Appendix 3
NIST SP 800-82 Security Measures

This appendix presents the security measures proposed in the NIST SP 800-82r4 guide. More details are given in that guide (Stouffer et al. 2015), including guidance on implementing these measures for industrial control systems (ICS). The measures are aligned with those proposed in SP 800-53 (NIST 2014).

Table A3.1. NIST SP 800-82 security measures
Columns L, M and H are the Low, Moderate and High baselines. x = control selected in the SP 800-53 baseline; + = control added by the ICS overlay; - = control removed by the ICS overlay; . = not selected. Program management (PM) controls are organization-wide and are not assigned to a baseline.

Control  L M H
ACCESS CONTROL – AC
AC-1 Access Control Policy and Procedures  x x x
AC-2 Account Management  x x x
AC-2 (1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT  . x x
AC-2 (2) ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY/EMERGENCY ACCOUNTS  . x x
AC-2 (3) ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS  . x x
AC-2 (4) ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS  . x x
AC-2 (5) ACCOUNT MANAGEMENT | INACTIVITY LOGOUT/TYPICAL USAGE MONITORING  . . x
AC-2 (11) ACCOUNT MANAGEMENT | USAGE CONDITIONS  . . x
AC-2 (12) ACCOUNT MANAGEMENT | ACCOUNT MONITORING/ATYPICAL USAGE  . . x
AC-2 (13) ACCOUNT MANAGEMENT | ACCOUNT REVIEWS  . . x
AC-3 Access Enforcement  x x x
AC-4 Information Flow Enforcement  . x x
AC-5 Separation of Duties  . x x
AC-6 Least Privilege  . x x
AC-6 (1) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS  . x x
AC-6 (2) LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS  . x x
AC-6 (3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS  . . x
AC-6 (5) LEAST PRIVILEGE | PRIVILEGED ACCOUNTS  . x x
AC-6 (9) LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS  . x x
AC-6 (10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS  . x x
AC-7 Unsuccessful Login Attempts  x x x
AC-8 System Use Notification  x x x
AC-10 Concurrent Session Control  . . x
AC-11 Session Lock  . x x
AC-11 (1) SESSION LOCK | PATTERN-HIDING DISPLAYS  . x x
AC-12 Session Termination  . x x
AC-14 Permitted Actions without Identification or Authentication  x x x
AC-17 Remote Access  x x x
AC-17 (1) REMOTE ACCESS | AUTOMATED MONITORING/CONTROL  . x x
AC-17 (2) REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY/INTEGRITY USING ENCRYPTION  . x x
AC-17 (3) REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS  . x x
AC-17 (4) REMOTE ACCESS | PRIVILEGED COMMANDS/ACCESS  . x x
AC-18 Wireless Access  x x x
AC-18 (1) WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION  . x x
AC-18 (4) WIRELESS ACCESS | RESTRICT CONFIGURATIONS BY USERS  . . x
AC-18 (5) WIRELESS ACCESS | CONFINE WIRELESS COMMUNICATIONS  . . x
AC-19 Access Control for Mobile Devices  x x x
AC-19 (5) ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE/CONTAINER-BASED ENCRYPTION  . x x
AC-20 Use of External Information Systems  x x x
AC-20 (1) USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE  . x x
AC-20 (2) USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE MEDIA  . x x
AC-21 Collaboration and Information Sharing  + x x
AC-22 Publicly Accessible Content  x x x
AWARENESS AND TRAINING – AT
AT-1 Security Awareness and Training Policy and Procedures  x x x
AT-2 Security Awareness  x x x
AT-2 (2) SECURITY AWARENESS | INSIDER THREAT  . x x
AT-3 Role-Based Security Training  x x x
AT-4 Security Training Records  x x x
AUDITING AND ACCOUNTABILITY – AU
AU-1 Audit and Accountability Policy and Procedures  x x x
AU-2 Auditable Events  x x x
AU-2 (3) AUDITABLE EVENTS | REVIEWS AND UPDATES  . x x
AU-3 Content of Audit Records  x x x
AU-3 (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION  . x x
AU-3 (2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT  . . x
AU-4 Audit Storage Capacity  x x x
AU-4 (1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE  + + +
AU-5 Response to Audit Processing Failures  x x x
AU-5 (1) RESPONSE TO AUDIT PROCESSING FAILURES | AUDIT STORAGE CAPACITY  . . x
AU-5 (2) RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS  . . x
AU-6 Audit Review, Analysis and Reporting  x x x
AU-6 (1) AUDIT REVIEW, ANALYSIS AND REPORTING | PROCESS INTEGRATION  . x x
AU-6 (3) AUDIT REVIEW, ANALYSIS AND REPORTING | CORRELATE AUDIT REPOSITORIES  . x x
AU-6 (5) AUDIT REVIEW, ANALYSIS AND REPORTING | INTEGRATION/SCANNING AND MONITORING CAPABILITIES  . . x
AU-6 (6) AUDIT REVIEW, ANALYSIS AND REPORTING | CORRELATION WITH PHYSICAL MONITORING  . . x
AU-7 Audit Reduction and Report Generation  . x x
AU-7 (1) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING  . x x
AU-8 Time Stamps  x x x
AU-8 (1) TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE  . x x
AU-9 Protection of Audit Information  x x x
AU-9 (2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS/COMPONENTS  . . x
AU-9 (3) PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION  . . x
AU-9 (4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS  . x x
AU-10 Non-repudiation  . . x
AU-11 Audit Record Retention  x x x
AU-12 Audit Generation  x x x
AU-12 (1) AUDIT GENERATION | SYSTEM-WIDE/TIME-CORRELATED AUDIT TRAIL  . . x
AU-12 (3) AUDIT GENERATION | CHANGES BY AUTHORIZED INDIVIDUALS  . . x
SECURITY ASSESSMENT AND AUTHORIZATION – CA
CA-1 Security Assessment and Authorization Policy and Procedures  x x x
CA-2 Security Assessments  x x x
CA-2 (1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS  . x x
CA-2 (2) SECURITY ASSESSMENTS | TYPES OF ASSESSMENTS  . . x
CA-3 Information System Connections  x x x
CA-3 (5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS  . x x
CA-5 Plan of Action and Milestones  x x x
CA-6 Security Authorization  x x x
CA-7 Continuous Monitoring  x x x
CA-7 (1) CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT  . x x
CA-8 Penetration Testing  . . x
CA-9 Internal System Connections  x x x
CONFIGURATION MANAGEMENT – CM
CM-1 Configuration Management Policy and Procedures  x x x
CM-2 Baseline Configuration  x x x
CM-2 (1) BASELINE CONFIGURATION | REVIEWS AND UPDATES  . x x
CM-2 (2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY/CURRENCY  . . x
CM-2 (3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS  . x x
CM-2 (7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS  . x x
CM-3 Configuration Change Control  . x x
CM-3 (1) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT/NOTIFICATION/PROHIBITION OF CHANGES  . . x
CM-3 (2) CONFIGURATION CHANGE CONTROL | TEST/VALIDATE/DOCUMENT CHANGES  . x x
CM-4 Security Impact Analysis  x x x
CM-4 (1) SECURITY IMPACT ANALYSIS | SEPARATE TEST ENVIRONMENTS  . . x
CM-5 Access Restrictions for Change  . x x
CM-5 (1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT/AUDITING  . . x
CM-5 (2) ACCESS RESTRICTIONS FOR CHANGE | AUDIT SYSTEM CHANGES  . . x
CM-5 (3) ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS  . . x
CM-6 Configuration Settings  x x x
CM-6 (1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT/APPLICATION/VERIFICATION  . . x
CM-6 (2) CONFIGURATION SETTINGS | RESPOND TO UNAUTHORIZED CHANGES  . . x
CM-7 Least Functionality  x x x
CM-7 (1) LEAST FUNCTIONALITY | PERIODIC REVIEW  + x x
CM-7 (2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION  . x x
CM-7 (4) LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE  . - .
CM-7 (5) LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE  . + x
CM-8 Information System Component Inventory  x x x
CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS/REMOVALS  . x x
CM-8 (2) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE  . . x
CM-8 (3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION  . x x
CM-8 (4) INFORMATION SYSTEM COMPONENT INVENTORY | PROPERTY ACCOUNTABILITY INFORMATION  . . x
CM-8 (5) INFORMATION SYSTEM COMPONENT INVENTORY | ALL COMPONENTS WITHIN AUTHORIZATION BOUNDARY  . x x
CM-9 Configuration Management Plan  . x x
CM-10 Software Usage Restrictions  x x x
CM-11 User-Installed Software  x x x
CONTINGENCY PLANNING – CP
CP-1 Contingency Planning Policy and Procedures  x x x
CP-2 Contingency Plan  x x x
CP-2 (1) CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS  . x x
CP-2 (2) CONTINGENCY PLAN | CAPACITY PLANNING  . . x
CP-2 (3) CONTINGENCY PLAN | RESUME ESSENTIAL MISSIONS/BUSINESS FUNCTIONS  . x x
CP-2 (4) CONTINGENCY PLAN | RESUME ALL MISSIONS/BUSINESS FUNCTIONS  . . x
CP-2 (5) CONTINGENCY PLAN | CONTINUE ESSENTIAL MISSIONS/BUSINESS FUNCTIONS  . . x
CP-2 (8) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS  . x x
CP-3 Contingency Training  x x x
CP-3 (1) CONTINGENCY TRAINING | SIMULATED EVENTS  . . x
CP-4 Contingency Plan Testing  x x x
CP-4 (1) CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS  . x x
CP-4 (2) CONTINGENCY PLAN TESTING | ALTERNATE PROCESSING SITE  . . x
CP-6 Alternate Storage Site  . x x
CP-6 (1) ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE  . x x
CP-6 (2) ALTERNATE STORAGE SITE | RECOVERY TIME/POINT OBJECTIVES  . . x
CP-6 (3) ALTERNATE STORAGE SITE | ACCESSIBILITY  . x x
CP-7 Alternate Processing Site  . x x
CP-7 (1) ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE  . x x
CP-7 (2) ALTERNATE PROCESSING SITE | ACCESSIBILITY  . x x
CP-7 (3) ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE  . x x
CP-7 (4) ALTERNATE PROCESSING SITE | CONFIGURATION FOR USE  . . x
CP-8 Telecommunications Services  . x x
CP-8 (1) TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS  . x x
CP-8 (2) TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE  . x x
CP-8 (3) TELECOMMUNICATIONS SERVICES | SEPARATION OF PRIMARY/ALTERNATE PROVIDERS  . . x
CP-8 (4) TELECOMMUNICATIONS SERVICES | PROVIDER CONTINGENCY PLAN  . . x
CP-9 Information System Backup  x x x
CP-9 (1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY/INTEGRITY  . x x
CP-9 (2) INFORMATION SYSTEM BACKUP | TEST RESTORATION USING SAMPLING  . . x
CP-9 (3) INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION  . . x
CP-9 (5) INFORMATION SYSTEM BACKUP | TRANSFER TO ALTERNATE SITE  . . x
CP-10 Information System Recovery and Reconstitution  x x x
CP-10 (2) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY  . x x
CP-10 (4) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | RESTORE WITHIN TIME PERIOD  . . x
CP-12 Safe Mode  + + +
IDENTIFICATION AND AUTHENTICATION – IA
IA-1 Security Identification and Authentication Policy and Procedures  x x x
IA-2 Identification and Authentication (Organizational Users)  x x x
IA-2 (1) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS  x x x
IA-2 (2) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS  . x x
IA-2 (3) IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO PRIVILEGED ACCOUNTS  . x x
IA-2 (4) IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS  . . x
IA-2 (8) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT  . x x
IA-2 (9) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT  . . x
IA-2 (11) IDENTIFICATION AND AUTHENTICATION | REMOTE ACCESS - SEPARATE DEVICE  . x x
IA-2 (12) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS  x x x
IA-3 Device Identification and Authentication  + x x
IA-3 (1) DEVICE IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION  . + +
IA-3 (4) DEVICE IDENTIFICATION AND AUTHENTICATION | DEVICE ATTESTATION  . + +
IA-4 Identifier Management  x x x
IA-5 Authenticator Management  x x x
IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION  x x x
IA-5 (2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION  . x x
IA-5 (3) AUTHENTICATOR MANAGEMENT | IN PERSON REGISTRATION  . x x
IA-5 (11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION  x x x
IA-6 Authenticator Feedback  x x x
IA-7 Cryptographic Module Authentication  x x x
IA-8 Identification and Authentication (Non-Organizational Users)  x x x
IA-8 (1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES  x x x
IA-8 (2) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF THIRD-PARTY CREDENTIALS  x x x
IA-8 (3) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-APPROVED PRODUCTS  x x x
IA-8 (4) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-ISSUED PROFILES  x x x
INCIDENT RESPONSE – IR
IR-1 Incident Response Policy and Procedures  x x x
IR-2 Incident Response Training  x x x
IR-2 (1) INCIDENT RESPONSE TRAINING | SIMULATED EVENTS  . . x
IR-2 (2) INCIDENT RESPONSE TRAINING | AUTOMATED TRAINING ENVIRONMENTS  . . x
IR-3 Incident Response Testing  . x x
IR-3 (2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS  . x x
IR-4 Incident Handling  x x x
IR-4 (1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES  . x x
IR-4 (4) INCIDENT HANDLING | INFORMATION CORRELATION  . . x
IR-5 Incident Monitoring  x x x
IR-5 (1) INCIDENT MONITORING | AUTOMATED TRACKING/DATA COLLECTION/ANALYSIS  . . x
IR-6 Incident Reporting  x x x
IR-6 (1) INCIDENT REPORTING | AUTOMATED REPORTING  . x x
IR-7 Incident Response Assistance  x x x
IR-7 (1) INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION/SUPPORT  . x x
IR-8 Incident Response Plan  x x x
MAINTENANCE – MA
MA-1 Maintenance Policy and Procedures  x x x
MA-2 Controlled Maintenance  x x x
MA-2 (2) CONTROLLED MAINTENANCE | AUTOMATED MAINTENANCE ACTIVITIES  . . x
MA-3 Maintenance Tools  . x x
MA-3 (1) MAINTENANCE TOOLS | INSPECT TOOLS  . x x
MA-3 (2) MAINTENANCE TOOLS | INSPECT MEDIA  . x x
MA-3 (3) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL  . . x
MA-4 Non-Local Maintenance  x x x
MA-4 (2) NON-LOCAL MAINTENANCE | DOCUMENT NON-LOCAL MAINTENANCE  . x x
MA-4 (3) NON-LOCAL MAINTENANCE | COMPARABLE SECURITY/SANITIZATION  . . x
MA-5 Maintenance Personnel  x x x
MA-5 (1) MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS  . . x
MA-6 Timely Maintenance  . x x
MEDIA PROTECTION – MP
MP-1 Media Protection Policy and Procedures  x x x
MP-2 Media Access  x x x
MP-3 Media Marking  . x x
MP-4 Media Storage  . x x
MP-5 Media Transport  . x x
MP-5 (4) MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION  . x x
MP-6 Media Sanitization  x x x
MP-6 (1) MEDIA SANITIZATION | TRACKING/DOCUMENTING/VERIFYING  . . x
MP-6 (2) MEDIA SANITIZATION | EQUIPMENT TESTING  . . x
MP-6 (3) MEDIA SANITIZATION | NONDESTRUCTIVE TECHNIQUES  . . x
MP-7 Media Use  x x x
MP-7 (1) MEDIA USE | ORGANIZATIONAL RESTRICTIONS  . x x
PHYSICAL AND ENVIRONMENTAL PROTECTION – PE
PE-1 Physical and Environmental Protection Policy and Procedures  x x x
PE-2 Physical Access Authorizations  x x x
PE-3 Physical Access Control  x x x
PE-3 (1) PHYSICAL ACCESS CONTROL | INFORMATION SYSTEM ACCESS  . . x
PE-4 Access Control for Transmission Medium  . x x
PE-5 Access Control for Output Devices  . x x
PE-6 Monitoring Physical Access  x x x
PE-6 (1) MONITORING PHYSICAL ACCESS | INTRUSION ALARMS/SURVEILLANCE EQUIPMENT  . x x
PE-6 (4) MONITORING PHYSICAL ACCESS | MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS  . + x
PE-8 Visitor Access Records  x x x
PE-8 (1) VISITOR ACCESS RECORDS | AUTOMATED RECORDS MAINTENANCE/REVIEW  . . x
PE-9 Power Equipment and Cabling  . x x
PE-9 (1) POWER EQUIPMENT AND CABLING | REDUNDANT CABLING  . + +
PE-10 Emergency Shutoff  . x x
PE-11 Emergency Power  + x x
PE-11 (1) EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY  + + x
PE-11 (2) EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED  . . +
PE-12 Emergency Lighting  x x x
PE-13 Fire Protection  x x x
PE-13 (1) FIRE PROTECTION | DETECTION DEVICES/SYSTEMS  . . x
PE-13 (2) FIRE PROTECTION | SUPPRESSION DEVICES/SYSTEMS  . . x
PE-13 (3) FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION  . x x
PE-14 Temperature and Humidity Controls  x x x
PE-15 Water Damage Protection  x x x
PE-15 (1) WATER DAMAGE PROTECTION | AUTOMATION SUPPORT  . . x
PE-16 Delivery and Removal  x x x
PE-17 Alternate Work Site  . x x
PE-18 Location of Information Components  . . x
PLANNING – PL
PL-1 Security Planning Policy and Procedures  x x x
PL-2 System Security Plan  x x x
PL-2 (3) SYSTEM SECURITY PLAN | PLAN/COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES  + x x
PL-4 Rules of Behavior  x x x
PL-4 (1) RULES OF BEHAVIOR | SOCIAL MEDIA AND NETWORKING RESTRICTIONS  . x x
PL-7 Security Concept of Operations  . + +
PL-8 Information Security Architecture  . x x
PERSONNEL SECURITY – PS
PS-1 Personnel Security Policy and Procedures  x x x
PS-2 Position Risk Designation  x x x
PS-3 Personnel Screening  x x x
PS-4 Personnel Termination  x x x
PS-4 (2) PERSONNEL TERMINATION | AUTOMATED NOTIFICATION  . . x
PS-5 Personnel Transfer  x x x
PS-6 Access Agreements  x x x
PS-7 Third-Party Personnel Security  x x x
PS-8 Personnel Sanctions  x x x
RISK ASSESSMENT – RA
RA-1 Risk Assessment Policy and Procedures  x x x
RA-2 Security Categorization  x x x
RA-3 Risk Assessment  x x x
RA-5 Vulnerability Scanning  x x x
RA-5 (1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY  . x x
RA-5 (2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY/PRIOR TO NEW SCAN/WHEN IDENTIFIED  . x x
RA-5 (4) VULNERABILITY SCANNING | DISCOVERABLE INFORMATION  . . x
RA-5 (5) VULNERABILITY SCANNING | PRIVILEGED ACCESS  . x x
SYSTEM AND SERVICES ACQUISITION – SA
SA-1 System and Services Acquisition Policy and Procedures  x x x
SA-2 Allocation of Resources  x x x
SA-3 System Development Lifecycle  x x x
SA-4 Acquisition Process  x x x
SA-4 (1) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS  . x x
SA-4 (2) ACQUISITION PROCESS | DESIGN/IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS  . x x
SA-4 (9) ACQUISITION PROCESS | FUNCTIONS/PORTS/PROTOCOLS/SERVICES IN USE  . x x
SA-4 (10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS  x x x
SA-5 Information System Documentation  x x x
SA-8 Security Engineering Principles  . x x
SA-9 External Information System Services  x x x
SA-9 (2) EXTERNAL INFORMATION SYSTEMS | IDENTIFICATION OF FUNCTIONS/PORTS/PROTOCOLS/SERVICES  . x x
SA-10 Developer Configuration Management  . x x
SA-11 Developer Security Testing and Evaluation  . x x
SA-12 Supply Chain Protection  . . x
SA-15 Development Process, Standards and Tools  . . x
SA-16 Developer-Provided Training  . . x
SA-17 Developer Security Architecture and Design  . . x
SYSTEM AND COMMUNICATIONS PROTECTION – SC
SC-1 System and Communications Protection Policy and Procedures  x x x
SC-2 Application Partitioning  . x x
SC-3 Security Function Isolation  . . x
SC-4 Information in Shared Resources  . x x
SC-5 Denial of Service Protection  x x x
SC-7 Boundary Protection  x x x
SC-7 (3) BOUNDARY PROTECTION | ACCESS POINTS  . x x
SC-7 (4) BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES  . x x
SC-7 (5) BOUNDARY PROTECTION | DENY BY DEFAULT/ALLOW BY EXCEPTION  . x x
SC-7 (7) BOUNDARY PROTECTION | PREVENT SPLIT TUNNELING FOR REMOTE DEVICES  . x x
SC-7 (8) BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS  . . x
SC-7 (18) BOUNDARY PROTECTION | FAIL SECURE  . + x
SC-7 (21) BOUNDARY PROTECTION | ISOLATION OF INFORMATION SYSTEM COMPONENTS  . . x
SC-8 Transmission Confidentiality and Integrity  . x x
SC-8 (1) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION  . x x
SC-10 Network Disconnect  . x x
SC-12 Cryptographic Key Establishment and Management  x x x
SC-12 (1) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | AVAILABILITY  . . x
SC-13 Cryptographic Protection  x x x
SC-15 Collaborative Computing Devices  x x x
SC-17 Public Key Infrastructure Certificates  . x x
SC-18 Mobile Code  . x x
SC-19 Voice Over Internet Protocol  . x x
SC-20 Secure Name/Address Resolution Service (Authoritative Source)  x x x
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)  x x x
SC-22 Architecture and Provisioning for Name/Address Resolution Service  x x x
SC-23 Session Authenticity  . x x
SC-24 Fail in Known State  . + x
SC-28 Protection of Information at Rest  . x x
SC-39 Process Isolation  x x x
SC-41 Port and I/O Device Access  + + +
SYSTEM AND INFORMATION INTEGRITY – SI
SI-1 System and Information Integrity Policy and Procedures  x x x
SI-2 Flaw Remediation  x x x
SI-2 (1) FLAW REMEDIATION | CENTRAL MANAGEMENT  . . x
SI-2 (2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS  . x x
SI-3 Malicious Code Protection  x x x
SI-3 (1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT  . x x
SI-3 (2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES  . x x
SI-4 Information System Monitoring  x x x
SI-4 (2) INFORMATION SYSTEM MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS  . x x
SI-4 (4) INFORMATION SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC  . x x
SI-4 (5) INFORMATION SYSTEM MONITORING | SYSTEM-GENERATED ALERTS  . x x
SI-5 Security Alerts, Advisories and Directives  x x x
SI-5 (1) SECURITY ALERTS, ADVISORIES AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES  . . x
SI-6 Security Function Verification  . . x
SI-7 Software, Firmware and Information Integrity  . x x
SI-7 (1) SOFTWARE, FIRMWARE AND INFORMATION INTEGRITY | INTEGRITY CHECKS  . x x
SI-7 (2) SOFTWARE, FIRMWARE AND INFORMATION INTEGRITY | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS  . . x
SI-7 (5) SOFTWARE, FIRMWARE AND INFORMATION INTEGRITY | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS  . . x
SI-7 (7) SOFTWARE, FIRMWARE AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND RESPONSE  . x x
SI-7 (14) SOFTWARE, FIRMWARE AND INFORMATION INTEGRITY | BINARY OR MACHINE EXECUTABLE CODE  . . x
SI-8 Spam Protection  . x x
SI-8 (1) SPAM PROTECTION | CENTRAL MANAGEMENT OF PROTECTION MECHANISMS  . x x
SI-8 (2) SPAM PROTECTION | AUTOMATIC UPDATES  . x x
SI-10 Information Input Validation  . x x
SI-11 Error Handling  . x x
SI-12 Information Handling and Retention  x x x
SI-13 Predictable Failure Prevention  . . +
SI-16 Memory Protection  . x x
SI-17 Fail-Safe Procedures  + + +
ORGANIZATION-WIDE INFORMATION SECURITY PROGRAM MANAGEMENT CONTROLS – PM
PM-1 Information Security Program Plan Policy and Procedures
PM-2 Senior Information Security Officer
PM-3 Information Security Resources
PM-4 Plan of Action and Milestones Process
PM-5 Information System Inventory
PM-6 Information Security Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Security Authorization Process
PM-11 Mission/Business Process Definition
PM-12 Insider Threat Program
PM-13 Information Security Workforce
PM-14 Testing, Training and Monitoring
PM-15 Contacts with Security Groups and Associations
PM-16 Threat Awareness Program