changes by Authorized Individuals [IL4 High, IL5, IL6]
AU-14 Session Audit [IL5, IL6]
AU-14(1) Session Audit | System Start-up [IL5, IL6]
AU-14(3) Session Audit | Remote Viewing and Listening [IL5, IL6]
AU-16 Cross-organizational Audit Logging [IL5, IL6]
AU-16(1) Cross-organizational Audit Logging | Identity Preservation [IL5, IL6]
AU-16(2) Cross-organizational Audit Logging | Sharing of Audit Information [IL5, IL6]
CA – Assessment, Authorization, and Monitoring (20 controls)
CA-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
CA-2 Control Assessments [IL4 Mod, IL4 High, IL5, IL6]
CA-2(1) Control Assessments | Independent Assessors [IL4 Mod, IL4 High, IL5, IL6]
CA-2(2) Control Assessments | Specialized Assessments [IL4 High, IL5, IL6]
CA-2(3) Control Assessments | Leveraging Results from External Organizations [IL4 Mod, IL4 High, IL5, IL6]
CA-3 Information Exchange [IL4 Mod, IL4 High, IL5, IL6]
CA-3(6) Information Exchange | Transfer Authorizations [IL4 High, IL5, IL6]
CA-5 Plan of Action and Milestones [IL4 Mod, IL4 High, IL5, IL6]
CA-6 Authorization [IL4 Mod, IL4 High, IL5, IL6]
CA-7 Continuous Monitoring [IL4 Mod, IL4 High, IL5, IL6]
CA-7(1) Continuous Monitoring | Independent Assessment [IL4 Mod, IL4 High, IL5, IL6]
CA-7(3) Continuous Monitoring | Trend Analyses [IL5, IL6]
CA-7(4) Continuous Monitoring | Risk Monitoring [IL4 Mod, IL4 High, IL5, IL6]
CA-7(5) Continuous Monitoring | Consistency Analysis [IL5, IL6]
CA-7(6) Continuous Monitoring | Automation Support for Monitoring [IL5, IL6]
CA-8 Penetration Testing [IL4 Mod, IL4 High, IL5, IL6]
CA-8(1) Penetration Testing | Independent Penetration Testing Agent or Team [IL4 Mod, IL4 High, IL5, IL6]
CA-8(2) Penetration Testing | Red Team Exercises [IL4 Mod, IL4 High, IL5, IL6]
CA-8(3) Penetration Testing | Facility Penetration Testing [IL5, IL6]
CA-9 Internal System Connections [IL4 Mod, IL4 High, IL5, IL6]
CM – Configuration Management (43 controls)
CM-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
CM-2 Baseline Configuration [IL4 Mod, IL4 High, IL5, IL6]
CM-2(2) Baseline Configuration | Automation Support for Accuracy and Currency [IL4 Mod, IL4 High, IL5, IL6]
CM-2(3) Baseline Configuration | Retention of Previous Configurations [IL4 Mod, IL4 High, IL5, IL6]
CM-2(7) Baseline Configuration | Configure Systems and Components for High-risk Areas [IL4 Mod, IL4 High, IL5, IL6]
CM-3 Configuration Change Control [IL4 Mod, IL4 High, IL5, IL6]
CM-3(1) Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes [IL4 High, IL5, IL6]
CM-3(2) Configuration Change Control | Testing, Validation, and Documentation of Changes [IL4 Mod, IL4 High, IL5, IL6]
CM-3(4) Configuration Change Control | Security and Privacy Representatives [IL4 Mod, IL4 High, IL5, IL6]
CM-3(5) Configuration Change Control | Automated Security Response [IL5, IL6]
CM-3(6) Configuration Change Control | Cryptography Management [IL4 High, IL5, IL6]
CM-3(7) Configuration Change Control | Review System Changes [IL5, IL6]
CM-3(8) Configuration Change Control | Prevent or Restrict Configuration Changes [IL5, IL6]
CM-4 Impact Analyses [IL4 Mod, IL4 High, IL5, IL6]
CM-4(1) Impact Analyses | Separate Test Environments [IL4 High, IL5, IL6]
CM-4(2) Impact Analyses | Verification of Controls [IL4 Mod, IL4 High, IL5, IL6]
CM-5 Access Restrictions for Change [IL4 Mod, IL4 High, IL5, IL6]
CM-5(1) Access Restrictions for Change | Automated Access Enforcement and Audit Records [IL4 Mod, IL4 High, IL5, IL6]
CM-5(5) Access Restrictions for Change | Privilege Limitation for Production and Operation [IL4 Mod, IL4 High, IL5, IL6]
CM-5(6) Access Restrictions for Change | Limit Library Privileges [IL5, IL6]
CM-6 Configuration Settings [IL4 Mod, IL4 High, IL5, IL6]
CM-6(1) Configuration Settings | Automated Management, Application, and Verification [IL4 Mod, IL4 High, IL5, IL6]
CM-6(2) Configuration Settings | Respond to Unauthorized Changes [IL4 High, IL5, IL6]
CM-7 Least Functionality [IL4 Mod, IL4 High, IL5, IL6]
CM-7(1) Least Functionality | Periodic Review [IL4 Mod, IL4 High, IL5, IL6]
CM-7(2) Least Functionality | Prevent Program Execution [IL4 Mod, IL4 High, IL5, IL6]
CM-7(3) Least Functionality | Registration Compliance [IL5, IL6]
CM-7(5) Least Functionality | Authorized Software -- Allow-by-exception [IL4 Mod, IL4 High, IL5, IL6]
CM-7(8) Least Functionality | Binary or Machine Executable Code [IL5, IL6]
CM-7(9) Least Functionality | Prohibiting The Use of Unauthorized Hardware [IL5, IL6]
CM-8 System Component Inventory [IL4 Mod, IL4 High, IL5, IL6]
CM-8(1) System Component Inventory | Updates During Installation and Removal [IL4 Mod, IL4 High, IL5, IL6]
CM-8(2) System Component Inventory | Automated Maintenance [IL4 High, IL5, IL6]
CM-8(3) System Component Inventory | Automated Unauthorized Component Detection [IL4 Mod, IL4 High, IL5, IL6]
CM-8(4) System Component Inventory | Accountability Information [IL4 High, IL5, IL6]
CM-9 Configuration Management Plan [IL4 Mod, IL4 High, IL5, IL6]
CM-10 Software Usage Restrictions [IL4 Mod, IL4 High, IL5, IL6]
CM-10(1) Software Usage Restrictions | Open-source Software [IL5, IL6]
CM-11 User-installed Software [IL4 Mod, IL4 High, IL5, IL6]
CM-11(2) User-installed Software | Software Installation with Privileged Status [IL5, IL6]
CM-12 Information Location [IL4 Mod, IL4 High, IL5, IL6]
CM-12(1) Information Location | Automated Tools to Support Information Location [IL4 Mod, IL4 High, IL5, IL6]
CM-14 Signed Components [IL4 High, IL5, IL6]
CP – Contingency Planning (35 controls)
CP-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
CP-2 Contingency Plan [IL4 Mod, IL4 High, IL5, IL6]
CP-2(1) Contingency Plan | Coordinate with Related Plans [IL4 Mod, IL4 High, IL5, IL6]
CP-2(2) Contingency Plan | Capacity Planning [IL4 High, IL5, IL6]
CP-2(3) Contingency Plan | Resume Mission and Business Functions [IL4 Mod, IL4 High, IL5, IL6]
CP-2(5) Contingency Plan | Continue Mission and Business Functions [IL4 High, IL5, IL6]
CP-2(8) Contingency Plan | Identify Critical Assets [IL4 Mod, IL4 High, IL5, IL6]
CP-3 Contingency Training [IL4 Mod, IL4 High, IL5, IL6]
CP-3(1) Contingency Training | Simulated Events [IL4 High, IL5, IL6]
CP-4 Contingency Plan Testing [IL4 Mod, IL4 High, IL5, IL6]
CP-4(1) Contingency Plan Testing | Coordinate with Related Plans [IL4 Mod, IL4 High, IL5, IL6]
CP-4(2) Contingency Plan Testing | Alternate Processing Site [IL4 High, IL5, IL6]
CP-6 Alternate Storage Site [IL4 Mod, IL4 High, IL5, IL6]
CP-6(1) Alternate Storage Site | Separation from Primary Site [IL4 Mod, IL4 High, IL5, IL6]
CP-6(2) Alternate Storage Site | Recovery Time and Recovery Point Objectives [IL4 High, IL5, IL6]
CP-6(3) Alternate Storage Site | Accessibility [IL4 Mod, IL4 High, IL5, IL6]
CP-7 Alternate Processing Site [IL4 Mod, IL4 High, IL5, IL6]
CP-7(1) Alternate Processing Site | Separation from Primary Site [IL4 Mod, IL4 High, IL5, IL6]
CP-7(2) Alternate Processing Site | Accessibility [IL4 Mod, IL4 High, IL5, IL6]
CP-7(3) Alternate Processing Site | Priority of Service [IL4 Mod, IL4 High, IL5, IL6]
CP-7(4) Alternate Processing Site | Preparation for Use [IL4 High, IL5, IL6]
CP-8 Telecommunications Services [IL4 Mod, IL4 High, IL5, IL6]
CP-8(1) Telecommunications Services | Priority of Service Provisions [IL4 Mod, IL4 High, IL5, IL6]
CP-8(2) Telecommunications Services | Single Points of Failure [IL4 Mod, IL4 High, IL5, IL6]
CP-8(3) Telecommunications Services | Separation of Primary and Alternate Providers [IL4 High, IL5, IL6]
CP-8(4) Telecommunications Services | Provider Contingency Plan [IL4 High, IL5, IL6]
CP-9 System Backup [IL4 Mod, IL4 High, IL5, IL6]
CP-9(1) System Backup | Testing for Reliability and Integrity [IL4 Mod, IL4 High, IL5, IL6]
CP-9(2) System Backup | Test Restoration Using Sampling [IL4 High, IL5, IL6]
CP-9(3) System Backup | Separate Storage for Critical Information [IL4 High, IL5, IL6]
CP-9(5) System Backup | Transfer to Alternate Storage Site [IL4 High, IL5, IL6]
CP-9(8) System Backup | Cryptographic Protection [IL4 Mod, IL4 High, IL5, IL6]
CP-10 System Recovery and Reconstitution [IL4 Mod, IL4 High, IL5, IL6]
CP-10(2) System Recovery and Reconstitution | Transaction Recovery [IL4 Mod, IL4 High, IL5, IL6]
CP-10(4) System Recovery and Reconstitution | Restore Within Time Period [IL4 High, IL5, IL6]
GRR – DoD Governance, Risk and Resilience (10 controls)
GRR-1 DoD PKI Authentication [IL4 Mod, IL4 High, IL5, IL6]
GRR-2 DoD IP Addressing [IL4 Mod, IL4 High, IL5, IL6]
GRR-3 Data Locations [IL4 Mod, IL4 High, IL5, IL6]
GRR-4 Management Plane Connectivity [IL4 Mod, IL4 High, IL5, IL6]
GRR-5 CSO Personnel [IL4 Mod, IL4 High, IL5, IL6]
GRR-6 Private Connection Availability Between CSP's/CSO's Network and DoD Network [IL4 Mod, IL4 High, IL5]
GRR-7 Reliance on Internet-Based Capabilities [IL4 Mod, IL4 High, IL5]
GRR-8 Reliance on Internet Access [IL4 Mod, IL4 High, IL5]
GRR-9 CSP/CSO's Protection [IL4 Mod, IL4 High, IL5]
GRR-10 Defense in Depth Architecture [IL4 Mod, IL4 High, IL5, IL6]
IA – Identification and Authentication (37 controls)
IA-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
IA-2 Identification and Authentication (Organizational Users) [IL4 Mod, IL4 High, IL5, IL6]
IA-2(1) Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged Accounts [IL4 Mod, IL4 High, IL5, IL6]
IA-2(2) Identification and Authentication (Organizational Users) | Multi-factor Authentication to Non-privileged Accounts [IL4 Mod, IL4 High, IL5, IL6]
IA-2(5) Identification and Authentication (Organizational Users) | Individual Authentication with Group Authentication [IL4 Mod, IL4 High, IL5, IL6]
IA-2(6) Identification and Authentication (Organizational Users) | Access to Accounts -- Separate Device [IL4 Mod, IL4 High, IL5, IL6]
IA-2(8) Identification and Authentication (Organizational Users) | Access to Accounts -- Replay Resistant [IL4 Mod, IL4 High, IL5, IL6]
IA-2(12) Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials [IL4 Mod, IL4 High, IL5, IL6]
IA-3 Device Identification and Authentication [IL4 Mod, IL4 High, IL5, IL6]
IA-3(1) Device Identification and Authentication | Cryptographic Bidirectional Authentication [IL5, IL6]
IA-4 Identifier Management [IL4 Mod, IL4 High, IL5, IL6]
IA-4(4) Identifier Management | Identify User Status [IL4 Mod, IL4 High, IL5, IL6]
IA-4(9) Identifier Management | Attribute Maintenance and Protection [IL5, IL6]
IA-5 Authenticator Management [IL4 Mod, IL4 High, IL5, IL6]
IA-5(1) Authenticator Management | Password-based Authentication [IL4 Mod, IL4 High, IL5, IL6]
IA-5(2) Authenticator Management | Public Key-based Authentication [IL4 Mod, IL4 High, IL5, IL6]
IA-5(6) Authenticator Management | Protection of Authenticators [IL4 Mod, IL4 High, IL5, IL6]
IA-5(7) Authenticator Management | No Embedded Unencrypted Static Authenticators [IL4 Mod, IL4 High, IL5, IL6]
IA-5(8) Authenticator Management | Multiple System Accounts [IL4 High, IL5, IL6]
IA-5(13) Authenticator Management | Expiration of Cached Authenticators [IL4 High, IL5, IL6]
IA-5(14) Authenticator Management | Managing Content of PKI Trust Stores [IL5, IL6]
IA-5(16) Authenticator Management | In-person or Trusted External Party Authenticator Issuance [IL5, IL6]
IA-6 Authentication Feedback [IL4 Mod, IL4 High, IL5, IL6]
IA-7 Cryptographic Module Authentication [IL4 Mod, IL4 High, IL5, IL6]
IA-8 Identification and Authentication (Non-organizational Users) [IL4 Mod, IL4 High, IL5, IL6]
IA-8(1) Identification and Authentication (Non-organizational Users) | Acceptance of PIV Credentials from Other Agencies [IL4 Mod, IL4 High, IL5, IL6]
IA-8(2) Identification and Authentication (Non-organizational Users) | Acceptance of External Authenticators [IL4 Mod, IL4 High, IL5, IL6]
IA-8(4) Identification and Authentication (Non-organizational Users) | Use of Defined Profiles [IL4 Mod, IL4 High, IL5, IL6]
IA-9 Service Identification and Authentication [IL5, IL6]
IA-10 Adaptive Authentication [IL5, IL6]
IA-11 Re-authentication [IL4 Mod, IL4 High, IL5, IL6]
IA-12 Identity Proofing [IL4 Mod, IL4 High, IL5, IL6]
IA-12(1) Identity Proofing | Supervisor Authorization [IL5, IL6]
IA-12(2) Identity Proofing | Identity Evidence [IL4 Mod, IL4 High, IL5, IL6]
IA-12(3) Identity Proofing | Identity Evidence Validation and Verification [IL4 Mod, IL4 High, IL5, IL6]
IA-12(4) Identity Proofing | In-person Validation and Verification [IL4 High, IL5, IL6]
IA-12(5) Identity Proofing | Address Confirmation [IL4 Mod, IL4 High, IL5, IL6]
IR – Incident Response (33 controls)
IR-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
IR-2 Incident Response Training [IL4 Mod, IL4 High, IL5, IL6]
IR-2(1) Incident Response Training | Simulated Events [IL4 High, IL5, IL6]
IR-2(2) Incident Response Training | Automated Training Environments [IL4 High, IL5, IL6]
IR-3 Incident Response Testing [IL4 Mod, IL4 High, IL5, IL6]
IR-3(2) Incident Response Testing | Coordination with Related Plans [IL4 Mod, IL4 High, IL5, IL6]
IR-4 Incident Handling [IL4 Mod, IL4 High, IL5, IL6]
IR-4(1) Incident Handling | Automated Incident Handling Processes [IL4 Mod, IL4 High, IL5, IL6]
IR-4(2) Incident Handling | Dynamic Reconfiguration [IL4 High, IL5, IL6]
IR-4(3) Incident Handling | Continuity of Operations [IL5, IL6]
IR-4(4) Incident Handling | Information Correlation [IL4 High, IL5, IL6]
IR-4(6) Incident Handling | Insider Threats [IL4 High, IL5, IL6]
IR-4(7) Incident Handling | Insider Threats -- Intra-organization Coordination [IL5, IL6]
IR-4(8) Incident Handling | Correlation with External Organizations [IL5, IL6]
IR-4(10) Incident Handling | Supply Chain Coordination [IL5, IL6]
IR-4(11) Incident Handling | Integrated Incident Response Team [IL4 High, IL5, IL6]
IR-4(12) Incident Handling | Malicious Code and Forensic Analysis [IL5, IL6]
IR-4(13) Incident Handling | Behavior Analysis [IL5, IL6]
IR-4(14) Incident Handling | Security Operations Center [IL5, IL6]
IR-5 Incident Monitoring [IL4 Mod, IL4 High, IL5, IL6]
IR-5(1) Incident Monitoring | Automated Tracking, Data Collection, and Analysis [IL4 High, IL5, IL6]
IR-6 Incident Reporting [IL4 Mod, IL4 High, IL5, IL6]
IR-6(1) Incident Reporting | Automated Reporting [IL4 Mod, IL4 High, IL5, IL6]
IR-6(2) Incident Reporting | Vulnerabilities Related to Incidents [IL5, IL6]
IR-6(3) Incident Reporting | Supply Chain Coordination [IL4 Mod, IL4 High, IL5, IL6]
IR-7 Incident Response Assistance [IL4 Mod, IL4 High, IL5, IL6]
IR-7(1) Incident Response Assistance | Automation Support for Availability of Information and Support [IL4 Mod, IL4 High, IL5, IL6]
IR-7(2) Incident Response Assistance | Coordination with External Providers [IL5, IL6]
IR-8 Incident Response Plan [IL4 Mod, IL4 High, IL5, IL6]
IR-9 Information Spillage Response [IL4 Mod, IL4 High, IL5, IL6]
IR-9(2) Information Spillage Response | Training [IL4 Mod, IL4 High, IL5, IL6]
IR-9(3) Information Spillage Response | Post-spill Operations [IL4 Mod, IL4 High, IL5, IL6]
IR-9(4) Information Spillage Response | Exposure to Unauthorized Personnel [IL4 Mod, IL4 High, IL5, IL6]
MA – Maintenance (23 controls)
MA-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
MA-2 Controlled Maintenance [IL4 Mod, IL4 High, IL5, IL6]
MA-2(2) Controlled Maintenance | Automated Maintenance Activities [IL4 High, IL5, IL6]
MA-3 Maintenance Tools [IL4 Mod, IL4 High, IL5, IL6]
MA-3(1) Maintenance Tools | Inspect Tools [IL4 Mod, IL4 High, IL5, IL6]
MA-3(2) Maintenance Tools | Inspect Media [IL4 Mod, IL4 High, IL5, IL6]
MA-3(3) Maintenance Tools | Prevent Unauthorized Removal [IL4 Mod, IL4 High, IL5, IL6]
MA-3(4) Maintenance Tools | Restricted Tool Use [IL5, IL6]
MA-3(5) Maintenance Tools | Execution with Privilege [IL5, IL6]
MA-3(6) Maintenance Tools | Software Updates and Patches [IL5, IL6]
MA-4 Nonlocal Maintenance [IL4 Mod, IL4 High, IL5, IL6]
MA-4(1) Nonlocal Maintenance | Logging and Review [IL5, IL6]
MA-4(3) Nonlocal Maintenance | Comparable Security and Sanitization [IL4 High, IL5, IL6]
MA-4(4) Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions [IL5, IL6]
MA-4(6) Nonlocal Maintenance | Cryptographic Protection [IL5, IL6]
MA-4(7) Nonlocal Maintenance | Disconnect Verification [IL5, IL6]
MA-5 Maintenance Personnel [IL4 Mod, IL4 High, IL5, IL6]
MA-5(1) Maintenance Personnel | Individuals Without Appropriate Access [IL4 Mod, IL4 High, IL5, IL6]
MA-5(2) Maintenance Personnel | Security Clearances for Classified Systems [IL6]
MA-5(3) Maintenance Personnel | Citizenship Requirements for Classified Systems [IL6]
MA-5(4) Maintenance Personnel | Foreign Nationals [IL6]
MA-5(5) Maintenance Personnel | Non-system Maintenance [IL4 Mod, IL4 High, IL5, IL6]
MA-6 Timely Maintenance [IL4 Mod, IL4 High, IL5, IL6]
MP – Media Protection (15 controls)
MP-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
MP-2 Media Access [IL4 Mod, IL4 High, IL5, IL6]
MP-3 Media Marking [IL4 Mod, IL4 High, IL5, IL6]
MP-4 Media Storage [IL4 Mod, IL4 High, IL5, IL6]
MP-5 Media Transport [IL4 Mod, IL4 High, IL5, IL6]
MP-5(3) Media Transport | Custodians [IL6]
MP-6 Media Sanitization [IL4 Mod, IL4 High, IL5, IL6]
MP-6(1) Media Sanitization | Review, Approve, Track, Document, and Verify [IL4 High, IL5, IL6]
MP-6(2) Media Sanitization | Equipment Testing [IL4 High, IL5, IL6]
MP-6(3) Media Sanitization | Nondestructive Techniques [IL4 High, IL5, IL6]
MP-7 Media Use [IL4 Mod, IL4 High, IL5, IL6]
MP-8 Media Downgrading [IL6]
MP-8(1) Media Downgrading | Documentation of Process [IL6]
MP-8(2) Media Downgrading | Equipment Testing [IL6]
MP-8(4) Media Downgrading | Classified Information [IL6]
PE – Physical and Environmental Protection (33 controls)
PE-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
PE-2 Physical Access Authorizations [IL4 Mod, IL4 High, IL5, IL6]
PE-2(3) Physical Access Authorizations | Restrict Unescorted Access [IL6]
PE-3 Physical Access Control [IL4 Mod, IL4 High, IL5, IL6]
PE-3(1) Physical Access Control | System Access [IL4 High, IL5, IL6]
PE-3(2) Physical Access Control | Facility and Systems [IL6]
PE-3(3) Physical Access Control | Continuous Guards [IL6]
PE-4 Access Control for Transmission [IL4 Mod, IL4 High, IL5, IL6]
PE-5 Access Control for Output Devices [IL4 Mod, IL4 High, IL5, IL6]
PE-6 Monitoring Physical Access [IL4 Mod, IL4 High, IL5, IL6]
PE-6(1) Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment [IL4 Mod, IL4 High, IL5, IL6]
PE-6(4) Monitoring Physical Access | Monitoring Physical Access to Systems [IL4 High, IL5, IL6]
PE-8 Visitor Access Records [IL4 Mod, IL4 High, IL5, IL6]
PE-8(1) Visitor Access Records | Automated Records Maintenance and Review [IL4 High, IL5, IL6]
PE-8(3) Visitor Access Records | Limit Personally Identifiable Information Elements [IL5, IL6]
PE-9 Power Equipment and Cabling [IL4 Mod, IL4 High, IL5, IL6]
PE-10 Emergency Shutoff [IL4 Mod, IL4 High, IL5, IL6]
PE-11 Emergency Power [IL4 Mod, IL4 High, IL5, IL6]
PE-11(1) Emergency Power | Alternate Power Supply -- Minimal Operational Capability [IL4 High, IL5, IL6]
PE-12 Emergency Lighting [IL4 Mod, IL4 High, IL5, IL6]
PE-13 Fire Protection [IL4 Mod, IL4 High, IL5, IL6]
PE-13(1) Fire Protection | Detection Systems -- Automatic Activation and Notification [IL4 Mod, IL4 High, IL5, IL6]
PE-13(2) Fire Protection | Suppression Systems -- Automatic Activation and Notification [IL4 Mod, IL4 High, IL5, IL6]
PE-14 Environmental Controls [IL4 Mod, IL4 High, IL5, IL6]
PE-14(2) Environmental Controls | Monitoring with Alarms and Notifications [IL4 High, IL5, IL6]
PE-15 Water Damage Protection [IL4 Mod, IL4 High, IL5, IL6]
PE-15(1) Water Damage Protection | Automation Support [IL4 High, IL5, IL6]
PE-16 Delivery and Removal [IL4 Mod, IL4 High, IL5, IL6]
PE-17 Alternate Work Site [IL4 Mod, IL4 High, IL5, IL6]
PE-18 Location of System Components [IL4 High, IL5, IL6]
PE-19 Information Leakage [IL6]
PE-19(1) Information Leakage | National Emissions Policies and Procedures [IL6]
PE-22 Component Marking [IL5, IL6]
PL – Planning (11 controls)
PL-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
PL-2 System Security and Privacy Plans [IL4 Mod, IL4 High, IL5, IL6]
PL-4 Rules of Behavior [IL4 Mod, IL4 High, IL5, IL6]
PL-4(1) Rules of Behavior | Social Media and External Site/Application Usage Restrictions [IL4 Mod, IL4 High, IL5, IL6]
PL-7 Concept of Operations [IL5, IL6]
PL-8 Security and Privacy Architectures [IL4 Mod, IL4 High, IL5, IL6]
PL-8(1) Security and Privacy Architectures | Defense in Depth [IL5, IL6]
PL-8(2) Security and Privacy Architectures | Supplier Diversity [IL5, IL6]
PL-9 Central Management [IL5, IL6]
PL-10 Baseline Selection [IL4 Mod, IL4 High, IL5, IL6]
PL-11 Baseline Tailoring [IL4 Mod, IL4 High, IL5, IL6]
PM – Program Management (1 control)
PS – Personnel Security (16 controls)
PS-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
PS-2 Position Risk Designation [IL4 Mod, IL4 High, IL5, IL6]
PS-3 Personnel Screening [IL4 Mod, IL4 High, IL5, IL6]
PS-3(1) Personnel Screening | Classified Information [IL6]
PS-3(3) Personnel Screening | Information Requiring Special Protective Measures [IL4 Mod, IL4 High, IL5, IL6]
PS-3(4) Personnel Screening | Citizenship Requirements [IL4 Mod, IL4 High, IL5, IL6]
PS-4 Personnel Termination [IL4 Mod, IL4 High, IL5, IL6]
PS-4(1) Personnel Termination | Post-employment Requirements [IL5, IL6]
PS-4(2) Personnel Termination | Automated Actions [IL4 High, IL5, IL6]
PS-5 Personnel Transfer [IL4 Mod, IL4 High, IL5, IL6]
PS-6 Access Agreements [IL4 Mod, IL4 High, IL5, IL6]
PS-6(2) Access Agreements | Classified Information Requiring Special Protection [IL6]
PS-6(3) Access Agreements | Post-employment Requirements [IL5, IL6]
PS-7 External Personnel Security [IL4 Mod, IL4 High, IL5, IL6]
PS-8 Personnel Sanctions [IL4 Mod, IL4 High, IL5, IL6]
PS-9 Position Descriptions [IL4 Mod, IL4 High, IL5, IL6]
RA – Risk Assessment (18 controls)
RA-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
RA-2 Security Categorization [IL4 Mod, IL4 High, IL5, IL6]
RA-3 Risk Assessment [IL4 Mod, IL4 High, IL5, IL6]
RA-3(1) Risk Assessment | Supply Chain Risk Assessment [IL4 Mod, IL4 High, IL5, IL6]
RA-3(2) Risk Assessment | Use of All-source Intelligence [IL5, IL6]
RA-3(3) Risk Assessment | Dynamic Threat Awareness [IL5, IL6]
RA-5 Vulnerability Monitoring and Scanning [IL4 Mod, IL4 High, IL5, IL6]
RA-5(2) Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned [IL4 Mod, IL4 High, IL5, IL6]
RA-5(3) Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage [IL4 Mod, IL4 High, IL5, IL6]
RA-5(4) Vulnerability Monitoring and Scanning | Discoverable Information [IL4 High, IL5, IL6]
RA-5(5) Vulnerability Monitoring and Scanning | Privileged Access [IL4 Mod, IL4 High, IL5, IL6]
RA-5(8) Vulnerability Monitoring and Scanning | Review Historic Audit Logs [IL4 High, IL5, IL6]
RA-5(10) Vulnerability Monitoring and Scanning | Correlate Scanning Information [IL5, IL6]
RA-5(11) Vulnerability Monitoring and Scanning | Public Disclosure Program [IL4 Mod, IL4 High, IL5, IL6]
RA-6 Technical Surveillance Countermeasures Survey [IL6]
RA-7 Risk Response [IL4 Mod, IL4 High, IL5, IL6]
RA-9 Criticality Analysis [IL4 Mod, IL4 High, IL5, IL6]
RA-10 Threat Hunting [IL5, IL6]
SA – System and Services Acquisition (70 controls)
SA-1 Policy and Procedures [IL4 Mod, IL4 High, IL5, IL6]
SA-2 Allocation of Resources [IL4 Mod, IL4 High, IL5, IL6]
SA-3 System Development Life Cycle [IL4 Mod, IL4 High, IL5, IL6]
SA-3(1) System Development Life Cycle | Manage Preproduction Environment [IL5, IL6]
SA-3(2) System Development Life Cycle | Use of Live or Operational Data [IL5, IL6]
SA-4 Acquisition Process [IL4 Mod, IL4 High, IL5, IL6]
SA-4(1) Acquisition Process | Functional Properties of Controls [IL4 Mod, IL4 High, IL5, IL6]
SA-4(2) Acquisition Process | Design and Implementation Information for Controls [IL4 Mod, IL4 High, IL5, IL6]
SA-4(3) Acquisition Process | Development Methods, Techniques, and Practices [IL5, IL6]
SA-4(5) Acquisition Process | System, Component, and Service Configurations [IL4 Mod, IL4 High, IL5, IL6]
SA-4(6) Acquisition Process | Use of Information Assurance Products [IL6]
SA-4(7) Acquisition Process | NIAP-approved Protection Profiles [IL5, IL6]
SA-4(9) Acquisition Process | Functions, Ports, Protocols, and Services in Use [IL4 Mod, IL4 High, IL5, IL6]
SA-4(10) Acquisition Process | Use of Approved PIV Products [IL4 Mod, IL4 High, IL5, IL6]
SA-5 System Documentation [IL4 Mod, IL4 High, IL5, IL6]
SA-8 Security and Privacy Engineering Principles [IL4 Mod, IL4 High, IL5, IL6]
SA-8(1) Security and Privacy Engineering Principles | Clear Abstractions [IL5, IL6]
SA-8(2) Security and Privacy Engineering Principles | Least Common Mechanism [IL5, IL6]
SA-8(3) Security and Privacy Engineering Principles | Modularity and Layering [IL5, IL6]
SA-8(4) Security and Privacy Engineering Principles | Partially Ordered Dependencies [IL5, IL6]
SA-8(5) Security and Privacy Engineering Principles | Efficiently Mediated Access [IL5, IL6]
SA-8(6) Security and Privacy Engineering Principles | Minimized Sharing [IL5, IL6]
SA-8(7) Security and Privacy Engineering Principles | Reduced Complexity [IL5, IL6]
SA-8(8) Security and Privacy Engineering Principles | Secure Evolvability [IL5, IL6]
SA-8(9) Security and Privacy Engineering Principles | Trusted Components [IL5, IL6]
SA-8(10) Security and Privacy Engineering Principles | Hierarchical Trust [IL5, IL6]
SA-8(11) Security and Privacy Engineering Principles | Inverse Modification Threshold [IL5, IL6]
SA-8(12) Security and Privacy Engineering Principles | Hierarchical Protection [IL5, IL6]
SA-8(13) Security and Privacy Engineering Principles | Minimized Security Elements [IL5, IL6]
SA-8(14) Security and Privacy Engineering Principles | Least Privilege [IL5, IL6]
SA-8(15) Security and Privacy Engineering Principles | Predicate Permission [IL5, IL6]
SA-8(16) Security and Privacy Engineering Principles | Self-reliant Trustworthiness [IL5, IL6]
SA-8(17) Security and Privacy Engineering Principles | Secure Distributed Composition [IL5, IL6]
SA-8(18) Security and Privacy Engineering Principles | Trusted Communications Channels [IL5, IL6]
SA-8(19) Security and Privacy Engineering Principles | Continuous Protection [IL5, IL6]
SA-8(20) Security and Privacy Engineering Principles | Secure Metadata Management [IL5, IL6]
SA-8(21) Security and Privacy Engineering Principles | Self-analysis [IL5, IL6]
SA-8(22) Security and Privacy Engineering Principles | Accountability and Traceability [IL5, IL6]
SA-8(23) Security and Privacy Engineering Principles | Secure Defaults [IL5, IL6]
SA-8(24) Security and Privacy Engineering Principles | Secure Failure and Recovery [IL5, IL6]
SA-8(25) Security and Privacy Engineering Principles | Economic Security [IL5, IL6]
SA-8(26) Security and Privacy Engineering Principles | Performance Security [IL5, IL6]
SA-8(27) Security and Privacy Engineering Principles | Human Factored Security [IL5, IL6]
SA-8(28) Security and Privacy Engineering Principles | Acceptable Security [IL5, IL6]
SA-8(29) Security and Privacy Engineering Principles | Repeatable and Documented Procedures [IL5, IL6]
SA-8(30) Security and Privacy Engineering Principles | Procedural Rigor [IL5, IL6]
SA-8(31) Security and Privacy Engineering Principles | Secure System Modification [IL5, IL6]
SA-8(32) Security and Privacy Engineering Principles | Sufficient Documentation [IL5, IL6]
SA-9 External System Services [IL4 Mod, IL4 High, IL5, IL6]
SA-9(1) External System Services | Risk Assessments and Organizational Approvals [IL4 Mod, IL4 High, IL5, IL6]
SA-9(2) External System Services | Identification of Functions, Ports, Protocols, and Services [IL4 Mod, IL4 High, IL5, IL6]
SA-9(3) External System Services | Establish and Maintain Trust Relationship with Providers [IL4 Mod, IL4 High, IL5, IL6]
SA-9(5) External System Services | Processing, Storage, and Service Location [IL4 Mod, IL4 High, IL5, IL6]
SA-9(6) External System Services | Organization-controlled Cryptographic Keys [IL4 Mod, IL4 High, IL5, IL6]
SA-9(7) External System Services | Organization-controlled Integrity Checking [IL4 Mod, IL4 High, IL5, IL6]
SA-9(8) External System Services | Processing and Storage Location -- U.S. Jurisdiction [IL4 Mod, IL4 High, IL5, IL6]
SA-10 Developer Configuration Management [IL4 Mod, IL4 High, IL5, IL6]
SA-10(1) Developer Configuration Management | Software and Firmware Integrity Verification [IL5, IL6]
SA-10(3) Developer Configuration Management | Hardware Integrity Verification [IL5, IL6]
SA-10(7) Developer Configuration Management | Security and Privacy Representatives
IL5IL6
SA-11Developer Testing and Evaluation
IL4 ModIL4 HighIL5IL6
SA-11(1)Developer Testing and Evaluation | Static Code Analysis
IL4 ModIL4 HighIL5IL6
SA-11(2)Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses
IL4 ModIL4 HighIL5IL6
SA-15Development Process, Standards, and Tools
IL4 ModIL4 HighIL5IL6
SA-15(3)Development Process, Standards, and Tools | Criticality Analysis
IL4 ModIL4 HighIL5IL6
SA-15(7)Development Process, Standards, and Tools | Automated Vulnerability Analysis
IL5IL6
SA-16Developer-provided Training
IL4 HighIL5IL6
SA-17Developer Security and Privacy Architecture and Design
IL4 HighIL5IL6
SA-21Developer Screening
IL4 HighIL5IL6
SA-22Unsupported System Components
IL4 ModIL4 HighIL5IL6
SC - System and Communications Protection (67 controls)
SC-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
SC-2 Separation of System and User Functionality
IL4 Mod, IL4 High, IL5, IL6
SC-3 Security Function Isolation
IL4 High, IL5, IL6
SC-4 Information in Shared System Resources
IL4 Mod, IL4 High, IL5, IL6
SC-5 Denial-of-service Protection
IL4 Mod, IL4 High, IL5, IL6
SC-7 Boundary Protection
IL4 Mod, IL4 High, IL5, IL6
SC-7(3) Boundary Protection | Access Points
IL4 Mod, IL4 High, IL5, IL6
SC-7(4) Boundary Protection | External Telecommunications Services
IL4 Mod, IL4 High, IL5, IL6
SC-7(5) Boundary Protection | Deny by Default -- Allow by Exception
IL4 Mod, IL4 High, IL5, IL6
SC-7(7) Boundary Protection | Split Tunneling for Remote Devices
IL4 Mod, IL4 High, IL5, IL6
SC-7(8) Boundary Protection | Route Traffic to Authenticated Proxy Servers
IL4 Mod, IL4 High, IL5, IL6
SC-7(9) Boundary Protection | Restrict Threatening Outgoing Communications Traffic
IL5, IL6
SC-7(10) Boundary Protection | Prevent Exfiltration
IL4 High, IL5, IL6
SC-7(11) Boundary Protection | Restrict Incoming Communications Traffic
IL5, IL6
SC-7(12) Boundary Protection | Host-based Protection
IL4 Mod, IL4 High, IL5, IL6
SC-7(13) Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components
IL5, IL6
SC-7(14) Boundary Protection | Protect Against Unauthorized Physical Connections
IL5, IL6
SC-7(15) Boundary Protection | Networked Privileged Accesses
IL5, IL6
SC-7(18) Boundary Protection | Fail Secure
IL4 Mod, IL4 High, IL5, IL6
SC-7(20) Boundary Protection | Dynamic Isolation and Segregation
IL4 High, IL5, IL6
SC-7(21) Boundary Protection | Isolation of System Components
IL4 High, IL5, IL6
SC-7(25) Boundary Protection | Unclassified National Security System Connections
IL5, IL6
SC-7(26) Boundary Protection | Classified National Security System Connections
IL6
SC-7(28) Boundary Protection | Connections to Public Networks
IL5, IL6
SC-7(29) Boundary Protection | Separate Subnets to Isolate Functions
IL5, IL6
SC-8 Transmission Confidentiality and Integrity
IL4 Mod, IL4 High, IL5, IL6
SC-8(1) Transmission Confidentiality and Integrity | Cryptographic Protection
IL4 Mod, IL4 High, IL5, IL6
SC-8(2) Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling
IL5, IL6
SC-8(3) Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals
IL6
SC-8(4) Transmission Confidentiality and Integrity | Conceal or Randomize Communications
IL6
SC-10 Network Disconnect
IL4 Mod, IL4 High, IL5, IL6
SC-12 Cryptographic Key Establishment and Management
IL4 Mod, IL4 High, IL5, IL6
SC-12(1) Cryptographic Key Establishment and Management | Availability
IL4 High, IL5, IL6
SC-12(2) Cryptographic Key Establishment and Management | Symmetric Keys
IL6
SC-12(3) Cryptographic Key Establishment and Management | Asymmetric Keys
IL6
SC-12(6) Cryptographic Key Establishment and Management | Physical Control of Keys
IL4 Mod, IL4 High, IL5, IL6
SC-13 Cryptographic Protection
IL4 Mod, IL4 High, IL5, IL6
SC-15 Collaborative Computing Devices and Applications
IL4 Mod, IL4 High, IL5, IL6
SC-15(3) Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas
IL6
SC-16 Transmission of Security and Privacy Attributes
IL5, IL6
SC-16(1) Transmission of Security and Privacy Attributes | Integrity Verification
IL5, IL6
SC-16(2) Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms
IL5, IL6
SC-16(3) Transmission of Security and Privacy Attributes | Cryptographic Binding
IL5, IL6
SC-17 Public Key Infrastructure Certificates
IL4 Mod, IL4 High, IL5, IL6
SC-18 Mobile Code
IL4 Mod, IL4 High, IL5, IL6
SC-18(1) Mobile Code | Identify Unacceptable Code and Take Corrective Actions
IL5, IL6
SC-18(2) Mobile Code | Acquisition, Development, and Use
IL4 Mod, IL4 High, IL5, IL6
SC-18(3) Mobile Code | Prevent Downloading and Execution
IL5, IL6
SC-18(4) Mobile Code | Prevent Automatic Execution
IL5, IL6
SC-20 Secure Name/Address Resolution Service (Authoritative Source)
IL4 Mod, IL4 High, IL5, IL6
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
IL4 Mod, IL4 High, IL5, IL6
SC-22 Architecture and Provisioning for Name/Address Resolution Service
IL4 Mod, IL4 High, IL5, IL6
SC-23 Session Authenticity
IL4 Mod, IL4 High, IL5, IL6
SC-23(1) Session Authenticity | Invalidate Session Identifiers at Logout
IL5, IL6
SC-23(3) Session Authenticity | Unique System-generated Session Identifiers
IL5, IL6
SC-23(5) Session Authenticity | Allowed Certificate Authorities
IL5, IL6
SC-24 Fail in Known State
IL4 Mod, IL4 High, IL5, IL6
SC-28 Protection of Information at Rest
IL4 Mod, IL4 High, IL5, IL6
SC-28(1) Protection of Information at Rest | Cryptographic Protection
IL4 Mod, IL4 High, IL5, IL6
SC-28(3) Protection of Information at Rest | Cryptographic Keys
IL5, IL6
SC-38 Operations Security
IL5, IL6
SC-39 Process Isolation
IL4 Mod, IL4 High, IL5, IL6
SC-41 Port and I/O Device Access
IL6
SC-42 Sensor Capability and Data
IL6
SC-45 System Time Synchronization
IL4 Mod, IL4 High, IL5, IL6
SC-45(1) System Time Synchronization | Synchronization with Authoritative Time Source
IL4 Mod, IL4 High, IL5, IL6
SC-46 Cross Domain Policy Enforcement
IL4 Mod, IL4 High, IL5, IL6
SI - System and Information Integrity (54 controls)
SI-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
SI-2 Flaw Remediation
IL4 Mod, IL4 High, IL5, IL6
SI-2(2) Flaw Remediation | Automated Flaw Remediation Status
IL4 Mod, IL4 High, IL5, IL6
SI-2(3) Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions
IL4 Mod, IL4 High, IL5, IL6
SI-2(4) Flaw Remediation | Automated Patch Management Tools
IL5, IL6
SI-2(6) Flaw Remediation | Removal of Previous Versions of Software and Firmware
IL5, IL6
SI-3 Malicious Code Protection
IL4 Mod, IL4 High, IL5, IL6
SI-3(10) Malicious Code Protection | Malicious Code Analysis
IL5, IL6
SI-4 System Monitoring
IL4 Mod, IL4 High, IL5, IL6
SI-4(1) System Monitoring | System-wide Intrusion Detection System
IL4 Mod, IL4 High, IL5, IL6
SI-4(2) System Monitoring | Automated Tools and Mechanisms for Real-time Analysis
IL4 Mod, IL4 High, IL5, IL6
SI-4(4) System Monitoring | Inbound and Outbound Communications Traffic
IL4 Mod, IL4 High, IL5, IL6
SI-4(5) System Monitoring | System-generated Alerts
IL4 Mod, IL4 High, IL5, IL6
SI-4(10) System Monitoring | Visibility of Encrypted Communications
IL4 High, IL5, IL6
SI-4(11) System Monitoring | Analyze Communications Traffic Anomalies
IL4 High, IL5, IL6
SI-4(12) System Monitoring | Automated Organization-generated Alerts
IL4 High, IL5, IL6
SI-4(14) System Monitoring | Wireless Intrusion Detection
IL4 High, IL5, IL6
SI-4(15) System Monitoring | Wireless to Wireline Communications
IL5, IL6
SI-4(16) System Monitoring | Correlate Monitoring Information
IL4 Mod, IL4 High, IL5, IL6
SI-4(18) System Monitoring | Analyze Traffic and Covert Exfiltration
IL4 Mod, IL4 High, IL5, IL6
SI-4(19) System Monitoring | Risk for Individuals
IL4 High, IL5, IL6
SI-4(20) System Monitoring | Privileged Users
IL4 High, IL5, IL6
SI-4(21) System Monitoring | Probationary Periods
IL6
SI-4(22) System Monitoring | Unauthorized Network Services
IL4 High, IL5, IL6
SI-4(23) System Monitoring | Host-based Devices
IL4 Mod, IL4 High, IL5, IL6
SI-4(24) System Monitoring | Indicators of Compromise
IL5, IL6
SI-4(25) System Monitoring | Optimize Network Traffic Analysis
IL5, IL6
SI-5 Security Alerts, Advisories, and Directives
IL4 Mod, IL4 High, IL5, IL6
SI-5(1) Security Alerts, Advisories, and Directives | Automated Alerts and Advisories
IL4 High, IL5, IL6
SI-6 Security and Privacy Function Verification
IL4 Mod, IL4 High, IL5, IL6
SI-6(3) Security and Privacy Function Verification | Report Verification Results
IL5, IL6
SI-7 Software, Firmware, and Information Integrity
IL4 Mod, IL4 High, IL5, IL6
SI-7(1) Software, Firmware, and Information Integrity | Integrity Checks
IL4 Mod, IL4 High, IL5, IL6
SI-7(2) Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations
IL4 High, IL5, IL6
SI-7(5) Software, Firmware, and Information Integrity | Automated Response to Integrity Violations
IL4 High, IL5, IL6
SI-7(7) Software, Firmware, and Information Integrity | Integration of Detection and Response
IL4 Mod, IL4 High, IL5, IL6
SI-7(8) Software, Firmware, and Information Integrity | Auditing Capability for Significant Events
IL5, IL6
SI-7(9) Software, Firmware, and Information Integrity | Verify Boot Process
IL5, IL6
SI-7(10) Software, Firmware, and Information Integrity | Protection of Boot Firmware
IL5, IL6
SI-7(15) Software, Firmware, and Information Integrity | Code Authentication
IL4 High, IL5, IL6
SI-7(17) Software, Firmware, and Information Integrity | Runtime Application Self-protection
IL5, IL6
SI-8 Spam Protection
IL4 Mod, IL4 High, IL5, IL6
SI-8(2) Spam Protection | Automatic Updates
IL4 Mod, IL4 High, IL5, IL6
SI-10 Information Input Validation
IL4 Mod, IL4 High, IL5, IL6
SI-10(3) Information Input Validation | Predictable Behavior
IL5, IL6
SI-10(5) Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats
IL5, IL6
SI-10(6) Information Input Validation | Injection Prevention
IL5, IL6
SI-11 Error Handling
IL4 Mod, IL4 High, IL5, IL6
SI-12 Information Management and Retention
IL4 Mod, IL4 High, IL5, IL6
SI-12(3) Information Management and Retention | Information Disposal
IL5, IL6
SI-15 Information Output Filtering
IL5, IL6
SI-16 Memory Protection
IL4 Mod, IL4 High, IL5, IL6
SI-20 Tainting
IL6
SI-21 Information Refresh
IL5, IL6
SR - Supply Chain Risk Management (22 controls)
SR-1 Policy and Procedures
IL4 Mod, IL4 High, IL5, IL6
SR-2 Supply Chain Risk Management Plan
IL4 Mod, IL4 High, IL5, IL6
SR-2(1) Supply Chain Risk Management Plan | Establish SCRM Team
IL4 Mod, IL4 High, IL5, IL6
SR-3 Supply Chain Controls and Processes
IL4 Mod, IL4 High, IL5, IL6
SR-3(1) Supply Chain Controls and Processes | Diverse Supply Base
IL5, IL6
SR-3(2) Supply Chain Controls and Processes | Limitation of Harm
IL5, IL6
SR-3(3) Supply Chain Controls and Processes | Sub-tier Flow Down
IL5, IL6
SR-4 Provenance
IL5, IL6
SR-5 Acquisition Strategies, Tools, and Methods
IL4 Mod, IL4 High, IL5, IL6
SR-5(1) Acquisition Strategies, Tools, and Methods | Adequate Supply
IL5, IL6
SR-5(2) Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update
IL5, IL6
SR-6 Supplier Assessments and Reviews
IL4 Mod, IL4 High, IL5, IL6
SR-6(1) Supplier Assessments and Reviews | Testing and Analysis
IL5, IL6
SR-7 Supply Chain Operations Security
IL5, IL6
SR-8 Notification Agreements
IL4 Mod, IL4 High, IL5, IL6
SR-9 Tamper Resistance and Detection
IL4 High, IL5, IL6
SR-9(1) Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle
IL4 High, IL5, IL6
SR-10 Inspection of Systems or Components
IL4 Mod, IL4 High, IL5, IL6
SR-11 Component Authenticity
IL4 Mod, IL4 High, IL5, IL6
SR-11(1) Component Authenticity | Anti-counterfeit Training
IL4 Mod, IL4 High, IL5, IL6
SR-11(2) Component Authenticity | Configuration Control for Component Service and Repair
IL4 Mod, IL4 High, IL5, IL6
SR-12 Component Disposal
IL4 Mod, IL4 High, IL5, IL6