A Draft List of Software Assurance (SwA) Related NIST SP Revision 4 Controls*

Transcription

1 !!!!!!!!!!!!! A Draft List of Software Assurance (SwA) Related NIST SP Revision 4 Controls* Technical Report: UNO-TGRS Robin Gandhi, Harvey Siy, Sayonnha Mandal The University of Nebraska at Omaha Keesha Crosby Tri-Guard Risk Solutions, LTD. * This research is partially funded by DHS Science and Technology Directorate, Software Assurance program. RESTRICTED USE For review only, do not distribute without expressed written consent from the authors for any other purpose.

2 ! EXECUTIVE SUMMARY The objective of the effort documented in this report was to develop a draft list of NIST SP Rev 4 controls applicable to Software Assurance (SwA). In this report we summarize the method used to determine relevance of security controls for software assurance; observations and findings upon applying our method to NIST SP Rev 4 security control catalog; metrics computed to understand the breath and depth of software assurance concerns that cross-cut security control families in NIST SP Rev 4; and an enumeration of critical issues to address. Here are some of the key findings: 1. Relevance for software assurance can be seen through out security control families in NIST SP Rev 4. However, most security controls require expert interpretation to extract such relevance. 2. The control families in NIST SP Rev 4 that have an emphasis on controls for software developers, development processes, or supply-chain do not have detailed guidance about what common software weaknesses should be considered to satisfy or undermine compliance with a control. 3. Many widely accepted best practices to improve secure coding practices such as static and dynamic code analysis, threat modeling, code reviews, penetration testing of software, attack surface review, etc. are included in the control catalog as supplemental guidance or enhancements, but are not assigned to any baseline (low, mod, high). These practices are categorized as assurance controls. It may become very easy for a software developer or organization to tailor them out. 4. To maintain broad applicability NIST SP Rev 4 security controls are often specified independent of specific technologies and platforms. As a result, the controls naturally align well with abstract Class and Base software weaknesses in the Common Weakness Enumeration (CWE). Thus, relationships among CWEs such as parent, child and other non-taxonomic relationships will need to be used to determine relevance for specific technologies and platforms being acquired or certified, putting additional burden in the C&A process. 5. Community consensus and awareness on what qualifies as a software assurance related control and what criteria to use to generate CWE mappings will be key to the continued success of this effort. We expect to use our draft results to solicit feedback from relevant stakeholders such as NIST-FISMA implementation team and the MITRE CWE team. RESTRICTED USE For review only, do not distribute without expressed written consent from the authors for any other purpose.

3 ! REPORT ATTENTION: The findings in this report are preliminary in nature and should be considered in draft form only. The list of relevant software assurance controls is subject to change as the project continues and we receive feedback from relevant stakeholders. An Engagement to Look Forward to: Security Requirements and Software Weaknesses 1. Introduction Certification and Accreditation (C&A) activities are often the biggest driver of security efforts in enterprises of all sizes. Risks from software vulnerabilities are now a significant consideration during C&A activities. Unfortunately, the large collection of software weaknesses is not readily understood in the context of standard C&A security control baselines. The long-term objective of our team is to bridge the gap between C&A security controls and software weaknesses, such that the risks can be understood and effectively addressed. The objective of the effort documented in this report was to develop a draft list of NIST SP Rev 4 controls applicable to Software Assurance (SwA). The rest of the report is structured as follows. In the following method section we elaborate on the development of selection criteria for establishing security control relevance to software assurance and the process followed to review security controls. Next we present our findings and observations, including metrics related to the selection activities. We finally conclude with our plans for the next phase and issues to be addressed, followed by the detailed list of security controls in Appendix A. 2. Method What is Software Assurance? Many government agencies (e.g. NASA, CNSS, DHS, etc.), focus groups (e.g. SAFECode, BSIMM, etc.) as well as many academicians have put forth different definitions/criteria, which address different aspects of software assurance. To gain wide acceptance and community consensus it is important to adopt a definition of Software Assurance (SwA) that is universally accepted. Thus, we have adopted a recent definition that was developed through discussion among several stakeholders in the SwA community and the one that became the basis for the Masters in Software Assurance curriculum project by CERT [1]. The definition is as follows: Software Assurance is the application of technologies and processes to achieve a required level of confidence* that software systems and services function in the intended manner, are free from accidental or intentional vulnerabilities, provide security capabilities appropriate to the threat environment, and recover from intrusions and failures. [1] RESTRICTED USE For review only, do not distribute without expressed written consent from the authors for any other purpose.

4 ! * In this definition, the word confidence implies that there is a basis for the belief that software systems and services function in the intended manner. This was suggested by one of the authors of this report to the MS in SwA team during the curriculum review period to avoid the circular definition problem that the words Assurance and Confidence create. Selection Method In this project, we have used the above definition to establish the selection criteria for security and privacy controls from the NIST SP Rev 4 catalog that are relevant to software assurance. In particular, we identified controls that required the application of technology (T), process (P) or process and technology combined (P+T) to achieve a required level of confidence that software systems and services function in the intended manner, are free from accidental or intentional vulnerabilities, provide security capabilities appropriate to the threat environment, and recover from intrusions and failures. Controls that were found to be not applicable to software assurance were marked with a (N), whereas withdrawn controls were marked as (W) Security controls in all of the 26 families, including privacy families, in Appendix F and J of the NIST SP Rev 4 document were reviewed independently by each project member (total 4 team members) to assign the following categories: P, T, P+T, N or W. Finally, in a group session, each control with divergent categorizations were discussed extensively to reach consensus in a combined categorization, which is reported here. During the individual and group discussions, each team member adhered to the following criteria to determine relevance of a security control to software assurance: Control applicable to a software developer or development process Control applicable to implementation of software artifacts (requirements, design, source code, testing, documentation, build environments, etc.) Control applicable to software lifecycle Control applicable to policies to be enforced by software Control refers to software weaknesses to be avoided Controls that would fail due to a software weakness Control applicable to software configuration and maintenance Control applicable to accidental or intentional vulnerabilities in software Control applicable to security capabilities to be provided by software in a threat environment Control applicable to software recovery from intrusions and failures RESTRICTED USE For review only, do not distribute without expressed written consent from the authors for any other purpose.

5 ! A control with relevance to any of the above criteria was then placed into an appropriate category (P, T, P+T). If a control does not pertain to the above criteria, or is related to infrastructure or network controls then the control is categorized as not applicable (N). Controls that were already marked withdrawn in the NIST SP Rev 4 catalog were categorized as (W) 3. Observations and Findings The tables in Section 4 summarize key metrics for the outcomes of the selection controls relevant to software assurance. In this section, we first discuss the findings that are interesting for the software assurance community. The SwA relevant controls mostly come from Access Control (AC), Security Assessment and Authorization (CA), Configuration Management (CM), Identification and Authentication (IA), Maintenance (MA), Risk Assessment (RI), System and Services Acquisition (SA), System and Communications Protection (SC), and System and Information Integrity (SI). Most controls under Contingency Planning (CP) were considered not applicable because they specify manual recovery operations. All controls in Incident Response (IR) were also not applicable for similar reasons. Similarly, half or more of the controls under Planning (PL) and Program Management (PM) were also not applicable because they specify manual user operations or documentation procedures. All controls in Media Protection (MP), Physical and Environmental Protection (PE) and Personnel Security (PS) were not applicable because they specify steps and operations to physically or manually secure sensitive resources, rather than the internal characteristics of software and services. Most privacy-related controls, e.g., Accountability, Audit, and Risk Management (AR), Individual Participation and Redress (IP), Security (SE), Transparency (TR) and Use Limitation (UL), were also not applicable for similar reasons. While System and Communications Protection (SC) and System and Information Integrity (SI) controls are mostly relevant, nearly a third of the controls were not applicable because they specify security for the network infrastructure (e.g., border protection devices, firewalls, routers, honeypots, wireless devices, etc.). While these are important to system security, protection from network attacks on the software components are already covered elsewhere. We finally note that, many of the System and Services Acquisition (SA) family controls are related to software developers, development processes and practices. While nearly all controls under SA are relevant to software assurance, these controls do not explicitly mention relevant software weaknesses. All of these practices should be using common software weakness enumerations (CWEs) to guide development, acquisition and certification efforts. In future phases, we expect such controls to be mapped to a prioritized list of common software weaknesses for the system and organizational environment under consideration. RESTRICTED USE For review only, do not distribute without expressed written consent from the authors for any other purpose.

6 ! 4. Metrics In this section we report metrics that help to understand the breath and depth of software assurance coverage in the NIST SP Rev 4 control families. Details on the selected controls that become the basis of these metrics can be found in Appendix A of this report. Control Families Total # of control families (including Privacy families) 26 # of families with some or all controls relevant to SwA 17 # of families with no controls relevant to SwA 9 Controls and Control Enhancements Total # of controls and control enhancements (including Privacy families) 958 Total # of SwA related controls (T or P or P+T) 535 Total # of SwA controls that require application of technology (T) 221 Total # of SwA controls that require application of processes (P) 165 Total # of SwA controls that require application of processes and technology (P+T) 149 Total # of controls Not Applicable to SwA or Withdrawn (N or W) 423 Total # of controls Not Applicable to SwA (N) 343 Total # of controls that have been Withdrawn (W) 80 Control Priorities Total # of SwA related controls with priority P1 (highest priority) 185 Total # of SwA related controls with priority P2 (2 nd highest priority) 29 Total # of SwA related controls with priority P3 (3 rd highest priority) 9 Total # of SwA related controls with priority P0 (control not in any baseline) 53 Total # of SwA related controls with no priority code assigned 259 Control Baselines Total # of SwA related controls in Low baseline 66 Total # of SwA related controls in Moderate Baseline 130 Total # of SwA related controls in High Baseline 165 Total # of SwA related controls NOT in any Baseline 174 RESTRICTED USE For review only, do not distribute without expressed written consent from the authors for any other purpose.

7 ! SwA relevance per Control Family Control Family P/T/P+T N/W Total Access Control (AC) Awareness and Training (AT) Audit and Accountability (AU) Security Assessment and Authorization (CA) Configuration Management (CM) Contingency Planning (CP) Identification and Authentication (IA) Incident Response (IR) Maintenance (MA) Media Protection (MP) Physical and Environmental Protection (PE) Planning (PL) Personnel Security (PS) Risk Assessment (RA) System and Services Acquisition (SA) System and Communications Protection (SC) System and Information Integrity (SI) Program Management (PM) Privacy-Authority and Purpose (AP) Privacy-Accountability, Audit, and Risk Management (AR) Privacy-Data Quality and Integrity (DI) Privacy-Data Minimization and Retention (DM) Privacy-Individual Participation and Redress (IP) Privacy-Security (SE) Privacy-Transparency (TR) Privacy-Use Limitation (UL) Total RESTRICTED USE For review only, do not distribute without expressed written consent from the authors for any other purpose.

8 ! Graph based summary of SwA relevance per Control Family 0" 20" 40" 60" 80" 100" 120" 140" 160" Access"Control"(AC)" Awareness"and"Training"(AT)" Audit"and"Accountability"(AU)" Security"Assessment"and"AuthorizaBon"(CA)" ConfiguraBon"Management"(CM)" ConBngency"Planning"(CP)" IdenBficaBon"and"AuthenBcaBon"(IA)" Incident"Response"(IR)" Maintenance"(MA)" Media"ProtecBon"(MP)" Physical"and"Environmental"ProtecBon"(PE)" Planning"(PL)" Personnel"Security"(PS)" Risk"Assessment"(RA)" P/T/P+T" N/W" System"and"Services"AcquisiBon"(SA)" System"and"CommunicaBons"ProtecBon"(SC)" System"and"InformaBon"Integrity"(SI)" Program"Management"(PM)" Authority"and"Purpose"(AP)" Accountability,"Audit,"and"Risk"Management"(AR)" Data"Quality"and"Integrity"(DI)" Data"MinimizaBon"and"RetenBon"(DM)" Individual"ParBcipaBon"and"Redress"(IP)" Security"(SE)" Transparency"(TR)" Use"LimitaBon"(UL)" RESTRICTED USE For review only, do not distribute without expressed written consent from the authors for any other purpose.

9 ! 5. Discussion of Key Issues and Next Steps Software is a key element in a majority of information system components. Thus, relevance for software assurance can be seen through out security control families in NIST SP Rev 4. However, we have identified several issues, as follows: Most security controls require expert interpretation to extract relevance. The granularity (e.g. firmware, hardware, software, system, environment, organization) at which a control is applicable is also often left for interpretation. The control families that have an emphasis on controls for software developers, development processes, or supply chain do not have detailed guidance about what common software weaknesses should be considered to satisfy or undermine compliance with a control. For example, consider the SA-11 control, its control enhancements and baseline assignment summary: RESTRICTED USE For review only, do not distribute without expressed written consent from the authors for any other purpose.

10 ! It is surprising that such an important software assurance related control is not applicable in the Low baseline and its control enhancements are not assigned to any baseline. While the top level control is selected for Moderate and High baselines, much of the rigor in implementing this control lies within the control enhancements. Lack of explicit inclusion of such fundamental software assurance best practices in the baselines limit the effectiveness of FISMA compliance in procuring secure software. These practices are categorized as assurance controls, but it may become very easy for a software developer or organization to just tailor them out. It is our observation that the NIST SP Rev 4 control catalog has a comprehensive set of requirements to develop or procure secure software, but these control assignments need to be elevated and included explicitly in the Low, Moderate and High baselines. To maintain broad applicability NIST SP Rev 4 security controls are often specified independent of specific technologies and platforms. As a result, the controls naturally align well with abstract Class and Base level software weaknesses in the Common Weakness Enumeration (CWE). Thus, relationships between the CWEs and the related controls relationship between NIST SP Rev 4 controls will be essential to unravel the dependencies that apply for specific technologies and platforms being acquired or certified. Going forward, community consensus and awareness on what qualifies as a software assurance related control and what criteria to use to generate CWE mappings will be key to the continued success of this effort. We expect to use our draft results reported here to solicit feedback from relevant stakeholders such as NIST-FISMA implementation team and the Mitre CWE team. Our planned next steps include a push to refine and finalize the list of NIST SP Rev 4 controls that are relevant to software assurance. This list will then be further categorized by extracting explicit and implicit parts for each control. Explicit parts of a control are those that are directly spelled out in the regulatory baseline that have without a doubt implications for software assurance and do not require any interpretation on part of the stakeholders in the C&A process. Implicit parts, on the other hand, require expert knowledge and additional interpretation to determine applicability to software assurance efforts. Once such categorization is available, the task of mapping the explicit and implicit parts to CWEs will commence. It should be noted that the search process for each CWE and Control mapping would require exploring related CWEs and related controls. 6. References [1] Mead, N., Allen, J., Ardis, M., Hilburn, T., Kornecki, A., Linger, R., & McDonald, J. (2010). Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum (CMU/SEI-2010-TR-005). Retrieved November 07, 2013, from the Software Engineering Institute, Carnegie Mellon University website: RESTRICTED USE For review only, do not distribute without expressed written consent from the authors for any other purpose.

11 ! APPENDIX A ATTENTION: The findings in this report are preliminary in nature and should be considered in draft form only. The list of relevant software assurance controls is subject to change as the project continues and we receive feedback from relevant stakeholders. This distribution is limited and review purposes only. Due to the nature of our research, please do not distribute without express written consent from UNO or Tri-Guard Risk Solutions. In this section we have identified NIST SP Rev 4 controls that require the application of technology (T), process (P) or process and technology combined (P+T) to achieve a required level of confidence that software systems and services function in the intended manner, are free from accidental or intentional vulnerabilities, provide security capabilities appropriate to the threat environment, and recover from intrusions and failures. Controls that were found to be not applicable to software assurance were marked with a (N), whereas withdrawn controls were marked as (W) Security controls in all of the 26 families, including privacy families, in Appendix F and J of the NIST SP Rev 4 document were reviewed independently by each project member (total 4 team members) to assign the following categories: P, T, P+T, N or W. Finally, in a group session, each control with divergent categorizations were discussed extensively to reach consensus in a combined categorization, which is reported here. Each control family is reported separately. Each page includes the header shown below. These headings are self explanatory, and are consistent with the summary tables in Appendix D of NIST SP Rev 4 document. CNTL NO. NAME SwA RELATED (P/T/N) PRIO RITY LOW MOD HIGH RESTRICTED USE For review only, do not distribute without expressed written consent from the authors for any other purpose.

12 NAME Access Control (AC) AC-1 Access Control Policy and Procedures P P1 X X X AC-2 Account Management P+T P1 X X X AC-2 (1) ACCOUNT MANAGEMENT AUTOMATED SYSTEM ACCOUNT MANAGEMENT T P1 AC-2 (2) ACCOUNT MANAGEMENT REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS T P1 AC-2 (3) ACCOUNT MANAGEMENT DISABLE INACTIVE ACCOUNTS T P1 AC-2 (4) ACCOUNT MANAGEMENT AUTOMATED AUDIT ACTIONS T P1 X X X AC-2 (5) ACCOUNT MANAGEMENT INACTIVITY LOGOUT P+T P1 AC-2 (6) ACCOUNT MANAGEMENT DYNAMIC PRIVILEGE MANAGEMENT T P1 AC-2 (7) ACCOUNT MANAGEMENT ROLE-BASED SCHEMES P+T P1 AC-2 (8) ACCOUNT MANAGEMENT DYNAMIC ACCOUNT CREATION T P1 AC-2 (9) ACCOUNT MANAGEMENT RESTRICTIONS ON USE OF SHARED GROUPS / ACCOUNTS P P1 AC-2 (10) ACCOUNT MANAGEMENT SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION T P1 AC-2 (11) ACCOUNT MANAGEMENT USAGE CONDITIONS T P1 AC-2 (12) ACCOUNT MANAGEMENT ACCOUNT MONITORING / ATYPICAL USAGE P+T P1 AC-2 (13) ACCOUNT MANAGEMENT DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS P P1 AC-3 Access Enforcement T P1 AC-3 (1) ACCESS ENFORCEMENT RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS W AC-3 (2) ACCESS ENFORCEMENT DUAL AUTHORIZATION T AC-3 (3) ACCESS ENFORCEMENT MANDATORY ACCESS T AC-3 (4) ACCESS ENFORCEMENT DISCRETIONARY ACCESS T AC-3 (5) ACCESS ENFORCEMENT SECURITY-RELEVANT INFORMATION T P1 AC-3 (6) ACCESS ENFORCEMENT PROTECTION OF USER AND SYSTEM INFORMATION W AC-3 (7) ACCESS ENFORCEMENT ROLE-BASED ACCESS T P1 AC-3 (8) ACCESS ENFORCEMENT REVOCATION OF ACCESS AUTHORIZATIONS T P1 AC-3 (9) ACCESS ENFORCEMENT LED RELEASE T P1 AC-3 (10) ACCESS ENFORCEMENT AUDITED OVERRIDE OF ACCESS MECHANISMS P+T P1 AC-4 Information Flow Enforcement T P1 X X AC-4 (1) INFORMATION FLOW ENFORCEMENT OBJECT SECURITY ATTRIBUTES T P1 AC-4 (2) INFORMATION FLOW ENFORCEMENT PROCESSING DOMAINS T P1 AC-4 (3) INFORMATION FLOW ENFORCEMENT DYNAMIC INFORMATION FLOW T P1 AC-4 (4) INFORMATION FLOW ENFORCEMENT CONTENT CHECK ENCRYPTED INFORMATION T P1 AC-4 (5) INFORMATION FLOW ENFORCEMENT EMBEDDED DATA TYPES T P1 AC-4 (6) INFORMATION FLOW ENFORCEMENT METADATA T P1 AC-4 (7) INFORMATION FLOW ENFORCEMENT ONE-WAY FLOW MECHANISMS N P1 AC-4 (8) INFORMATION FLOW ENFORCEMENT SECURITY POLICY FILTERS T P1 AC-4 (9) INFORMATION FLOW ENFORCEMENT HUMAN REVIEWS P P1 AC-4 (10) INFORMATION FLOW ENFORCEMENT ENABLE / DISABLE SECURITY POLICY FILTERS T P1 AC-4 (11) INFORMATION FLOW ENFORCEMENT CONFIGURATION OF SECURITY POLICY FILTERS T P1 AC-4 (12) INFORMATION FLOW ENFORCEMENT DATA TYPE IDENTIFIERS T P1 AC-4 (13) INFORMATION FLOW ENFORCEMENT DECOMPOSITION INTO POLICY- RELEVANT SUBCOMPONENTS T P1 AC-4 (14) INFORMATION FLOW ENFORCEMENT SECURITY POLICY FILTER CONSTRAINTS T P1 AC-4 (15) INFORMATION FLOW ENFORCEMENT DETECTION OF UNSANCTIONED INFORMATION T P1 AC-4 (16) INFORMATION FLOW ENFORCEMENT INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS W AC-4 (17) INFORMATION FLOW ENFORCEMENT DOMAIN AUTHENTICATION T P1 AC-4 (18) INFORMATION FLOW ENFORCEMENT SECURITY ATTRIBUTE BINDING T P1 AC-4 (19) INFORMATION FLOW ENFORCEMENT VALIDATION OF METADATA T P1 AC-4 (20) INFORMATION FLOW ENFORCEMENT APPROVED SOLUTIONS P+T P1

13 NAME AC-4 (21) INFORMATION FLOW ENFORCEMENT PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS T P1 AC-4 (22) INFORMATION FLOW ENFORCEMENT ACCESS ONLY T P1 AC-5 Separation of Duties P+T P1 AC-6 Least Privilege P+T P1 AC-6 (1) LEAST PRIVILEGE AUTHORIZE ACCESS TO SECURITY FUNCTIONS P P1 X X AC-6 (2) LEAST PRIVILEGE NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS P P1 X X AC-6 (3) LEAST PRIVILEGE NETWORK ACCESS TO PRIVILEGED COMMANDS P P1 X AC-6 (4) LEAST PRIVILEGE SEPARATE PROCESSING DOMAINS T P1 AC-6 (5) LEAST PRIVILEGE PRIVILEGED ACCOUNTS P P1 X X AC-6 (6) LEAST PRIVILEGE PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS P P1 AC-6 (7) LEAST PRIVILEGE REVIEW OF USER PRIVILEGES P P1 AC-6 (8) LEAST PRIVILEGE PRIVILEGE LEVELS FOR CODE EXECUTION T P1 AC-6 (9) LEAST PRIVILEGE AUDITING USE OF PRIVILEGED FUNCTIONS T P1 X X AC-6 (10) LEAST PRIVILEGE PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS T P1 X X AC-7 Unsuccessful Logon Attempts T P2 X X X AC-7 (1) UNSUCCESSFUL LOGON ATTEMPTS AUTOMATIC ACCOUNT LOCK W AC-7 (2) UNSUCCESSFUL LOGON ATTEMPTS PURGE / WIPE MOBILE DEVICE T P2 AC-8 System Use Notification T P1 X X X AC-9 Previous Logon (Access) Notification T P0 AC-9 (1) PREVIOUS LOGON NOTIFICATION UNSUCCESSFUL LOGONS T P0 AC-9 (2) PREVIOUS LOGON NOTIFICATION SUCCESSFUL / UNSUCCESSFUL LOGONS T P0 AC-9 (3) PREVIOUS LOGON NOTIFICATION NOTIFICATION OF ACCOUNT CHANGES T P0 AC-9 (4) PREVIOUS LOGON NOTIFICATION ADDITIONAL LOGON INFORMATION T P0 AC-10 Concurrent Session Control T P3 AC-11 Session Lock T P3 X AC-11 (1) SESSION LOCK PATTERN-HIDING DISPLAYS T P3 X X AC-12 Session Termination T P2 X X AC-12 (1) SESSION TERMINATION USER-INITIATED LOGOUTS / MESSAGE DISPLAYS T P2 AC-13 Supervision and Review Access Control W AC-14 Permitted Actions without Identification or Authentication P P3 X X X AC-14 (1) PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION NECESSARY USES W AC-15 Automated Marking W AC-16 Security Attributes P+T P0 AC-16 (1) SECURITY ATTRIBUTES DYNAMIC ATTRIBUTE ASSOCIATION T P0 AC-16 (2) SECURITY ATTRIBUTES ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS T P0 AC-16 (3) SECURITY ATTRIBUTES MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM T P0 AC-16 (4) SECURITY ATTRIBUTES ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS T P0 AC-16 (5) SECURITY ATTRIBUTES ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES T P0 AC-16 (6) SECURITY ATTRIBUTES MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION N P0 AC-16 (7) SECURITY ATTRIBUTES CONSISTENT ATTRIBUTE INTERPRETATION T P0 AC-16 (8) SECURITY ATTRIBUTES ASSOCIATION TECHNIQUES / TECHNOLOGIES T P0 AC-16 (9) SECURITY ATTRIBUTES ATTRIBUTE REASSIGNMENT P+T P0 AC-16 (10) SECURITY ATTRIBUTES ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS T P0 AC-17 Remote Access P P1 X X X AC-17 (1) REMOTE ACCESS AUTOMATED MONITORING / T P1 X X AC-17 (2) REMOTE ACCESS PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION T P1 X X AC-17 (3) REMOTE ACCESS MANAGED ACCESS POINTS T P1 X X AC-17 (4) REMOTE ACCESS PRIVILEGED COMMANDS / ACCESS P P1 X X

14 NAME AC-17 (5) REMOTE ACCESS MONITORING FOR UNAUTHORIZED CONNECTIONS W AC-17 (6) REMOTE ACCESS PROTECTION OF INFORMATION N P1 AC-17 (7) REMOTE ACCESS ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS W AC-17 (8) REMOTE ACCESS DISABLE NONSECURE NETWORK PROTOCOLS W AC-17 (9) REMOTE ACCESS DISCONNECT / DISABLE ACCESS P+T P1 AC-18 Wireless Access N X X X AC-18 (1) WIRELESS ACCESS AUTHENTICATION AND ENCRYPTION N X X AC-18 (2) WIRELESS ACCESS MONITORING UNAUTHORIZED CONNECTIONS N AC-18 (3) WIRELESS ACCESS DISABLE WIRELESS NETWORKING N AC-18 (4) WIRELESS ACCESS RESTRICT CONFIGURATIONS BY USERS N X AC-18 (5) WIRELESS ACCESS ANTENNAS / TRANSMISSION POWER LEVELS N X AC-19 Access Control for Mobile Devices N X X X AC-19 (1) ACCESS FOR MOBILE DEVICES USE OF WRITABLE / PORTABLE STORAGE DEVICES N AC-19 (2) ACCESS FOR MOBILE DEVICES USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES N AC-19 (3) ACCESS FOR MOBILE DEVICES USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER N AC-19 (4) ACCESS FOR MOBILE DEVICES RESTRICTIONS FOR CLASSIFIED INFORMATION N AC-19 (5) ACCESS FOR MOBILE DEVICES FULL DEVICE / CONTAINER- BASED ENCRYPTION N X X AC-20 Use of External Information Systems N P1 X X X AC-20 (1) USE OF EXTERNAL INFORMATION SYSTEMS LIMITS ON AUTHORIZED USE N P1 X X AC-20 (2) USE OF EXTERNAL INFORMATION SYSTEMS PORTABLE STORAGE DEVICES N P1 X X AC-20 (3) USE OF EXTERNAL INFORMATION SYSTEMS NON- ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES N P1 AC-20 (4) USE OF EXTERNAL INFORMATION SYSTEMS NETWORK ACCESSIBLE STORAGE DEVICES N P1 AC-21 Information Sharing P+T P2 X X AC-21 (1) INFORMATION SHARING AUTOMATED DECISION SUPPORT T P2 AC-21 (2) INFORMATION SHARING INFORMATION SEARCH AND RETRIEVAL T P2 AC-22 Publicly Accessible Content N P3 X X X AC-23 Data Mining Protection T P0 AC-24 Access Control Decisions P+T P0 AC-24 (1) ACCESS DECISIONS TRANSMIT ACCESS AUTHORIZATION INFORMATION T P0 AC-24 (2) ACCESS DECISIONS NO USER OR PROCESS IDENTITY T P0 AC-25 Reference Monitor T P0

15 NAME Awareness and Training (AT) AT-1 Security Awareness and Training Policy and Procedures P P1 X X X AT-2 Security Awareness Training P P1 X X X AT-2 (1) SECURITY AWARENESS PRACTICAL EXERCISES T P1 AT-2 (2) SECURITY AWARENESS INSIDER THREAT T P1 X X AT-3 Role-Based Security Training P P1 X X X AT-3 (1) SECURITY TRAINING ENVIRONMENTAL S N P1 AT-3 (2) SECURITY TRAINING PHYSICAL SECURITY S N P1 AT-3 (3) SECURITY TRAINING PRACTICAL EXERCISES P P1 AT-3 (4) SECURITY TRAINING SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR N P1 AT-4 Security Training Records N X X AT-5 Contacts with Security Groups and Associations W

16 NAME Audit and Accountability (AU) AU-1 Audit And Accountability Policy and Procedures P P1 x x x AU-2 Audit Events P+T P1 x AU-2 (1) AUDIT EVENTS COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES W AU-2 (2) AUDIT EVENTS SELECTION OF AUDIT EVENTS BY COMPONENT W AU-2 (3) AUDIT EVENTS REVIEWS AND UPDATES N P1 x x AU-2 (4) AUDIT EVENTS PRIVILEGED FUNCTIONS W AU-3 Content of Audit Records P+T P1 x AU-3 (1) CONTENT OF AUDIT RECORDS ADDITIONAL AUDIT INFORMATION P+T P1 x x AU-3 (2) CONTENT OF AUDIT RECORDS CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT P+T P1 x AU-4 Audit Storage Capacity N P1 x x x AU-4 (1) AUDIT STORAGE CAPACITY TRANSFER TO ALTERNATE STORAGE N AU-5 Response to Audit Processing Failures T P1 x x AU-5 (1) RESPONSE TO AUDIT PROCESSING FAILURES AUDIT STORAGE CAPACITY T P1 x AU-5 (2) RESPONSE TO AUDIT PROCESSING FAILURES REAL-TIME ALERTS T P1 x AU-5 (3) RESPONSE TO AUDIT PROCESSING FAILURES CONFIGURABLE TRAFFIC VOLUME THRESHOLDS T AU-5 (4) RESPONSE TO AUDIT PROCESSING FAILURES SHUTDOWN ON FAILURE T AU-6 Audit Review, Analysis, and Reporting P+T P1 x AU-6 (1) AUDIT REVIEW, ANALYSIS, AND REPORTING PROCESS INTEGRATION N P1 x x AU-6 (2) AUDIT REVIEW, ANALYSIS, AND REPORTING AUTOMATED SECURITY ALERTS N AU-6 (3) AUDIT REVIEW, ANALYSIS, AND REPORTING CORRELATE AUDIT REPOSITORIES N x x AU-6 (4) AUDIT REVIEW, ANALYSIS, AND REPORTING CENTRAL REVIEW AND ANALYSIS P+T AU-6 (5) AUDIT REVIEW, ANALYSIS, AND REPORTING INTEGRATION / SCANNING AND MONITORING CAPABILITIES P+T x AU-6 (6) AUDIT REVIEW, ANALYSIS, AND REPORTING CORRELATION WITH PHYSICAL MONITORING N x AU-6 (7) AUDIT REVIEW, ANALYSIS, AND REPORTING PERMITTED ACTIONS P+T AU-6 (8) AUDIT REVIEW, ANALYSIS, AND REPORTING FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS N AU-6 (9) AUDIT REVIEW, ANALYSIS, AND REPORTING CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES N AU-6 (10) AUDIT REVIEW, ANALYSIS, AND REPORTING AUDIT LEVEL ADJUSTMENT N AU-7 Audit Reduction and Report Generation P+T AU-7 (1) AUDIT REDUCTION AND REPORT GENERATION AUTOMATIC PROCESSING P+T P2 x x AU-7 (2) AUDIT REDUCTION AND REPORT GENERATION AUTOMATIC SORT AND SEARCH T AU-8 Time Stamps T P1 x AU-8 (1) TIME STAMPS SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE T P1 x x AU-8 (2) TIME STAMPS SECONDARY AUTHORITATIVE TIME SOURCE T AU-9 Protection of Audit Information N P1 x AU-9 (1) PROTECTION OF AUDIT INFORMATION HARDWARE WRITE-ONCE MEDIA N AU-9 (2) PROTECTION OF AUDIT INFORMATION AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS N P1 x AU-9 (3) PROTECTION OF AUDIT INFORMATION CRYPTOGRAPHIC PROTECTION N P1 x AU-9 (4) PROTECTION OF AUDIT INFORMATION ACCESS BY SUBSET OF PRIVILEGED USERS N P1 x x AU-9 (5) PROTECTION OF AUDIT INFORMATION DUAL AUTHORIZATION N AU-9 (6) PROTECTION OF AUDIT INFORMATION READ ONLY ACCESS N AU-10 Non- Repudiation T P2 X

17 NAME AU-10 (1) NON-REPUDIATION ASSOCIATION OF IDENTITIES T AU-10 (2) NON-REPUDIATION VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY T AU-10 (3) NON-REPUDIATION CHAIN OF CUSTODY P+T AU-10 (4) NON-REPUDIATION VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY T AU-10 (5) NON-REPUDIATION DIGITAL SIGNATURES W AU-11 Audit Record Retention N AU-11 (1) AUDIT RECORD RETENTION LONG-TERM RETRIEVAL CAPABILITY N AU-12 Audit Generation T AU-12 (1) AUDIT GENERATION SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL T AU-12 (2) AUDIT GENERATION STANDARDIZED FORMATS T AU-12 (3) AUDIT GENERATION CHANGES BY AUTHORIZED INDIVIDUALS P+T AU-13 Monitoring for Information Disclosure N AU-13 (1) MONITORING FOR INFORMATION DISCLOSURE USE OF AUTOMATED TOOLS N AU-13 (2) MONITORING FOR INFORMATION DISCLOSURE REVIEW OF MONITORED SITES N AU-14 Session Audit T AU-14 (1) SESSION AUDIT SYSTEM START-UP T AU-14 (2) SESSION AUDIT CAPTURE/RECORD AND LOG CONTENT T AU-14 (3) SESSION AUDIT REMOTE VIEWING / LISTENING T AU-15 Alternate Audit Capability N AU-16 Cross- Organizational Auditing N AU-16 (1) CROSS-ORGANIZATIONAL AUDITING IDENTITY PRESERVATION N AU-16 (2) CROSS-ORGANIZATIONAL AUDITING SHARING OF AUDIT INFORMATION N

18 NAME Security Assessment and Authorization (CA) CA-1 Security Assessment and Authorization Policy and Procedures P P1 x x x CA-2 Security Assessments P+T P2 x CA-2 (1) SECURITY ASSESSMENTS INDEPENDENT ASSESSORS P+T x CA-2 (2) SECURITY ASSESSMENTS SPECIALIZED ASSESSMENTS P+T x x CA-2 (3) SECURITY ASSESSMENTS EXTERNAL ORGANIZATIONS P+T CA-3 System Interconnections N P2 x CA-3 (1) SYSTEM INTERCONNECTIONS UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS N CA-3 (2) SYSTEM INTERCONNECTIONS CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS N CA-3 (3) SYSTEM INTERCONNECTIONS UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS N CA-3 (4) SYSTEM INTERCONNECTIONS CONNECTIONS TO PUBLIC NETWORKS N CA-3 (5) SYSTEM INTERCONNECTIONS RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS N x x CA-4 Security Certification W CA-5 Plan of Action and Milestones P P3 x x x CA-5 (1) PLAN OF ACTION AND MILESTONES AUTOMATION SUPPORT FOR ACCURACY / CURRENCY T CA-6 Security Authorization N P2 x x x CA-7 Continuous Monitoring P+T P2 x CA-7 (1) CONTINUOUS MONITORING INDEPENDENT ASSESSMENT P+T x x CA-7 (2) CONTINUOUS MONITORING TYPES OF ASSESSMENTS P+T CA-7 (3) CONTINUOUS MONITORING TREND ANALYSES N CA-8 Penetration Testing P+T P2 x CA-8 (1) PENETRATION TESTING INDEPENDENT PENETRATION AGENT OR TEAM P+T CA-8 (2) PENETRATION TESTING RED TEAM EXERCISES P+T CA-9 Internal System Connections N P2 x x x CA-9 (1) INTERNAL SYSTEM CONNECTIONS SECURITY COMPLIANCE CHECKS N

19 NAME Configuration Mangement (CM) CM-1 Configuration Management Policy and Procedures P P1 X X X CM-2 Baseline Configuration P+T P1 X X X CM-2 (1) BASELINE CONFIGURATION REVIEWS AND UPDATES P P1 X X CM-2 (2) BASELINE CONFIGURATION AUTOMATION SUPPORT FOR ACCURACY / CURRENCY T P1 X CM-2 (3) BASELINE CONFIGURATION RETENTION OF PREVIOUS CONFIGURATIONS P+T P1 X X CM-2 (4) BASELINE CONFIGURATION UNAUTHORIZED SOFTWARE W CM-2 (5) BASELINE CONFIGURATION AUTHORIZED SOFTWARE W CM-2 (6) BASELINE CONFIGURATION DEVELOPMENT AND TEST ENVIRONMENTS P+T CM-2 (7) BASELINE CONFIGURATION CONFIGURE SYSTEMS, COMPONENTS,OR DEVICES FOR HIGH-RISK AREAS N P1 X X CM-3 Configuration Change Control P P1 X X CM-3 (1) CONFIGURATION CHANGE AUTOMATED DOCUMENT/NOTIFICATION / PROHIBITION OF CHANGES P+T P1 X CM-3 (2) CONFIGURATION CHANGE TEST / VALIDATE / DOCUMENT CHANGE P P1 X X CM-3 (3) CONFIGURATION CHANGE AUTOMATED CHANGE IMPLEMENTATION P+T CM-3 (4) CONFIGURATION CHANGE SECURITY REPRESENTATIVE N CM-3 (5) CONFIGURATION CHANGE AUTOMATED SECURITY RESPONSE T CM-3 (6) CONFIGURATION CHANGE CRYPTOGRAPHY MANAGEMENT T CM-4 Security Impact Analysis P+T P2 X X X CM-4 (1) SECURITY IMPACT ANALYSIS SEPARATE TEST ENVIRONMENTS P+T P2 X CM-4 (2) SECURITY IMPACT ANALYSIS VERIFICATION OF SECURITY FUNCTIONS P+T CM-5 Access Restrictions for Change P+T P1 X X CM-5 (1) ACCESS RESTRICTIONS FOR CHANGE AUTOMATED ACCESS ENFORCEMENT / AUDITING T P1 X CM-5 (2) ACCESS RESTRICTIONS FOR CHANGE REVIEW SYSTEM CHANGES P P1 X CM-5 (3) ACCESS RESTRICTIONS FOR CHANGE SIGNED COMPONENTS T P1 X CM-5 (4) ACCESS RESTRICTIONS FOR CHANGE DUAL AUTHORIZATION P+T CM-5 (5) ACCESS RESTRICTIONS FOR CHANGE LIMIT PRODUCTION / OPERATIONAL PRIVILEGES P+T CM-5 (6) ACCESS RESTRICTIONS FOR CHANGE LIMIT LIBRARY PRIVILEGES P+T CM-5 (7) ACCESS RESTRICTIONS FOR CHANGE AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS W CM-6 Configuration Settings P+T P1 X X X CM-6 (1) CONFIGURATION SETTINGS AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION T P1 X CM-6 (2 CONFIGURATION SETTINGS RESPOND TO UNAUTHORIZED CHANGES P P1 X CM-6 (3) CONFIGURATION SETTINGS UNAUTHORIZED CHANGE DETECTION W CM-6 (4) CONFIGURATION SETTINGS CONFORMANCE DEMONSTRATION W CM-7 Least Functionality P+T P1 X X X CM-7 (1) LEAST FUNCTIONALITY PERIODIC REVIEW P P1 X X CM-7 (2) LEAST FUNCTIONALITY PREVENT PROGRAM EXECUTION T P1 X X CM-7 (3) LEAST FUNCTIONALITY REGISTRATION COMPLIANCE P P1 CM-7 (4) LEAST FUNCTIONALITY UNAUTHORIZED SOFTWARE / BLACKLISTING T P1 X CM-7 (5) LEAST FUNCTIONALITY AUTHORIZED SOFTWARE / WHITELISTING T P1 X CM-8 Information System Component Inventory P+T P1 X X X CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY UPDATES DURING INSTALLATIONS / REMOVALS P P1 X X CM-8 (2) INFORMATION SYSTEM COMPONENT INVENTORY AUTOMATED MAINTENANCE T P1 X

20 NAME CM-8 (3) INFORMATION SYSTEM COMPONENT INVENTORY AUTOMATED UNAUTHORIZED COMPONENT DETECTION T P1 X X CM-8 (4) INFORMATION SYSTEM COMPONENT INVENTORY ACCOUNTABILITY INFORMATION P+T P1 X CM-8 (5) INFORMATION SYSTEM COMPONENT INVENTORY NO DUPLICATE ACCOUNTING OF COMPONENTS P+T P1 X X CM-8 (6) INFORMATION SYSTEM COMPONENT INVENTORY ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS P+T CM-8 (7) INFORMATION SYSTEM COMPONENT INVENTORY CENTRALIZED REPOSITORY P+T CM-8 (8) INFORMATION SYSTEM COMPONENT INVENTORY AUTOMATED LOCATION TRACKING T CM-8 (9) INFORMATION SYSTEM COMPONENT INVENTORY ASSIGNMENT OF COMPONENTS TO SYSTEMS P CM-9 Configuration Management Plan P X X CM-9 (1) CONFIGURATION MANAGEMENT PLAN ASSIGNMENT OF RESPONSIBILITY P CM-10 Software Usage Restrictions P X X X CM-10 (1) SOFTWARE USAGE RESTRICTIONS OPEN SOURCE SOFTWARE P CM-11 User-Installed Software P+T X X X CM-11 (1) USER-INSTALLED SOFTWARE ALERTS FOR UNAUTHORIZED INSTALLATIONS T CM-11 (2) USER-INSTALLED SOFTWARE PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS T

21 NAME Contingency Planning (CP) CP-1 Contingency Planning Policy and Procedures N P1 x x x CP-2 Contingency Plan N P1 x CP-2 (1) CONTINGENCY PLAN COORDINATE WITH RELATED PLANS N x x CP-2 (2) CONTINGENCY PLAN CAPACITY PLANNING N x CP-2 (3) CONTINGENCY PLAN RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS N x x CP-2 (4) CONTINGENCY PLAN RESUME ALL MISSIONS / BUSINESS FUNCTIONS N x CP-2 (5) CONTINGENCY PLAN CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS N x CP-2 (6) CONTINGENCY PLAN ALTERNATE PROCESSING / STORAGE SITE N CP-2 (7) CONTINGENCY PLAN COORDINATE WITH EXTERNAL SERVICE PROVIDERS N CP-2 (8) CONTINGENCY PLAN IDENTIFY CRITICAL ASSETS N x x CP-3 Contingency Training N P2 x x CP-3 (1) CONTINGENCY TRAINING SIMULATED EVENTS N x CP-3 (2) CONTINGENCY TRAINING AUTOMATED TRAINING ENVIRONMENTS N CP-4 Contingency Plan Testing N P2 x CP-4 (1) CONTINGENCY PLAN TESTING COORDINATE WITH RELATED PLANS N x x CP-4 (2) CONTINGENCY PLAN TESTING ALTERNATE PROCESSING SITE N x CP-4 (3) CONTINGENCY PLAN TESTING AUTOMATED TESTING N CP-4 (4) CONTINGENCY PLAN TESTING FULL RECOVERY / RECONSTITUTION N CP-5 Contingency Plan Update W CP-6 Alternate Storage Site N P1 CP-6 (1) ALTERNATE STORAGE SITE SEPARATION FROM PRIMARY SITE N x x CP-6 (2) ALTERNATE STORAGE SITE RECOVERY TIME / POINT OBJECTIVES N x CP-6 (3) ALTERNATE STORAGE SITE ACCESSIBILITY N x x CP-7 Alternate Processing Site N P1 CP-7 (1) ALTERNATE PROCESSING SITE SEPARATION FROM PRIMARY SITE N x x CP-7 (2) ALTERNATE PROCESSING SITE ACCESSIBILITY N x x CP-7 (3) ALTERNATE PROCESSING SITE PRIORITY OF SERVICE N x x CP-7 (4) ALTERNATE PROCESSING SITE PREPARATION FOR USE N x CP-7 (5) ALTERNATE PROCESSING SITE EQUIVALENT INFORMATION SECURITY SAFEGUARDS W CP-7 (6) ALTERNATE PROCESSING SITE INABILITY TO RETURN TO PRIMARY SITE N CP-8 Telecommunications Services N P1 CP-8 (1) TELECOMMUNICATIONS SERVICES PRIORITY OF SERVICE PROVISIONS N x x CP-8 (2) TELECOMMUNICATIONS SERVICES SINGLE POINTS OF FAILURE N x x CP-8 (3) TELECOMMUNICATIONS SERVICES SEPARATION OF PRIMARY / ALTERNATE PROVIDERS N x CP-8 (4) TELECOMMUNICATIONS SERVICES PROVIDER CONTINGENCY PLAN N x CP-8 (5) TELECOMMUNICATIONS SERVICES ALTERNATE TELECOMMUNICATION SERVICE TESTING N CP-9 Information System Backup P+T P1 x CP-9 (1) INFORMATION SYSTEM BACKUP TESTING FOR RELIABILITY / INTEGRITY P x x CP-9 (2) INFORMATION SYSTEM BACKUP TEST RESTORATION USING SAMPLING P x CP-9 (3) INFORMATION SYSTEM BACKUP SEPARATE STORAGE FOR CRITICAL INFORMATION P x CP-9 (4) INFORMATION SYSTEM BACKUP PROTECTION FROM UNAUTHORIZED MODIFICATION W

22 NAME CP-9 (5) INFORMATION SYSTEM BACKUP TRANSFER TO ALTERNATE STORAGE SITE N x CP-9 (6) INFORMATION SYSTEM BACKUP REDUNDANT SECONDARY SYSTEM N CP-9 (7) INFORMATION SYSTEM BACKUP DUAL AUTHORIZATION P+T CP-10 Information System Recovery and Reconstitution P+T P1 x CP-10 (1) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION CONTINGENCY PLAN TESTING W CP-10 (2) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION TRANSACTION RECOVERY N X X CP-10 (3) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION COMPENSATING SECURITY S W CP-10 (4) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION RESTORE WITHIN TIME PERIOD N X CP-10 (5) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION FAILOVER CAPABILITY W CP-10 (6) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION COMPONENT PROTECTION N CP-11 Alternate Communications Protocols T P0 CP-12 Safe Mode N P0 CP-13 Alternative Security Mechanisms N P0

23 NAME IA-1 Identification and Authentication Policy and Procedures P P1 x x x IA-2 Identification and Authentication (Organizational Users) T IA-2 (1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) NETWORK ACCESS TO PRIVILEGED ACCOUNTS T P1 x x x IA-2 (2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS T P1 x x IA-2 (3) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) LOCAL ACCESS TO PRIVILEGED ACCOUNTS T P1 x x IA-2 (4) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS T P1 x IA-2 (5) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) GROUP AUTHENTICATION P+T IA-2 (6) IA-2 (7) IA-2 (8) IA-2 (9) Identification and Authentication (IA) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - SEPARATE TDEVICE IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - SEPARATE T DEVICE IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT T P1 x x IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY T RESISTANT P1 x IA-2 (10) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) SINGLE SIGN-ON T IA-2 (11) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) REMOTE ACCESS - SEPARATE DEVICE T P1 x x IA-2 (12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) ACCEPTANCE OF PIV CREDENTIALS T P1 x x x IA-2 (13) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) OUT-OF-BAND AUTHENTICATION T IA-3 Device Identification and Authentication T P1 x x IA-3 (1) DEVICE IDENTIFICATION AND AUTHENTICATION CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION T IA-3 (2) DEVICE IDENTIFICATION AND AUTHENTICATION CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION W IA-3 (3) DEVICE IDENTIFICATION AND AUTHENTICATION DYNAMIC ADDRESS ALLOCATION T IA-3 (4) DEVICE IDENTIFICATION AND AUTHENTICATION DEVICE ATTESTATION T IA-4 Identifier Management P P1 x x x IA-4 (1) IDENTIFIER MANAGEMENT PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS P IA-4 (2) IDENTIFIER MANAGEMENT SUPERVISOR AUTHORIZATION P IA-4 (3) IDENTIFIER MANAGEMENT MULTIPLE FORMS OF CERTIFICATION P IA-4 (4) IDENTIFIER MANAGEMENT IDENTIFY USER STATUS P IA-4 (5) IDENTIFIER MANAGEMENT DYNAMIC MANAGEMENT T IA-4 (6) IDENTIFIER MANAGEMENT CROSS-ORGANIZATION MANAGEMENT P IA-4 (7) IDENTIFIER MANAGEMENT IN-PERSON REGISTRATION P IA-5 Authenticator Management P+T IA-5 (1) AUTHENTICATOR MANAGEMENT PASSWORD-BASED AUTHENTICATION T P1 x x x IA-5 (2) AUTHENTICATOR MANAGEMENT PKI-BASED AUTHENTICATION T P1 x x IA-5 (3) AUTHENTICATOR MANAGEMENT IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION P P1 x x IA-5 (4) AUTHENTICATOR MANAGEMENT AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION T IA-5 (5) AUTHENTICATOR MANAGEMENT CHANGE AUTHENTICATORS PRIOR TO DELIVERY P IA-5 (6) AUTHENTICATOR MANAGEMENT PROTECTION OF AUTHENTICATORS P+T IA-5 (7) AUTHENTICATOR MANAGEMENT NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS P+T IA-5 (8) AUTHENTICATOR MANAGEMENT MULTIPLE INFORMATION SYSTEM ACCOUNTS P+T IA-5 (9) AUTHENTICATOR MANAGEMENT CROSS-ORGANIZATION CREDENTIAL MANAGEMENT P+T IA-5 (10) AUTHENTICATOR MANAGEMENT DYNAMIC CREDENTIAL ASSOCIATION T IA-5 (11) AUTHENTICATOR MANAGEMENT HARDWARE TOKEN-BASED AUTHENTICATION T P1 x x x IA-5 (12) AUTHENTICATOR MANAGEMENT BIOMETRIC AUTHENTICATION T

24 NAME IA-5 (13) AUTHENTICATOR MANAGEMENT EXPIRATION OF CACHED AUTHENTICATORS T IA-5 (14) AUTHENTICATOR MANAGEMENT MANAGING CONTENT OF PKI TRUST STORES N IA-5 (15) AUTHENTICATOR MANAGEMENT FICAM-APPROVED PRODUCTS AND SERVICES N IA-6 Authenticator Feedback T P2 x x x IA-7 Cryptographic Module Authentication T P1 x x x IA-8 Identification and Authentication (Non-Organizational Users) T IA-8 (1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES T P1 x x x IA-8 (2) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) ACCEPTANCE OF THIRD-PARTY CREDENTIALS T P1 x x x IA-8 (3) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) USE OF FICAM-APPROVED PRODUCTS P+T P1 x x x IA-8 (4) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) USE OF FICAM-ISSUED PROFILES T P1 x x x IA-8 (5) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) ACCEPTANCE OF PIV-I CREDENTIALS T IA-9 Service Identification and Authentication T P0 IA-9 (1) SERVICE IDENTIFICATION AND AUTHENTICATION INFORMATION EXCHANGE P+T IA-9 (2) SERVICE IDENTIFICATION AND AUTHENTICATION TRANSMISSION OF DECISIONS P+T IA-10 Adaptive Identification and Authentication P+T P0 IA-11 Re-authentication P+T P0

25 NAME Incident Response (IR) IR-1 Incident Response Policy and Procedures N P1 x x x IR-2 Incident Response Training N P2 x x IR-2 (1) INCIDENT RESPONSE TRAINING SIMULATED EVENTS N x IR-2 (2) INCIDENT RESPONSE TRAINING AUTOMATED TRAINING ENVIRONMENTS N x IR-3 Incident Response Testing N P2 x IR-3 (1) INCIDENT RESPONSE TESTING AUTOMATED TESTING N IR-3 (2) INCIDENT RESPONSE TESTING COORDINATION WITH RELATED PLANS N x x IR-4 Incident Handling N P1 x IR-4 (1) INCIDENT HANDLING AUTOMATED INCIDENT HANDLING PROCESSES N x x IR-4 (2) INCIDENT HANDLING DYNAMIC RECONFIGURATION N IR-4 (3) INCIDENT HANDLING CONTINUITY OF OPERATIONS N IR-4 (4) INCIDENT HANDLING INFORMATION CORRELATION N x IR-4 (5) INCIDENT HANDLING AUTOMATIC DISABLING OF INFORMATION SYSTEM N IR-4 (6) INCIDENT HANDLING INSIDER THREATS - SPECIFIC CAPABILITIES N IR-4 (7) INCIDENT HANDLING INSIDER THREATS - INTRA-ORGANIZATION COORDINATION N IR-4 (8) INCIDENT HANDLING CORRELATION WITH EXTERNAL ORGANIZATIONS N IR-4 (9) INCIDENT HANDLING DYNAMIC RESPONSE CAPABILITY N IR-4 (10) INCIDENT HANDLING SUPPLY CHAIN COORDINATION N IR-5 Incident Monitoring N P1 x x IR-5 (1) INCIDENT MONITORING AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS N x IR-6 Incident Reporting N P1 x IR-6 (1) INCIDENT REPORTING AUTOMATED REPORTING N x x IR-6 (2) INCIDENT REPORTING VULNERABILITIES RELATED TO INCIDENTS N IR-6 (3) INCIDENT REPORTING COORDINATION WITH SUPPLY CHAIN N IR-7 Incident Response Assistance N P2 x IR-7 (1) INCIDENT RESPONSE ASSISTANCE AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT N x x IR-7 (2) INCIDENT RESPONSE ASSISTANCE COORDINATION WITH EXTERNAL PROVIDERS N IR-8 Incident Response Plan N P1 x x x IR-9 Information Spillage Response N P0 IR-9 (1) INFORMATION SPILLAGE RESPONSE RESPONSIBLE PERSONNEL N IR-9 (2) INFORMATION SPILLAGE RESPONSE TRAINING N IR-9 (3) INFORMATION SPILLAGE RESPONSE POST-SPILL OPERATIONS N IR-9 (4) INFORMATION SPILLAGE RESPONSE EXPOSURE TO UNAUTHORIZED PERSONNEL N IR-10 Integrated Information Security Analysis Team N P0

26 NAME Maintenance (MA) MA-1 System Maintenance Policy and Procedures P P1 x x x MA-2 Controlled Maintenance P P2 x x MA-2 (1) LED MAINTENANCE RECORD CONTENT P MA-2 (2) LED MAINTENANCE AUTOMATED MAINTENANCE ACTIVITIES P P2 x MA-3 Maintenance Tools P+T P3 MA-3 (1) MAINTENANCE TOOLS INSPECT TOOLS P P3 x x MA-3 (2) MAINTENANCE TOOLS INSPECT MEDIA P P3 x x MA-3 (3) MAINTENANCE TOOLS PREVENT UNAUTHORIZED REMOVAL P P3 x MA-3 (4) MAINTENANCE TOOLS RESTRICTED TOOL USE P MA-4 Nonlocal Maintenance P+T P2 x MA-4 (1) NONLOCAL MAINTENANCE AUDITING AND REVIEW P MA-4 (2) NONLOCAL MAINTENANCE DOCUMENT NONLOCAL MAINTENANCE P P2 x x MA-4 (3) NONLOCAL MAINTENANCE COMPARABLE SECURITY / SANITIZATION P P2 x MA-4 (4) NONLOCAL MAINTENANCE AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS P+T MA-4 (5) NONLOCAL MAINTENANCE APPROVALS AND NOTIFICATIONS P MA-4 (6) NONLOCAL MAINTENANCE CRYPTOGRAPHIC PROTECTION T MA-4 (7) NONLOCAL MAINTENANCE REMOTE DISCONNECT VERIFICATION P+T MA-5 Maintenance Personnel P P2 x x MA-5 (1) MAINTENANCE PERSONNEL INDIVIDUALS WITHOUT APPROPRIATE ACCESS P P2 x MA-5 (2) MAINTENANCE PERSONNEL SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS P MA-5 (3) MAINTENANCE PERSONNEL CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS P MA-5 (4) MAINTENANCE PERSONNEL FOREIGN NATIONALS P MA-5 (5) MAINTENANCE PERSONNEL NONSYSTEM-RELATED MAINTENANCE P MA-6 Timely Maintenance P P2 x x MA-6 (1) TIMELY MAINTENANCE PREVENTIVE MAINTENANCE P MA-6 (2) TIMELY MAINTENANCE PREDICTIVE MAINTENANCE P MA-6 (3) TIMELY MAINTENANCE AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE T