NIST SP 800-171A Rev 3
Assessing CUI Security Rev 3
Framework data extracted from the Secure Controls Framework (SCF) v2025.4 Set Theory Relationship Mapping (STRM) files, licensed under CC BY-ND 4.0. Attribution required per license terms.
All families: 638 requirements
03.01 — Access Control (113 requirements)
03.01.01 Account Management Assessment
A.03.01.01.ODP[01] Account Management ODP[01]
A.03.01.01.ODP[02] Account Management ODP[02]
A.03.01.01.ODP[03] Account Management ODP[03]
A.03.01.01.ODP[04] Account Management ODP[04]
A.03.01.01.ODP[05] Account Management ODP[05]
A.03.01.01.ODP[06] Account Management ODP[06]
A.03.01.01.a[01] Account Management a[01]
A.03.01.01.a[02] Account Management a[02]
A.03.01.01.b[01] Account Management b[01]
A.03.01.01.b[02] Account Management b[02]
A.03.01.01.b[03] Account Management b[03]
A.03.01.01.b[04] Account Management b[04]
A.03.01.01.b[05] Account Management b[05]
A.03.01.01.c.01 Account Management c.01
A.03.01.01.c.02 Account Management c.02
A.03.01.01.c.03 Account Management c.03
A.03.01.01.d.01 Account Management d.01
A.03.01.01.d.02 Account Management d.02
A.03.01.01.e Account Management e
A.03.01.01.f.01 Account Management f.01
A.03.01.01.f.02 Account Management f.02
A.03.01.01.f.03 Account Management f.03
A.03.01.01.f.04 Account Management f.04
A.03.01.01.f.05 Account Management f.05
A.03.01.01.g.01 Account Management g.01
A.03.01.01.g.02 Account Management g.02
A.03.01.01.g.03 Account Management g.03
A.03.01.01.h Account Management h
03.01.02 Access Enforcement Assessment
A.03.01.02[01] approved authorizations for logical access to CUI are enforced in accordance ...
A.03.01.02[02] approved authorizations for logical access to system resources are enforced i...
03.01.03 Information Flow Enforcement Assessment
A.03.01.03[01] approved authorizations are enforced for controlling the flow of CUI within t...
A.03.01.03[02] approved authorizations are enforced for controlling the flow of CUI between ...
03.01.04 Separation of Duties Assessment
A.03.01.04.a Separation of Duties a
03.01.05 Least Privilege Assessment
A.03.01.05.ODP[01] Least Privilege ODP[01]
A.03.01.05.ODP[02] Least Privilege ODP[02]
A.03.01.05.ODP[03] Least Privilege ODP[03]
A.03.01.05.a Least Privilege a
A.03.01.05.b[01] Least Privilege b[01]
A.03.01.05.b[02] Least Privilege b[02]
A.03.01.05.c Least Privilege c
A.03.01.05.d Least Privilege d
03.01.06 Least Privilege - Privileged Accounts Assessment
A.03.01.06.ODP[01] Least Privilege - Privileged Accounts ODP[01]
A.03.01.06.a Least Privilege - Privileged Accounts a
A.03.01.06.b Least Privilege - Privileged Accounts b
03.01.07 Least Privilege - Privileged Functions Assessment
A.03.01.07.a Least Privilege - Privileged Functions a
A.03.01.07.b Least Privilege - Privileged Functions b
03.01.08 Unsuccessful Logon Attempts Assessment
A.03.01.08.ODP[01] Unsuccessful Logon Attempts ODP[01]
A.03.01.08.ODP[02] Unsuccessful Logon Attempts ODP[02]
A.03.01.08.ODP[03] Unsuccessful Logon Attempts ODP[03]
A.03.01.08.ODP[04] Unsuccessful Logon Attempts ODP[04]
A.03.01.08.a Unsuccessful Logon Attempts a
A.03.01.08.b Unsuccessful Logon Attempts b
03.01.09 Privacy and Security Notices Assessment
A.03.01.09 Privacy and Security Notices
03.01.10 Session Lock Assessment
A.03.01.10.ODP[01] Session Lock ODP[01]
A.03.01.10.ODP[02] Session Lock ODP[02]
A.03.01.10.a Session Lock a
A.03.01.10.b Session Lock b
A.03.01.10.c Session Lock c
03.01.11 Session Termination Assessment
A.03.01.11.ODP[01] Session Termination ODP[01]
A.03.01.11 Session Termination
03.01.12 Remote Access Assessment
A.03.01.12.a[01] Remote Access a[01]
A.03.01.12.a[02] Remote Access a[02]
A.03.01.12.a[03] Remote Access a[03]
A.03.01.12.a[04] Remote Access a[04]
A.03.01.12.b Remote Access b
A.03.01.12.c[01] Remote Access c[01]
A.03.01.12.c[02] Remote Access c[02]
A.03.01.12.d[1] Remote Access d[1]
A.03.01.12.d[2] Remote Access d[2]
03.01.13 Remote Access - Managed Access Control Points Assessment
03.01.14 Remote Access - Cryptographic Protection Assessment
03.01.15 Remote Access - Managed Access Control Points Assessment
03.01.16 Wireless Access Assessment
A.03.01.16.a[01] Wireless Access a[01]
A.03.01.16.a[02] Wireless Access a[02]
A.03.01.16.a[03] Wireless Access a[03]
A.03.01.16.a[04] Wireless Access a[04]
A.03.01.16.b Wireless Access b
A.03.01.16.c Wireless Access c
A.03.01.16.d[01] Wireless Access d[01]
A.03.01.16.d[02] Wireless Access d[02]
03.01.17 Wireless Access - Authentication and Encryption Assessment
03.01.18 Mobile Device Connection Assessment
A.03.01.18.a[01] Mobile Device Connection a[01]
A.03.01.18.a[02] Mobile Device Connection a[02]
A.03.01.18.a[03] Mobile Device Connection a[03]
A.03.01.18.b Mobile Device Connection b
A.03.01.18.c Mobile Device Connection c
03.01.19 Access Control for CUI on Public Systems Assessment
03.01.20 Use of External Systems Assessment
A.03.01.20.ODP[01] Use of External Systems ODP[01]
A.03.01.20.a Use of External Systems a
A.03.01.20.b Use of External Systems b
A.03.01.20.c.01 Use of External Systems c.01
A.03.01.20.c.02 Use of External Systems c.02
A.03.01.20.d Use of External Systems d
03.01.21 Portable Storage Devices Assessment
03.01.22 Publicly Accessible Content Assessment
A.03.01.22.a Publicly Accessible Content a
A.03.01.22.b[01] Publicly Accessible Content b[01]
A.03.01.22.b[02] Publicly Accessible Content b[02]
03.02 — Awareness and Training (28 requirements)
03.02.01 Literacy Training and Awareness Assessment
A.03.02.01.ODP[01] Literacy Training and Awareness ODP[01]
A.03.02.01.ODP[02] Literacy Training and Awareness ODP[02]
A.03.02.01.ODP[03] Literacy Training and Awareness ODP[03]
A.03.02.01.ODP[04] Literacy Training and Awareness ODP[04]
A.03.02.01.a.01[01] Literacy Training and Awareness a.01[01]
A.03.02.01.a.01[02] Literacy Training and Awareness a.01[02]
A.03.02.01.a.02 Literacy Training and Awareness a.02
A.03.02.01.a.03[01] Literacy Training and Awareness a.03[01]
A.03.02.01.a.03[02] Literacy Training and Awareness a.03[02]
A.03.02.01.a.03[03] Literacy Training and Awareness a.03[03]
A.03.02.01.a.03[04] Literacy Training and Awareness a.03[04]
A.03.02.01.a.03[05] Literacy Training and Awareness a.03[05]
A.03.02.01.a.03[06] Literacy Training and Awareness a.03[06]
A.03.02.01.b[01] Literacy Training and Awareness b[01]
A.03.02.01.b[02] Literacy Training and Awareness b[02]
03.02.02 Role-Based Training Assessment
A.03.02.02.ODP[01] Role-Based Training ODP[01]
A.03.02.02.ODP[02] Role-Based Training ODP[02]
A.03.02.02.ODP[03] Role-Based Training ODP[03]
A.03.02.02.ODP[04] Role-Based Training ODP[04]
A.03.02.02.a.01[01] Role-Based Training a.01[01]
A.03.02.02.a.01[02] Role-Based Training a.01[02]
A.03.02.02.a.01[03] Role-Based Training a.01[03]
A.03.02.02.a.02 Role-Based Training a.02
A.03.02.02.b[01] Role-Based Training b[01]
A.03.02.02.b[02] Role-Based Training b[02]
03.02.03 Literacy Training and Awareness (Incorporated) Assessment
03.03 — Audit and Accountability (45 requirements)
03.03.01 Event Logging Assessment
A.03.03.01.ODP[01] Event Logging ODP[01]
A.03.03.01.ODP[02] Event Logging ODP[02]
A.03.03.01.a Event Logging a
A.03.03.01.b[01] Event Logging b[01]
A.03.03.01.b[02] Event Logging b[02]
03.03.02 Audit Record Content Assessment
A.03.03.02.a.01 Audit Record Content a.01
A.03.03.02.a.02 Audit Record Content a.02
A.03.03.02.a.03 Audit Record Content a.03
A.03.03.02.a.04 Audit Record Content a.04
A.03.03.02.a.05 Audit Record Content a.05
A.03.03.02.a.06 Audit Record Content a.06
A.03.03.02.b Audit Record Content b
03.03.03 Audit Record Generation Assessment
A.03.03.03.a Audit Record Generation a
A.03.03.03.b Audit Record Generation b
03.03.04 Audit Logging Process Failure Response Assessment
A.03.03.04.ODP[01] Audit Logging Process Failure Response ODP[01]
A.03.03.04.ODP[02] Audit Logging Process Failure Response ODP[02]
A.03.03.04.a Audit Logging Process Failure Response a
A.03.03.04.b Audit Logging Process Failure Response b
03.03.05 Audit Record Review, Analysis, and Reporting Assessment
A.03.03.05.ODP[01] Audit Record Review, Analysis, and Reporting ODP[01]
A.03.03.05.a Audit Record Review, Analysis, and Reporting a
A.03.03.05.b Audit Record Review, Analysis, and Reporting b
A.03.03.05.c[01] Audit Record Review, Analysis, and Reporting c[01]
A.03.03.05.c[02] Audit Record Review, Analysis, and Reporting c[02]
03.03.06 Audit Record Reduction and Report Generation Assessment
A.03.03.06.a[01] Audit Record Reduction and Report Generation a[01]
A.03.03.06.a[02] Audit Record Reduction and Report Generation a[02]
A.03.03.06.a[03] Audit Record Reduction and Report Generation a[03]
A.03.03.06.a[04] Audit Record Reduction and Report Generation a[04]
A.03.03.06.b[01] Audit Record Reduction and Report Generation b[01]
A.03.03.06.b[02] Audit Record Reduction and Report Generation b[02]
03.03.07 Time Stamps Assessment
A.03.03.07.ODP[01] Time Stamps ODP[01]
A.03.03.07.a Time Stamps a
A.03.03.07.b[01] Time Stamps b[01]
A.03.03.07.b[02] Time Stamps b[02]
03.03.08 Audit Record Protection Assessment
A.03.03.08.a[01] Audit Record Protection a[01]
A.03.03.08.a[02] Audit Record Protection a[02]
A.03.03.08.b Audit Record Protection b
03.03.09 Audit Record Protection (Incorporated) Assessment
03.04 — Configuration Management (72 requirements)
03.04.01 Baseline Configuration Assessment
A.03.04.01.ODP[01] Baseline Configuration ODP[01]
A.03.04.01.a[01] Baseline Configuration a[01]
A.03.04.01.a[02] Baseline Configuration a[02]
A.03.04.01.b[01] Baseline Configuration b[01]
A.03.04.01.b[02] Baseline Configuration b[02]
A.03.04.01.b[03] Baseline Configuration b[03]
A.03.04.01.b[04] Baseline Configuration b[04]
03.04.02 Configuration Settings Assessment
A.03.04.02.ODP[01] Configuration Settings ODP[01]
A.03.04.02.a[01] Configuration Settings a[01]
A.03.04.02.a[02] Configuration Settings a[02]
A.03.04.02.b[01] Configuration Settings b[01]
A.03.04.02.b[02] Configuration Settings b[02]
03.04.03 Configuration Change Control Assessment
A.03.04.03.a Configuration Change Control a
A.03.04.03.b[01] Configuration Change Control b[01]
A.03.04.03.b[02] Configuration Change Control b[02]
A.03.04.03.c[01] Configuration Change Control c[01]
A.03.04.03.c[02] Configuration Change Control c[02]
A.03.04.03.d[01] Configuration Change Control d[01]
A.03.04.03.d[02] Configuration Change Control d[02]
03.04.04 Impact Analyses Assessment
A.03.04.04.a Impact Analyses a
A.03.04.04.b Impact Analyses b
03.04.05 Access Restrictions for Change Assessment
A.03.04.05[01] physical access restrictions associated with changes to the system are define...
A.03.04.05[02] physical access restrictions associated with changes to the system are approved
A.03.04.05[03] physical access restrictions associated with changes to the system are enforced
A.03.04.05[04] logical access restrictions associated with changes to the system are defined...
A.03.04.05[05] logical access restrictions associated with changes to the system are approved
A.03.04.05[06] logical access restrictions associated with changes to the system are enforced
03.04.06 Least Functionality Assessment
A.03.04.06.ODP[01] Least Functionality ODP[01]
A.03.04.06.ODP[02] Least Functionality ODP[02]
A.03.04.06.ODP[03] Least Functionality ODP[03]
A.03.04.06.ODP[04] Least Functionality ODP[04]
A.03.04.06.ODP[05] Least Functionality ODP[05]
A.03.04.06.ODP[06] Least Functionality ODP[06]
A.03.04.06.b[01] Least Functionality b[01]
A.03.04.06.b[02] Least Functionality b[02]
A.03.04.06.b[03] Least Functionality b[03]
A.03.04.06.b[04] Least Functionality b[04]
A.03.04.06.b[05] Least Functionality b[05]
A.03.04.06.c Least Functionality c
A.03.04.06.d Least Functionality d
03.04.07 Nonessential Functionality Assessment
03.04.08 Application Execution Policy Assessment
A.03.04.08.ODP[01] Application Execution Policy ODP[01]
A.03.04.08.a Application Execution Policy a
A.03.04.08.b Application Execution Policy b
A.03.04.08.c Application Execution Policy c
03.04.09 User-Installed Software Assessment
03.04.10 System Component Inventory Assessment
A.03.04.10.ODP[01] System Component Inventory ODP[01]
A.03.04.10.a System Component Inventory a
A.03.04.10.b[01] System Component Inventory b[01]
A.03.04.10.b[02] System Component Inventory b[02]
A.03.04.10.c[01] System Component Inventory c[01]
A.03.04.10.c[02] System Component Inventory c[02]
A.03.04.10.c[03] System Component Inventory c[03]
03.04.11 Information Location Assessment
A.03.04.11.a[01] Information Location a[01]
A.03.04.11.a[02] Information Location a[02]
A.03.04.11.a[03] Information Location a[03]
A.03.04.11.b[01] Information Location b[01]
A.03.04.11.b[02] Information Location b[02]
03.04.12 System and Component Configuration for High-Risk Areas Assessment
A.03.04.12.ODP[01] System and Component Configuration for High-Risk Areas ODP[01]
A.03.04.12.ODP[02] System and Component Configuration for High-Risk Areas ODP[02]
A.03.04.12.a System and Component Configuration for High-Risk Areas a
A.03.04.12.b System and Component Configuration for High-Risk Areas b
03.05 — Identification and Authentication (56 requirements)
03.05.01 Identification and Authentication (Users) Assessment
A.03.05.01.ODP[01] Identification and Authentication (Users) ODP[01]
A.03.05.01.a[01] Identification and Authentication (Users) a[01]
A.03.05.01.a[02] Identification and Authentication (Users) a[02]
A.03.05.01.a[03] Identification and Authentication (Users) a[03]
A.03.05.01.b Identification and Authentication (Users) b
03.05.02 Device Identification and Authentication Assessment
A.03.05.02.ODP[01] Device Identification and Authentication ODP[01]
A.03.05.02[01] Device Identification and Authentication [01]
A.03.05.02[02] Device Identification and Authentication [02]
03.05.03 Multi-Factor Authentication Assessment
A.03.05.03[01] multi-factor authentication for access to privileged accounts is implemented
A.03.05.03[02] multi-factor authentication for access to non-privileged accounts is implemented
03.05.04 Replay-Resistant Authentication Assessment
A.03.05.04[01] replay-resistant authentication mechanisms for access to privileged accounts ...
A.03.05.04[02] replay-resistant authentication mechanisms for access to non-privileged accou...
03.05.05 Identifier Management Assessment
A.03.05.05.ODP[01] Identifier Management ODP[01]
A.03.05.05.ODP[02] Identifier Management ODP[02]
A.03.05.05.a Identifier Management a
A.03.05.05.b[01] Identifier Management b[01]
A.03.05.05.b[02] Identifier Management b[02]
A.03.05.05.c Identifier Management c
A.03.05.05.d Identifier Management d
03.05.06 Password-Based Authentication Assessment
03.05.07 Authenticator Management Assessment
A.03.05.07.ODP[01] Authenticator Management ODP[01]
A.03.05.07.ODP[02] Authenticator Management ODP[02]
A.03.05.07.a[01] Authenticator Management a[01]
A.03.05.07.a[02] Authenticator Management a[02]
A.03.05.07.a[03] Authenticator Management a[03]
A.03.05.07.b Authenticator Management b
A.03.05.07.c Authenticator Management c
A.03.05.07.d Authenticator Management d
A.03.05.07.e Authenticator Management e
A.03.05.07.f Authenticator Management f
03.05.08 Authenticator Feedback Assessment
03.05.09 Cryptographic Module Authentication Assessment
03.05.10 Adaptive Authentication Assessment
03.05.11 Credential Management Assessment
A.03.05.11 Credential Management
03.05.12 PKI-Based Authentication Assessment
A.03.05.12.ODP[01] PKI-Based Authentication ODP[01]
A.03.05.12.ODP[02] PKI-Based Authentication ODP[02]
A.03.05.12.a PKI-Based Authentication a
A.03.05.12.b PKI-Based Authentication b
A.03.05.12.c[01] PKI-Based Authentication c[01]
A.03.05.12.c[02] PKI-Based Authentication c[02]
A.03.05.12.c[03] PKI-Based Authentication c[03]
A.03.05.12.c[04] PKI-Based Authentication c[04]
A.03.05.12.c[05] PKI-Based Authentication c[05]
A.03.05.12.c[06] PKI-Based Authentication c[06]
A.03.05.12.d PKI-Based Authentication d
A.03.05.12.e PKI-Based Authentication e
A.03.05.12.f[01] PKI-Based Authentication f[01]
A.03.05.12.f[02] PKI-Based Authentication f[02]
03.06 — Incident Response (41 requirements)
03.06.01 Incident Handling Assessment
A.03.06.01[01] an incident-handling capability that is consistent with the incident response...
A.03.06.01[02] the incident handling capability includes preparation
A.03.06.01[03] the incident handling capability includes detection and analysis
A.03.06.01[04] the incident handling capability includes containment
A.03.06.01[05] the incident handling capability includes eradication
A.03.06.01[06] the incident handling capability includes recovery
03.06.02 Incident Monitoring, Reporting, and Response Assistance Assessment
A.03.06.02.ODP[01] Incident Monitoring, Reporting, and Response Assistance ODP[01]
A.03.06.02.ODP[02] Incident Monitoring, Reporting, and Response Assistance ODP[02]
A.03.06.02.a[01] Incident Monitoring, Reporting, and Response Assistance a[01]
A.03.06.02.a[02] Incident Monitoring, Reporting, and Response Assistance a[02]
A.03.06.02.b Incident Monitoring, Reporting, and Response Assistance b
A.03.06.02.c Incident Monitoring, Reporting, and Response Assistance c
A.03.06.02.d Incident Monitoring, Reporting, and Response Assistance d
03.06.03 Incident Response Testing Assessment
A.03.06.03.ODP[01] Incident Response Testing ODP[01]
A.03.06.03 Incident Response Testing
03.06.04 Incident Reporting Assessment
A.03.06.04.ODP[01] Incident Reporting ODP[01]
A.03.06.04.ODP[02] Incident Reporting ODP[02]
A.03.06.04.ODP[03] Incident Reporting ODP[03]
A.03.06.04.ODP[04] Incident Reporting ODP[04]
A.03.06.04.a.01 Incident Reporting a.01
A.03.06.04.a.02 Incident Reporting a.02
A.03.06.04.a.03 Incident Reporting a.03
A.03.06.04.b[01] Incident Reporting b[01]
A.03.06.04.b[02] Incident Reporting b[02]
A.03.06.04.b[03] Incident Reporting b[03]
A.03.06.04.b[04] Incident Reporting b[04]
03.06.05 Information Sharing Assessment
A.03.06.05.a.01 Information Sharing a.01
A.03.06.05.a.02 Information Sharing a.02
A.03.06.05.a.03 Information Sharing a.03
A.03.06.05.a.04 Information Sharing a.04
A.03.06.05.a.05 Information Sharing a.05
A.03.06.05.a.06 Information Sharing a.06
A.03.06.05.b[01] Information Sharing b[01]
A.03.06.05.b[02] Information Sharing b[02]
A.03.06.05.c Information Sharing c
A.03.06.05.d Information Sharing d
03.07 — Maintenance (22 requirements)
03.07.01 System Maintenance Assessment
03.07.02 Controlled Maintenance Assessment
03.07.03 Maintenance Tools Assessment
03.07.04 Nonlocal Maintenance Assessment
A.03.07.04.a[01] Nonlocal Maintenance a[01]
A.03.07.04.a[02] Nonlocal Maintenance a[02]
A.03.07.04.a[03] Nonlocal Maintenance a[03]
A.03.07.04.b Nonlocal Maintenance b
A.03.07.04.c Nonlocal Maintenance c
03.07.05 Maintenance Personnel Assessment
A.03.07.05.a[01] Maintenance Personnel a[01]
A.03.07.05.a[02] Maintenance Personnel a[02]
A.03.07.05.b[01] Maintenance Personnel b[01]
A.03.07.05.b[02] Maintenance Personnel b[02]
A.03.07.05.c[01] Maintenance Personnel c[01]
A.03.07.05.c[02] Maintenance Personnel c[02]
03.07.06 Timely Maintenance Assessment
A.03.07.06.a Timely Maintenance a
A.03.07.06.b Timely Maintenance b
A.03.07.06.c Timely Maintenance c
A.03.07.06.d[01] Timely Maintenance d[01]
A.03.07.06.d[02] Timely Maintenance d[02]
03.08 — Media Protection (25 requirements)
03.08.01 Media Storage Assessment
A.03.08.01[01] system media that contain CUI are physically controlled
A.03.08.01[02] system media that contain CUI are securely stored
03.08.02 Media Access Assessment
A.03.08.02 Media Access
03.08.03 Media Sanitization Assessment
A.03.08.03 Media Sanitization
03.08.04 Media Marking Assessment
A.03.08.04[01] system media that contain CUI are marked to indicate distribution limitations
A.03.08.04[02] system media that contain CUI are marked to indicate handling caveats
A.03.08.04[03] system media that contain CUI are marked to indicate applicable CUI markings
03.08.05 Media Transport Assessment
A.03.08.05.a[01] Media Transport a[01]
A.03.08.05.a[02] Media Transport a[02]
A.03.08.05.b Media Transport b
A.03.08.05.c Media Transport c
03.08.06 Media Use Assessment
03.08.07 Media Downgrading Assessment
A.03.08.07.ODP[01] Media Downgrading ODP[01]
A.03.08.07.a Media Downgrading a
A.03.08.07.b Media Downgrading b
03.08.08 CUI Backup Storage Assessment
03.08.09 CUI on Mobile Devices Assessment
A.03.08.09.a CUI on Mobile Devices a
A.03.08.09.b CUI on Mobile Devices b
03.09 — Personnel Security (13 requirements)
03.09.01 Personnel Screening Assessment
A.03.09.01.ODP[01] Personnel Screening ODP[01]
A.03.09.01.a Personnel Screening a
A.03.09.01.b Personnel Screening b
03.09.02 Personnel Actions Assessment
A.03.09.02.ODP[01] Personnel Actions ODP[01]
A.03.09.02.a.01 Personnel Actions a.01
A.03.09.02.a.02[01] Personnel Actions a.02[01]
A.03.09.02.a.02[02] Personnel Actions a.02[02]
A.03.09.02.a.03 Personnel Actions a.03
A.03.09.02.b.01[01] Personnel Actions b.01[01]
A.03.09.02.b.01[02] Personnel Actions b.01[02]
A.03.09.02.b.02 Personnel Actions b.02
03.10 — Physical Protection (32 requirements)
03.10.01 Physical Access Authorizations Assessment
A.03.10.01.ODP[01] Physical Access Authorizations ODP[01]
A.03.10.01.a[01] Physical Access Authorizations a[01]
A.03.10.01.a[02] Physical Access Authorizations a[02]
A.03.10.01.a[03] Physical Access Authorizations a[03]
A.03.10.01.b Physical Access Authorizations b
A.03.10.01.c Physical Access Authorizations c
A.03.10.01.d Physical Access Authorizations d
03.10.02 Physical Access Control Assessment
A.03.10.02.ODP[01] Physical Access Control ODP[01]
A.03.10.02.ODP[02] Physical Access Control ODP[02]
A.03.10.02.a[01] Physical Access Control a[01]
A.03.10.02.a[02] Physical Access Control a[02]
A.03.10.02.b[01] Physical Access Control b[01]
A.03.10.02.b[02] Physical Access Control b[02]
03.10.03 Visitor Access Records Assessment
03.10.04 Physical Access Logging Assessment
03.10.05 Manage Physical Access Assessment
03.10.06 Alternative Work Sites Assessment
A.03.10.06.ODP[01] Alternative Work Sites ODP[01]
A.03.10.06.a Alternative Work Sites a
A.03.10.06.b Alternative Work Sites b
03.10.07 Monitoring Physical Access Assessment
A.03.10.07.a.01 Monitoring Physical Access a.01
A.03.10.07.a.02 Monitoring Physical Access a.02
A.03.10.07.b Monitoring Physical Access b
A.03.10.07.c[01] Monitoring Physical Access c[01]
A.03.10.07.c[02] Monitoring Physical Access c[02]
A.03.10.07.d Monitoring Physical Access d
A.03.10.07.e Monitoring Physical Access e
03.10.08 Physical Access to Transmission Lines Assessment
A.03.10.08 Physical Access to Transmission Lines
03.11 — Risk Assessment (21 requirements)
03.11.01 Risk Assessment Assessment
A.03.11.01.ODP[01] Risk Assessment ODP[01]
A.03.11.01.a Risk Assessment a
A.03.11.01.b Risk Assessment b
03.11.02 Vulnerability Monitoring and Scanning Assessment
A.03.11.02.ODP[01] Vulnerability Monitoring and Scanning ODP[01]
A.03.11.02.ODP[02] Vulnerability Monitoring and Scanning ODP[02]
A.03.11.02.ODP[03] Vulnerability Monitoring and Scanning ODP[03]
A.03.11.02.ODP[04] Vulnerability Monitoring and Scanning ODP[04]
A.03.11.02.a[01] Vulnerability Monitoring and Scanning a[01]
A.03.11.02.a[02] Vulnerability Monitoring and Scanning a[02]
A.03.11.02.a[03] Vulnerability Monitoring and Scanning a[03]
A.03.11.02.a[04] Vulnerability Monitoring and Scanning a[04]
A.03.11.02.b Vulnerability Monitoring and Scanning b
A.03.11.02.c[01] Vulnerability Monitoring and Scanning c[01]
A.03.11.02.c[02] Vulnerability Monitoring and Scanning c[02]
03.11.03 Risk Response Assessment
03.11.04 Risk Response Assessment
A.03.11.04[01] findings from security assessments are responded to
A.03.11.04[02] findings from security monitoring are responded to
A.03.11.04[03] findings from security audits are responded to
03.12 — Security Assessment and Monitoring (25 requirements)
03.12.01 Security Assessment Assessment
A.03.12.01.ODP[01] Security Assessment ODP[01]
A.03.12.01 Security Assessment
03.12.02 Plan of Action and Milestones Assessment
A.03.12.02.a.01 Plan of Action and Milestones a.01
A.03.12.02.a.02 Plan of Action and Milestones a.02
A.03.12.02.b.01 Plan of Action and Milestones b.01
A.03.12.02.b.02 Plan of Action and Milestones b.02
A.03.12.02.b.03 Plan of Action and Milestones b.03
03.12.03 Continuous Monitoring Assessment
A.03.12.03[01] a system-level continuous monitoring strategy is developed
A.03.12.03[02] a system-level continuous monitoring strategy is implemented
A.03.12.03[03] ongoing monitoring is included in the continuous monitoring strategy
A.03.12.03[04] security assessments are included in the continuous monitoring strategy
03.12.04 System and Network Security Architecture Assessment
03.12.05 Information Exchange Assessment
A.03.12.05.ODP[01] Information Exchange ODP[01]
A.03.12.05.ODP[02] Information Exchange ODP[02]
A.03.12.05.a[01] Information Exchange a[01]
A.03.12.05.a[02] Information Exchange a[02]
A.03.12.05.b[01] Information Exchange b[01]
A.03.12.05.b[02] Information Exchange b[02]
A.03.12.05.b[03] Information Exchange b[03]
A.03.12.05.c[01] Information Exchange c[01]
A.03.12.05.c[02] Information Exchange c[02]
03.13 — System and Communications Protection (44 requirements)
03.13.01 Boundary Protection Assessment
A.03.13.01.a[01] Boundary Protection a[01]
A.03.13.01.a[02] Boundary Protection a[02]
A.03.13.01.a[03] Boundary Protection a[03]
A.03.13.01.a[04] Boundary Protection a[04]
A.03.13.01.b Boundary Protection b
A.03.13.01.c Boundary Protection c
03.13.02 Information in Shared System Resources Assessment
03.13.03 Security and Privacy Engineering Assessment
03.13.04 CUI Separation Assessment
A.03.13.04[01] unauthorized information transfer via shared system resources is prevented
A.03.13.04[02] unintended information transfer via shared system resources is prevented
03.13.05 Transmission Confidentiality and Integrity Assessment
03.13.06 Network Disconnect Assessment
A.03.13.06[01] network communications traffic is denied by default
A.03.13.06[02] network communications traffic is allowed by exception
03.13.07 Cryptographic Protection Assessment
03.13.08 CUI at Rest Assessment
A.03.13.08[01] cryptographic mechanisms are implemented to prevent the unauthorized disclosu...
A.03.13.08[02] cryptographic mechanisms are implemented to prevent the unauthorized disclosu...
03.13.09 Connections to Public Networks Assessment
A.03.13.09.ODP[01] Connections to Public Networks ODP[01]
A.03.13.09 Connections to Public Networks
03.13.10 Collaborative Computing Devices Assessment
A.03.13.10.ODP[01] Collaborative Computing Devices ODP[01]
A.03.13.10[01] cryptographic keys are established in the system in accordance with the follo...
A.03.13.10[02] cryptographic keys are managed in the system in accordance with the following...
03.13.11 Mobile Code Assessment
A.03.13.11.ODP[01] Mobile Code ODP[01]
A.03.13.11 Mobile Code
03.13.12 Voice over Internet Protocol Assessment
A.03.13.12.ODP[01] Voice over Internet Protocol ODP[01]
A.03.13.12.a Voice over Internet Protocol a
A.03.13.12.b Voice over Internet Protocol b
03.13.13 DNS and Traffic Filtering Assessment
A.03.13.13.a[01] DNS and Traffic Filtering a[01]
A.03.13.13.a[02] DNS and Traffic Filtering a[02]
A.03.13.13.b[01] DNS and Traffic Filtering b[01]
A.03.13.13.b[02] DNS and Traffic Filtering b[02]
A.03.13.13.b[03] DNS and Traffic Filtering b[03]
03.13.14 Technology-Specific Implementation Assessment
03.13.15 Session Authenticity Assessment
A.03.13.15 Session Authenticity
03.13.16 CUI at Rest (Incorporated) Assessment
03.14 — System and Information Integrity (35 requirements)
03.14.01 Flaw Remediation Assessment
A.03.14.01.ODP[01] Flaw Remediation ODP[01]
A.03.14.01.ODP[02] Flaw Remediation ODP[02]
A.03.14.01.a[01] Flaw Remediation a[01]
A.03.14.01.a[02] Flaw Remediation a[02]
A.03.14.01.a[03] Flaw Remediation a[03]
A.03.14.01.b[01] Flaw Remediation b[01]
A.03.14.01.b[02] Flaw Remediation b[02]
03.14.02 Malicious Code Protection Assessment
A.03.14.02.ODP[01] Malicious Code Protection ODP[01]
A.03.14.02.a[01] Malicious Code Protection a[01]
A.03.14.02.a[02] Malicious Code Protection a[02]
A.03.14.02.b Malicious Code Protection b
A.03.14.02.c.01[01] Malicious Code Protection c.01[01]
A.03.14.02.c.01[02] Malicious Code Protection c.01[02]
A.03.14.02.c.02 Malicious Code Protection c.02
03.14.03 Security Alerts, Advisories, and Directives Assessment
A.03.14.03.a Security Alerts, Advisories, and Directives a
A.03.14.03.b[01] Security Alerts, Advisories, and Directives b[01]
A.03.14.03.b[02] Security Alerts, Advisories, and Directives b[02]
03.14.04 System Monitoring Assessment
03.14.05 Advanced Email Protections Assessment
03.14.06 Spam and Spyware Protection Assessment
A.03.14.06.a.01[01] Spam and Spyware Protection a.01[01]
A.03.14.06.a.01[02] Spam and Spyware Protection a.01[02]
A.03.14.06.a.02 Spam and Spyware Protection a.02
A.03.14.06.b Spam and Spyware Protection b
A.03.14.06.c[01] Spam and Spyware Protection c[01]
A.03.14.06.c[02] Spam and Spyware Protection c[02]
03.14.07 Sandboxing Assessment
03.14.08 Information Management and Retention Assessment
A.03.14.08[01] CUI within the system is managed in accordance with applicable laws, Executiv...
A.03.14.08[02] CUI within the system is retained in accordance with applicable laws, Executi...
A.03.14.08[03] CUI output from the system is managed in accordance with applicable laws, Exe...
A.03.14.08[04] CUI output from the system is retained in accordance with applicable laws, Ex...
03.15 — Planning (28 requirements)
03.15.01 Policy and Procedures Assessment
A.03.15.01.ODP[01] Policy and Procedures ODP[01]
A.03.15.01.a[01] Policy and Procedures a[01]
A.03.15.01.a[02] Policy and Procedures a[02]
A.03.15.01.a[03] Policy and Procedures a[03]
A.03.15.01.a[04] Policy and Procedures a[04]
A.03.15.01.b[01] Policy and Procedures b[01]
A.03.15.01.b[02] Policy and Procedures b[02]
03.15.02 System Security Plan Assessment
A.03.15.02.ODP[01] System Security Plan ODP[01]
A.03.15.02.a.01 System Security Plan a.01
A.03.15.02.a.02 System Security Plan a.02
A.03.15.02.a.03 System Security Plan a.03
A.03.15.02.a.04 System Security Plan a.04
A.03.15.02.a.05 System Security Plan a.05
A.03.15.02.a.06 System Security Plan a.06
A.03.15.02.a.07 System Security Plan a.07
A.03.15.02.a.08 System Security Plan a.08
A.03.15.02.b[01] System Security Plan b[01]
A.03.15.02.b[02] System Security Plan b[02]
A.03.15.02.c System Security Plan c
03.15.03 Rules of Behavior Assessment
A.03.15.03.ODP[01] Rules of Behavior ODP[01]
A.03.15.03.a Rules of Behavior a
A.03.15.03.b Rules of Behavior b
A.03.15.03.c Rules of Behavior c
A.03.15.03.d[01] Rules of Behavior d[01]
A.03.15.03.d[02] Rules of Behavior d[02]
03.16 — System and Services Acquisition (11 requirements)
03.16.01 Security Engineering Principles Assessment
A.03.16.01.ODP[01] Security Engineering Principles ODP[01]
A.03.16.01 Security Engineering Principles
03.16.02 Unsupported System Components Assessment
A.03.16.02.a Unsupported System Components a
A.03.16.02.b Unsupported System Components b
03.16.03 External System Services Assessment
A.03.16.03.ODP[01] External System Services ODP[01]
A.03.16.03.a External System Services a
A.03.16.03.b External System Services b
A.03.16.03.c External System Services c
03.17 — Supply Chain Risk Management (27 requirements)
03.17.01 Supply Chain Risk Management Plan Assessment
A.03.17.01.ODP[01] Supply Chain Risk Management Plan ODP[01]
A.03.17.01.a[01] Supply Chain Risk Management Plan a[01]
A.03.17.01.a[02] Supply Chain Risk Management Plan a[02]
A.03.17.01.a[03] Supply Chain Risk Management Plan a[03]
A.03.17.01.a[04] Supply Chain Risk Management Plan a[04]
A.03.17.01.a[05] Supply Chain Risk Management Plan a[05]
A.03.17.01.a[06] Supply Chain Risk Management Plan a[06]
A.03.17.01.a[07] Supply Chain Risk Management Plan a[07]
A.03.17.01.a[08] Supply Chain Risk Management Plan a[08]
A.03.17.01.a[09] Supply Chain Risk Management Plan a[09]
A.03.17.01.a[10] Supply Chain Risk Management Plan a[10]
A.03.17.01.b[01] Supply Chain Risk Management Plan b[01]
A.03.17.01.b[02] Supply Chain Risk Management Plan b[02]
A.03.17.01.c Supply Chain Risk Management Plan c
03.17.02 Acquisition Strategies, Tools, and Methods Assessment
A.03.17.02[01] acquisition strategies, contract tools, and procurement methods are developed...
A.03.17.02[02] acquisition strategies, contract tools, and procurement methods are developed...
A.03.17.02[03] acquisition strategies, contract tools, and procurement methods are developed...
A.03.17.02[04] acquisition strategies, contract tools, and procurement methods are implement...
A.03.17.02[05] acquisition strategies, contract tools, and procurement methods are implement...
A.03.17.02[06] acquisition strategies, contract tools, and procurement methods are implement...
03.17.03 Supply Chain Requirements and Processes Assessment
A.03.17.03.ODP[01] Supply Chain Requirements and Processes ODP[01]
A.03.17.03.a[01] Supply Chain Requirements and Processes a[01]
A.03.17.03.a[02] Supply Chain Requirements and Processes a[02]
A.03.17.03.b Supply Chain Requirements and Processes b