Important - Nist 800-53 Checklist

The document provides a comprehensive overview of the NIST 800-53 control management framework, detailing the security control management lifecycle, categories of security services, and the importance of governance and compliance. It includes a checklist for implementing various access control measures and emphasizes the relevance of NIST 800-35 for government agencies, IT professionals, private sector companies, and compliance teams. The structured approach outlined is essential for organizations managing sensitive data and outsourcing security functions.


Key Aspects of NIST 800-53 Control Management, With Complete Checklist
With Detailed Risk Assessment Template

Mohammad Alkhudari
www.linkedin.com/in/alkhudary

Feb-2025

1|Page
1. Security Control Management Framework

The document outlines a systematic approach to managing security controls across an organization’s IT environment. It emphasizes the importance of:

• Identifying security needs and objectives.

• Establishing security policies and procedures.

• Implementing, monitoring, and improving security measures.

2. Security Services Lifecycle

NIST 800-35 categorizes security service management into six phases:

1. Initiation Phase – Identifying security needs, defining service requirements, and developing an acquisition strategy.

2. Assessment Phase – Evaluating potential security service providers based on expertise, experience, and compliance with security standards.

3. Selection Phase – Choosing the right service provider through a structured decision-making process.

4. Implementation Phase – Deploying security controls, integrating them with existing infrastructure, and ensuring alignment with organizational policies.

5. Operations & Monitoring Phase – Continuously monitoring security services, ensuring compliance with SLAs, and addressing emerging threats.

6. Closeout & Transition Phase – Properly concluding security service contracts, transferring knowledge, and ensuring continuity of security controls.

3. Categories of Security Services

NIST 800-35 defines various IT security services, which include but are not limited to:

• Risk Management Services – Identifying and mitigating cybersecurity risks.

• Incident Response Services – Preparing for, detecting, and responding to security incidents.

• Vulnerability Assessment & Penetration Testing – Evaluating system weaknesses.

• Security Architecture Design & Implementation – Developing robust security infrastructures.

• Security Training & Awareness – Educating employees and stakeholders about security risks and best practices.

• Compliance & Regulatory Support – Ensuring adherence to legal and industry-specific security requirements.

4. Control Implementation & Effectiveness

Security controls should be:

• Aligned with Business Objectives – Ensuring security strategies support the organization's mission.

• Risk-Based – Prioritizing controls based on potential risks.

• Auditable and Measurable – Implementing metrics to track security performance.

• Continuously Improved – Adapting controls to evolving threats and technologies.

5. Governance & Compliance Considerations

NIST 800-35 highlights the importance of:

• Aligning security controls with federal regulations (e.g., FISMA, HIPAA).

• Regular audits and assessments to measure security effectiveness.

• Establishing accountability through well-defined roles and responsibilities.

Who Should Be Interested in NIST 800-35?

NIST 800-35 is relevant for a wide range of stakeholders in cybersecurity, IT management, and compliance. The following groups should be particularly interested in this standard:

1. Government Agencies & Public Sector Organizations

• Federal, state, and local government agencies that must comply with FISMA (Federal Information Security Management Act).

• Organizations handling sensitive government data and requiring strict IT security management.

2. IT & Cybersecurity Professionals

• CISOs (Chief Information Security Officers): Overseeing security strategy and aligning it with business goals.

• SOC Analysts & Incident Responders: Implementing security monitoring, response, and mitigation strategies.

• Penetration Testers & Ethical Hackers: Evaluating vulnerabilities in IT systems and networks.

• Security Architects & Engineers: Designing and deploying robust security infrastructure.

3. Private Sector Companies Handling Sensitive Data

• Financial Institutions (Banks, FinTech, Insurance): To secure transactions and customer data, and to comply with regulations.

• Healthcare Providers & Medical Organizations: To align with HIPAA and protect patient records.

• Critical Infrastructure Providers: Including energy, utilities, and telecom sectors that must maintain operational security.

• Technology & Cloud Service Providers: To ensure compliance with industry security best practices and regulations.

4. Organizations Outsourcing Security Services

• Companies considering third-party security providers must ensure they align with best practices.

• Managed Security Service Providers (MSSPs) looking to improve service offerings.

• Organizations outsourcing risk management, SOC services, penetration testing, or incident response.

5. Compliance & Risk Management Teams

• GRC (Governance, Risk & Compliance) Experts: Ensuring compliance with NIST, ISO 27001, and other frameworks.

• Legal & Audit Teams: Managing regulatory requirements and conducting audits of security service providers.

• Consultants & Advisory Firms: Providing guidance on selecting, implementing, and improving security services.

6. Academia & Research Institutions

• Universities and research centers working on cybersecurity best practices.

• Researchers studying security management frameworks.

7. Executives & Business Leaders

• CEOs & COOs: Understanding the importance of investing in security services.

• CTOs & CIOs: Aligning IT security with business strategy and innovation.

• Board Members & Investors: Managing cybersecurity risks as part of corporate governance.

Why It Matters

NIST 800-35 provides a structured approach to managing security services, making it essential for any organization handling sensitive data, outsourcing security functions, or looking to strengthen its cybersecurity posture.

AC - Access Control
Baseline - Low

AC-1 Policy and Procedures | Implemented? | Comments
Define who is responsible for the access control policy | No |
Establish a scope for the policy and procedures | No |
Define policy and procedures statements that adhere to requirements from law and the organization | No |

AC-2 Account Management | Implemented? | Comments
Define and document the types of accounts allowed and specifically prohibited for use within the system | No |
Assign account managers who manage accounts and roles | No |
Require organization-defined prerequisites and criteria for group and role membership | No |
Specify authorized users of the system, group and role membership, and access authorizations (i.e., privileges) and organization-defined attributes (as required) for each account | No |
Require approvals by organization-defined personnel or roles for requests to create accounts | No |
Create, enable, modify, disable, and remove accounts in accordance with organization-defined policy, procedures, prerequisites, and criteria | No |
Set up monitoring processes and tools for the use of accounts | No |
Notify account managers and organization-defined personnel or roles within an organization-defined time period when accounts are no longer required, when users are terminated or transferred, and when system usage or need-to-know changes for an individual | No |
Authorize access to the system based on a valid access authorization, intended system usage, and organization-defined attributes (as required) | No |
Review accounts for compliance with account management requirements at an organization-defined frequency | No |
Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group | No |
Align account management processes with personnel termination and transfer processes | No |

AC-3 Access Enforcement | Implemented? | Comments
Establish access control policies that define the rules and regulations for access to information and system resources. | No |
Identify and document the roles and responsibilities of users who require access to information and system resources. | No |
Assign appropriate access rights and privileges to users based on their roles and responsibilities. | No |
Set up monitoring processes and tools for user access to information and system resources to ensure compliance with access control policies. | No |
Implement authentication mechanisms to verify user identity and authorization. | No |
Implement access control mechanisms to restrict access to authorized users. | No |
Implement logging and auditing mechanisms to track user access to information and system resources. | No |
Implement security measures to protect against unauthorized access. | No |
Periodically review user access rights and privileges to ensure they are up to date. | No |
Regularly review access control policies and update them as needed. | No |

AC-7 Unsuccessful Logon Attempts | Implemented? | Comments
Establish an organization-defined number of consecutive invalid logon attempts. | No |
Establish an organization-defined time period for the limit of consecutive invalid logon attempts. | No |
Select one or more of the following actions when the maximum number of unsuccessful attempts is exceeded: lock the account or node for an organization-defined time period; lock the account or node until released by an administrator; delay the next logon prompt per an organization-defined delay algorithm; notify the system administrator; take other organization-defined action. | No |
Implement the selected action when the maximum number of unsuccessful attempts is exceeded. | No |
Set up monitoring processes and tools for the system for any unauthorized access attempts. | No |
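One way to implement the AC-7 rows above (an organization-defined attempt limit counted inside an organization-defined window, and one of the listed actions when it is exceeded), as an added example that is not part of the checklist or of NIST's text; the policy values, account names and the in-memory store are constructed assumptions standing in for the organization-defined values and a real directory:

```python
"""AC-7 lockout tracker (added example): counts consecutive invalid logon
attempts per account inside an organization-defined window and applies the
selected action once the limit is exceeded. Policy values here are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_attempts: int = 5                           # organization-defined limit
    window: timedelta = timedelta(minutes=15)       # period in which failures count as consecutive
    action: str = "lock_for_period"                 # or "lock_until_admin_release" / "delay"
    lock_duration: timedelta = timedelta(minutes=30)
    base_delay: timedelta = timedelta(seconds=2)    # doubled for each failure past the limit


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None         # time-based lock
    admin_locked: bool = False                      # lock until an administrator releases it
    next_allowed: Optional[datetime] = None         # hold imposed by the delay algorithm


class LogonGuard:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.notifications: List[str] = []          # stands in for "notify the system administrator"

    def _state(self, account: str) -> AccountState:
        return self.accounts.setdefault(account, AccountState())

    def is_locked(self, account: str, now: datetime) -> bool:
        st = self._state(account)
        if st.admin_locked:
            return True
        if st.locked_until is not None and now < st.locked_until:
            return True
        return st.next_allowed is not None and now < st.next_allowed

    def record_failure(self, account: str, now: datetime) -> str:
        """Record one invalid attempt; returns "counted" or "locked"."""
        st = self._state(account)
        if self.is_locked(account, now):
            return "locked"
        # Only failures inside the window are consecutive; older ones age out.
        cutoff = now - self.policy.window
        st.failures = [t for t in st.failures if t > cutoff]
        st.failures.append(now)
        if len(st.failures) < self.policy.max_attempts:
            return "counted"
        # Limit reached: apply the action the organization selected.
        if self.policy.action == "lock_for_period":
            st.locked_until = now + self.policy.lock_duration
        elif self.policy.action == "lock_until_admin_release":
            st.admin_locked = True
        elif self.policy.action == "delay":
            extra = len(st.failures) - self.policy.max_attempts
            st.next_allowed = now + self.policy.base_delay * (2 ** extra)
        else:
            raise ValueError(f"unknown action {self.policy.action!r}")
        self.notifications.append(
            f"{now.isoformat()} {account}: {len(st.failures)} invalid attempts, "
            f"action={self.policy.action}")
        return "locked"

    def record_success(self, account: str, now: datetime) -> bool:
        """A correct credential is accepted only while the account is not locked;
        acceptance resets the consecutive-failure counter."""
        if self.is_locked(account, now):
            return False
        self._state(account).failures.clear()
        return True

    def admin_release(self, account: str) -> None:
        """Administrator release: clears every lock state and the counter."""
        self.accounts[account] = AccountState()
```

Because a failure that arrives while the account is locked is rejected without being counted, a lock cannot be extended indefinitely by continued attempts; the notifications list is where a real deployment would hand off to the monitoring row that follows.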

AC-8 System Use Notification | Implemented? | Comments
Develop an organization-defined system use notification message or banner | No |
Ensure the notification message or banner remains on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system. | No |
For publicly accessible systems, develop organization-defined conditions for displaying system use information before granting further access to the publicly accessible system. | No |
Include references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities. | No |
Include a description of the authorized uses of the system. | No |

AC-14 Permitted Actions Without Identification or Authentication | Implemented? | Comments
Analyze organizational mission and business functions to determine user actions that can be performed without identification or authentication. | No |
Create a list of user actions that do not require identification or authentication. | No |
Document the list of user actions and the rationale for not requiring identification or authentication in the security plan for the system. | No |

AC-17 Remote Access | Implemented? | Comments
Identify the types of remote access allowed. | No |
Establish usage restrictions for each type of remote access. | No |
Document configuration/connection requirements for each type of remote access. | No |
Develop implementation guidance for each type of remote access. | No |
Authorize each type of remote access to the system. | No |
Test the remote access to ensure it meets the established requirements. | No |
Set up monitoring processes and tools for remote access activity to ensure compliance with usage restrictions. | No |

AC-18 Wireless Access | Implemented? | Comments
Analyze the system requirements for wireless access. | No |
Identify the types of wireless access that will be allowed. | No |
Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access. | No |
Develop a security policy to authorize each type of wireless access to the system. | No |
Test the wireless access to ensure that it meets the security requirements. | No |
Set up monitoring processes and tools for wireless access, and audit it to ensure compliance with the security policy. | No |
Update the security policy as needed to reflect any changes in the wireless access. | No |

AC-19 Access Control for Mobile Devices | Implemented? | Comments
Identify the configuration requirements for organization-controlled mobile devices. | No |
Determine the connection requirements for mobile devices. | No |
Develop implementation guidance for mobile devices. | No |
Establish a policy for when mobile devices are outside of controlled areas. | No |
Create a procedure to authorize the connection of mobile devices to organizational systems. | No |
Test the configuration requirements and connection requirements for mobile devices. | No |
Train personnel on the implementation guidance for mobile devices. | No |
Set up monitoring processes and tools for the connection of mobile devices to organizational systems. | No |

AC-20 Use of External Systems | Implemented? | Comments
Establish organization-defined terms and conditions for accessing and using external systems. | No |
Identify organization-defined controls to be implemented on external systems. | No |
Prohibit the use of organizationally-defined types of external systems. | No |

AC-22 Publicly Accessible Content | Implemented? | Comments
Identify the individuals authorized to make information publicly accessible. | No |
Provide training to authorized individuals on how to ensure that publicly accessible information does not contain nonpublic information. | No |
Establish a review process for proposed content prior to posting onto the publicly accessible system. | No |
Establish a review frequency for the content on the publicly accessible system for nonpublic information. | No |
Develop a process for removing nonpublic information, if discovered. | No |

Baseline - Moderate

AC-2(1) Account Management | Automated System Account Management | Implemented? | Comments
Identify the organization-defined automated mechanisms for managing system accounts. | No |
Develop a policy outlining the requirements for managing system accounts using the identified automated mechanisms. | No |
Configure the system to use the identified automated mechanisms for managing system accounts. | No |
Test the system to ensure the automated mechanisms for managing system accounts are functioning properly. | No |
Train personnel on the use of the automated mechanisms for managing system accounts. | No |
Set up monitoring processes and tools for the system to ensure the automated mechanisms for managing system accounts are functioning properly. | No |
Update the policy as needed to ensure the automated mechanisms for managing system accounts remain effective. | No |

AC-2(2) Account Management | Automated Temporary and Emergency Account Management | Implemented? | Comments
Identify the types of temporary and emergency accounts in the organization. | No |
Establish an organization-defined time period for each type of account. | No |
Develop a process to monitor the temporary and emergency accounts. | No |
Create a script to automate the process of disabling the temporary and emergency accounts after the organization-defined time period. | No |
Test the script to ensure it is functioning correctly. | No |
Deploy the script to the production environment. | No |
Set up monitoring processes and tools for the process to ensure the accounts are being disabled in a timely manner. | No |

AC-2(3) Account Management | Disable Accounts | Implemented? | Comments
Identify accounts that have expired. | No |
Identify accounts that are no longer associated with a user or individual. | No |
Identify accounts that are in violation of organizational policy. | No |
Identify accounts that have been inactive for the organization-defined time period. | No |
Disable the identified accounts. | No |
Set up monitoring processes and tools for accounts for expiration, association, policy violations, and inactivity within the organization-defined time period. | No |
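The disabling sweep that the AC-2(2) script row and the AC-2(3) rows above describe, as one added example serving both enhancements; it is not the checklist's own script nor NIST's. The account inventory, the per-type lifetimes and the inactivity limit are constructed assumptions standing in for the directory and the organization-defined periods:

```python
"""Account sweep for AC-2(2) and AC-2(3) (added example): flags temporary and
emergency accounts past their organization-defined lifetime, and accounts that
are expired, orphaned, or inactive, then disables them with an audit line each.
The inventory and every period below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    name: str
    kind: str                        # "regular", "temporary" or "emergency"
    created: datetime
    last_logon: Optional[datetime]   # None = never used
    expires: Optional[datetime]      # explicit expiry date, if one was set
    owner: Optional[str]             # None = no longer associated with an individual
    enabled: bool = True


# Organization-defined periods; these values are assumed for the demo.
LIFETIME: Dict[str, timedelta] = {"temporary": timedelta(days=7), "emergency": timedelta(hours=24)}
INACTIVITY_LIMIT = timedelta(days=90)


def disable_reason(acct: Account, now: datetime) -> Optional[str]:
    """Return why the account must be disabled, or None if it may stay enabled."""
    if not acct.enabled:
        return None                  # already disabled; nothing to do
    if acct.kind in LIFETIME and now - acct.created > LIFETIME[acct.kind]:
        return f"{acct.kind} account past its lifetime"
    if acct.expires is not None and now >= acct.expires:
        return "expired"
    if acct.owner is None:
        return "not associated with an individual"
    last_seen = acct.last_logon or acct.created   # never-used accounts age from creation
    if now - last_seen > INACTIVITY_LIMIT:
        return f"inactive for more than {INACTIVITY_LIMIT.days} days"
    return None


def sweep(accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
    """Identify accounts to disable; returns (name, reason) pairs in inventory order."""
    actions = []
    for acct in accounts:
        reason = disable_reason(acct, now)
        if reason:
            actions.append((acct.name, reason))
    return actions


def disable_accounts(accounts: List[Account], now: datetime, audit_log: List[str]) -> List[str]:
    """Apply the sweep: disable each flagged account and append one audit line per
    action. A real deployment would call the directory's disable operation here
    instead of flipping the in-memory flag."""
    by_name = {a.name: a for a in accounts}
    for name, reason in sweep(accounts, now):
        by_name[name].enabled = False
        audit_log.append(f"{now.isoformat()} DISABLE {name} reason={reason!r}")
    return audit_log


def sample_inventory(now: datetime) -> List[Account]:
    """Constructed inventory exercising each rule in disable_reason."""
    d = timedelta
    return [
        Account("svc-fw-emerg", "emergency", now - d(days=2), now - d(days=2), None, "oncall"),
        Account("contractor-tmp", "temporary", now - d(days=3), now - d(days=1), None, "j.roe"),
        Account("jdoe", "regular", now - d(days=400), now - d(days=10), None, None),
        Account("asmith", "regular", now - d(days=300), now - d(days=2), now - d(days=1), "a.smith"),
        Account("bob", "regular", now - d(days=200), now - d(days=120), None, "b.lee"),
        Account("carol", "regular", now - d(days=200), now - d(days=5), None, "c.wu"),
        Account("legacy-app", "regular", now - d(days=900), None, None, "it-ops", enabled=False),
    ]


if __name__ == "__main__":
    NOW = datetime(2025, 2, 15, 8, 0)
    for line in disable_accounts(sample_inventory(NOW), NOW, []):
        print(line)
```

Running the sweep a second time on the same inventory returns nothing, which is the property the "ensure the accounts are being disabled in a timely manner" row can be checked against.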

AC-2(4) Account Management | Automated Audit Actions | Implemented? | Comments
Create a system to log account creation, modification, enabling, disabling, and removal actions. | No |
Set up a process to regularly review the logs. | No |
Establish a procedure to investigate any suspicious activity. | No |
Develop a system to alert administrators of any unauthorized activity. | No |
Implement a system to automatically audit account creation, modification, enabling, disabling, and removal actions. | No |
Create a policy to regularly review the audit logs. | No |
Establish a process to investigate any suspicious activity. | No |
Develop a system to alert administrators of any unauthorized activity. | No |

AC-2(5) Account Management | Inactivity Logout | Implemented? | Comments
Establish an organization-defined time period of expected inactivity or description of when to log out. | No |
Create a policy requiring users to log out after the specified period of inactivity or when the description of when to log out is met. | No |
Communicate the policy to all users. | No |
Set up monitoring processes and tools for user activity to ensure compliance with the policy. | No |
Take appropriate action when users fail to log out when required. | No |

AC-2(13) Account Management | Disable Accounts for High-risk Individuals | Implemented? | Comments
Identify individuals whose accounts need to be disabled. | No |
Establish an organization-defined time period for disabling accounts. | No |
Set up monitoring processes and tools for significant risks that may require disabling accounts. | No |
Notify the individuals whose accounts need to be disabled. | No |
Disable the accounts within the organization-defined time period. | No |
Set up monitoring processes and tools for the accounts to ensure they remain disabled. | No |

AC-4 Information Flow Enforcement | Implemented? | Comments
Identify the organization-defined information flow control policies. | No |
Develop a system for enforcing approved authorizations for controlling the flow of information within the system and between connected systems. | No |
Establish a process for regularly reviewing and updating the information flow control policies. | No |
Investigate and address any unauthorized information flows. | No |
Document the process and results of enforcing the approved authorizations. | No |

AC-5 Separation of Duties | Implemented? | Comments
Gather information about the organization-defined duties of individuals requiring separation. | No |
Document the duties of individuals requiring separation. | No |
Identify the system access authorizations needed to support the separation of duties. | No |
Define the system access authorizations. | No |
Test the system access authorizations to ensure they are working as intended. | No |
Set up monitoring processes and tools for the system access authorizations to ensure they are being used correctly. | No |

AC-6 Least Privilege | Implemented? | Comments
Identify all users and processes that require access to organizational resources. | No |
Assign each user and process a unique identifier and authentication credentials. | No |
Establish access control procedures for granting, modifying, and revoking access privileges. | No |
Create user groups and assign access privileges to each group. | No |
Configure system settings to enforce least privilege access requirements. | No |
Set up monitoring processes and tools for user access activities and audit logs to detect unauthorized access attempts. | No |
Update access control policies and procedures as needed. | No |
Educate users on the importance of least privilege access and security best practices. | No |

AC-6(1) Least Privilege | Authorize Access to Security Functions | Implemented? | Comments
Identify the organization-defined individuals or roles who require access. | No |
Identify the organization-defined security functions that need to be deployed in hardware, software, and firmware. | No |
Identify the organization-defined security-relevant information that needs to be accessed. | No |
Develop a policy to authorize access for the identified individuals or roles to the security functions and security-relevant information. | No |
Implement the policy by setting up the necessary access controls. | No |
Set up monitoring processes and tools for access to the security functions and security-relevant information to ensure compliance with the policy. | No |

AC-6(2) Least Privilege | Non-privileged Access for Nonsecurity Functions | Implemented? | Comments
Identify organization-defined security functions or security-relevant information. | No |
Create system accounts or roles with access to the identified security functions or security-relevant information. | No |
Create non-privileged accounts or roles for users to access nonsecurity functions. | No |
Require users to use the non-privileged accounts or roles when accessing nonsecurity functions. | No |
Set up monitoring processes and tools for user access to ensure compliance with the requirement. | No |

AC-6(5) Least Privilege | Privileged Accounts | Implemented? | Comments
Identify the personnel or roles that should have privileged access to the system. | No |
Create user accounts for each personnel or role that needs privileged access. | No |
Assign appropriate privileges to each user account. | No |
Set up monitoring processes and tools for user activities to ensure that each user is only accessing the system with their assigned privileges. | No |
Periodically review the list of personnel or roles with privileged access to the system and update as needed. | No |
Establish a process for revoking access when personnel or roles no longer need privileged access. | No |

AC-6(7) Least Privilege | Review of User Privileges | Implemented? | Comments
Identify the roles or classes of users that need to be reviewed. | No |
Determine the frequency of the review. | No |
Analyze the privileges assigned to each role or class of user. | No |
Evaluate the need for such privileges. | No |
Reassign or remove privileges, if necessary. | No |
Document the changes made. | No |

AC-6(9) Least Privilege | Log Use of Privileged Functions | Implemented? | Comments
Identify the privileged functions that need to be logged. | No |
Establish a logging system that can capture the required information. | No |
Configure the logging system to capture the required information. | No |
Implement the logging system in the privileged functions. | No |
Set up monitoring processes and tools for the logging system to ensure that the privileged functions are being logged correctly. | No |
Create a process to review the logs and identify any suspicious activity. | No |
Implement a system to alert administrators of any suspicious activity. | No |

AC-6(10) Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions | Implemented? | Comments
Identify the privileged functions that need to be restricted. | No |
Create a list of users who should be granted access to the privileged functions. | No |
Assign appropriate roles and permissions to the privileged functions. | No |
Implement access control measures to restrict access to the privileged functions. | No |
Set up monitoring processes and tools for user activity to detect any unauthorized access attempts. | No |
Implement logging and auditing mechanisms to track user activity. | No |
Regularly review access control policies and update them as needed. | No |
Educate users on the importance of following security protocols. | No |

AC-11 Device Lock | Implemented? | Comments
Establish a time period for device lock after inactivity. | No |
Require the user to initiate a device lock before leaving the system unattended. | No |
Implement a device lock after the specified time period of inactivity. | No |
Retain the device lock until the user reestablishes access using established identification and authentication procedures. | No |

AC-11(1) Device Lock | Pattern-hiding Displays | Implemented? | Comments
Set up a device lock with a password or PIN. | No |
Select a publicly viewable image to display on the device lock. | No |
Configure the device lock to display the selected image when activated. | No |
Activate the device lock to conceal the information previously visible on the display. | No |

AC-12 Session Termination | Implemented? | Comments
Set up an organization-defined trigger event or condition that requires session disconnect. | No |
Create a script to detect when the trigger event or condition is met. | No |
Automatically terminate the user session when the trigger event or condition is detected. | No |
Deploy the script across the organization's systems. | No |
Set up monitoring processes and tools for the script to ensure it is working properly. | No |
Test the script to ensure it is functioning as expected. | No |

AC-17(1) Remote Access | Monitoring and Control | Implemented? | Comments
Identify the remote access methods to be monitored and controlled. | No |
Establish a system for logging and tracking remote access activities. | No |
Implement automated mechanisms to detect and alert on suspicious activity. | No |
Establish rules and procedures for granting and revoking remote access privileges. | No |
Implement automated mechanisms to enforce access control policies. | No |
Implement automated mechanisms to detect and respond to unauthorized access attempts. | No |
Establish a system for regularly reviewing and updating access control policies. | No |
Establish a system for regularly auditing and reporting on remote access activities. | No |

AC-17(2) Remote Access | Protection of Confidentiality and Integrity Using Encryption | Implemented? | Comments
Identify and evaluate cryptographic mechanisms for remote access sessions. | No |
Select an appropriate cryptographic mechanism for remote access sessions. | No |
Implement the cryptographic mechanism for remote access sessions. | No |
Test the cryptographic mechanism for remote access sessions. | No |
Set up monitoring processes and tools for the cryptographic mechanism for remote access sessions. | No |
Update the cryptographic mechanism for remote access sessions as needed. | No |

AC-17(3) Remote Access | Managed Access Control Points | Implemented? | Comments
Define the network access control points. | No |
Establish authentication and authorization protocols for remote access. | No |
Configure the network access control points to enforce the authentication and authorization protocols. | No |
Set up monitoring processes and tools for remote access attempts and log any unauthorized attempts. | No |
Implement a system for alerting administrators of unauthorized access attempts. | No |
Develop a policy for responding to unauthorized access attempts. | No |
Train users on the remote access protocols and policies. | No |
Periodically review and update the authentication and authorization protocols as needed. | No |

AC-17(4) Remote Access | Privileged Commands and Access | Implemented? | Comments
Identify the organization-defined needs for remote access. | No |
Establish a secure remote access protocol to authorize the execution of privileged commands and access to security-relevant information. | No |
Document the rationale for remote access in the security plan for the system. | No |
Implement the secure remote access protocol. | No |
Set up monitoring processes and tools for the remote access activity and ensure that it is compliant with the security plan. | No |
Regularly review the security plan and update it as needed. | No |

AC-18(1) Wireless Access | Authentication and Encryption | Implemented? | Comments
Configure authentication for users and/or devices. | No |
Enable encryption on the wireless network. | No |
Test the authentication and encryption settings. | No |
Set up monitoring processes and tools for the wireless network for unauthorized access. | No |

AC-18(3) Wireless Access | Disable Wireless Networking | Implemented? | Comments
Identify all system components that have embedded wireless networking capabilities. | No |
Determine if the wireless networking capabilities are intended for use. | No |
If not intended for use, disable the wireless networking capabilities. | No |
Issue and deploy the system components with disabled wireless networking capabilities. | No |

AC-19(5) Access Control for Mobile Devices | Full Device or Container-based Encryption | Implemented? | Comments
Identify the type of encryption to be used (full-device encryption or container-based encryption). | No |
Determine which mobile devices need to be encrypted. | No |
Research and select an encryption solution that meets the organization’s needs. | No |
Deploy the encryption solution to the mobile devices. | No |
Test the encryption solution to ensure it is working properly. | No |
Set up monitoring processes and tools for the encryption solution to ensure it is providing the desired level of protection. | No |

AC-20(1) Use of External Systems | Limits on Authorized Use | Implemented? | Comments
Identify authorized individuals who will use the external system. | No |
Establish security and privacy policies and plans. | No |
Verify the implementation of controls on the external system. | No |
Retain approved system connection or processing agreements with the organizational entity hosting the external system. | No |
Set up monitoring processes and tools for the external system for any changes or updates. | No |
Ensure that all users are aware of the security and privacy policies and plans. | No |
Ensure that all users comply with the security and privacy policies and plans. | No |
Regularly review and update the security and privacy policies and plans. | No |

AC-20(2) Use of External Systems | Portable Storage Devices — Restricted Use | Implemented? | Comments
Define the organization-defined restrictions for the use of organization-controlled portable storage devices. | No |
Establish a process for authorizing individuals to use organization-controlled portable storage devices. | No |
Develop a policy that outlines the acceptable use of organization-controlled portable storage devices. | No |
Implement a technical solution to enforce the organization-defined restrictions on external systems. | No |
Set up monitoring processes and tools for, and audit, the use of organization-controlled portable storage devices to ensure compliance with the organization-defined restrictions. | No |
Provide training and awareness to users on the acceptable use of organization-controlled portable storage devices. | No |

AC-21 Information Sharing | Implemented? | Comments
Identify the organization-defined information sharing circumstances where user discretion is required. | No |
Assign access authorizations to a sharing partner that match the information’s access and use restrictions. | No |
Establish organization-defined automated mechanisms or manual processes to assist users in making information sharing and collaboration decisions. | No |
Train authorized users on how to use the automated mechanisms or manual processes. | No |
Set up monitoring processes and tools for, and review, the access authorizations assigned to a sharing partner to ensure they match the information’s access and use restrictions. | No |

Baseline - High

AC-2(11) Account Management | Usage Conditions
Step | Implemented? | Comments
Identify the organization-defined circumstances and/or usage conditions that need to be enforced. | No |
Establish a policy that outlines the circumstances and/or usage conditions that need to be enforced. | No |
Identify the organization-defined system accounts that need to be monitored. | No |
Establish a process to monitor the system accounts and ensure that the circumstances and/or usage conditions are being enforced. | No |
Implement the policy and process. | No |
Set up monitoring processes and tools for the system accounts to ensure that the circumstances and/or usage conditions are being enforced. | No |
Take corrective action if necessary. | No |

AC-2(12) Account Management | Account Monitoring for Atypical Usage
Step | Implemented? | Comments
Define the atypical usage of system accounts. | No |
Establish a process to monitor system accounts for atypical usage. | No |
Develop a report to document atypical usage of system accounts. | No |
Identify the personnel or roles to receive the reports. | No |
Implement the process to monitor system accounts for atypical usage. | No |
Generate and send the reports to the designated personnel or roles. | No |
Set up monitoring processes and tools to monitor the reports for any atypical usage of system accounts. | No |
Take appropriate action based on the reports. | No |
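
The steps above leave "atypical usage" to the organization to define. The following is an added example (not part of this checklist, and not a NIST-supplied definition) that makes one concrete, defensible definition operational: a login is atypical if it falls outside the hours an account was seen active during a baseline period, or comes from a source network never seen in that baseline. The baseline and review events are constructed sample data; the slack of one hour around the observed window is an assumption.

```python
"""Added example: flag atypical account usage against a per-account baseline.

Assumed definition of "atypical" (organization-defined in AC-2(12)):
  * a login outside the account's usual hour window (plus slack), or
  * a login from a source network not present in the account's baseline.
All events below are constructed for the example.
"""
from datetime import datetime, timezone

# Constructed baseline period: (account, ISO-8601 UTC timestamp, source network)
BASELINE_EVENTS = [
    ("alice", "2025-01-06T09:12:00Z", "10.1.20.0/24"),
    ("alice", "2025-01-07T08:55:00Z", "10.1.20.0/24"),
    ("alice", "2025-01-08T17:40:00Z", "10.1.20.0/24"),
    ("svc_backup", "2025-01-06T02:00:00Z", "10.1.50.0/24"),
    ("svc_backup", "2025-01-07T02:00:00Z", "10.1.50.0/24"),
]

# Constructed review period
REVIEW_EVENTS = [
    ("alice", "2025-02-03T10:05:00Z", "10.1.20.0/24"),    # within baseline
    ("alice", "2025-02-03T03:17:00Z", "10.1.20.0/24"),    # off-hours
    ("alice", "2025-02-04T11:30:00Z", "203.0.113.0/24"),  # new source network
    ("svc_backup", "2025-02-03T02:00:00Z", "10.1.50.0/24"),  # within baseline
]


def parse_ts(ts):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' form as a UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events):
    """Per account: the set of hours seen active and the set of source networks."""
    profile = {}
    for account, ts, net in events:
        p = profile.setdefault(account, {"hours": set(), "nets": set()})
        p["hours"].add(parse_ts(ts).hour)
        p["nets"].add(net)
    return profile


def find_atypical(baseline, events, slack_hours=1):
    """Return one finding per event that violates the account's baseline."""
    findings = []
    for account, ts, net in events:
        p = baseline.get(account)
        reasons = []
        if p is None:
            reasons.append("no baseline for account")
        else:
            hour = parse_ts(ts).hour
            lo = max(0, min(p["hours"]) - slack_hours)
            hi = min(23, max(p["hours"]) + slack_hours)
            if not lo <= hour <= hi:
                reasons.append(f"hour {hour:02d} outside usual window {lo:02d}-{hi:02d}")
            if net not in p["nets"]:
                reasons.append(f"unseen source network {net}")
        if reasons:
            findings.append({"account": account, "timestamp": ts,
                             "source": net, "reasons": reasons})
    return findings


def render_report(findings):
    """Lines for the report sent to the designated personnel or roles."""
    return [f"{f['timestamp']} {f['account']} from {f['source']}: " + "; ".join(f["reasons"])
            for f in findings]


if __name__ == "__main__":
    for line in render_report(find_atypical(build_baseline(BASELINE_EVENTS), REVIEW_EVENTS)):
        print(line)
```

The hour window is deliberately coarse (min to max observed hour); a real deployment would baseline per weekday and use a longer observation period, but the structure, baseline then compare then report, is the one the checklist steps describe.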

AC-4(4) Information Flow Enforcement | Flow Control of Encrypted Information
Step | Implemented? | Comments
Identify the organization-defined information flow control mechanisms. | No |
Decide which procedure or method to use for preventing the encrypted information from bypassing the mechanisms. | No |
Implement the chosen procedure or method. | No |
Decrypt the information, if necessary. | No |
Block the flow of the encrypted information, if necessary. | No |
Terminate communications sessions attempting to pass encrypted information, if necessary. | No |
Set up monitoring processes and tools for the system to ensure the procedure or method is effective. | No |

AC-6(3) Least Privilege | Network Access to Privileged Commands
Step | Implemented? | Comments
Identify the privileged commands that require network access. | No |
Determine the compelling operational needs for network access to the privileged commands. | No |
Develop a security plan for the system that includes the rationale for granting network access to the privileged commands. | No |
Implement the security plan for the system and authorize network access to the privileged commands. | No |
Document the rationale for granting network access to the privileged commands in the security plan for the system. | No |

AC-10 Concurrent Session Control
Step | Implemented? | Comments
Identify the accounts and/or account types that need to be limited. | No |
Determine the organization-defined number of concurrent sessions for each account and/or account type. | No |
Develop a system to track and monitor the number of concurrent sessions for each account and/or account type. | No |
Implement a system to limit the number of concurrent sessions for each account and/or account type to the organization-defined number. | No |
Test the system to ensure that it is functioning correctly. | No |
Set up monitoring processes and tools for the system to ensure that the limits are being enforced. | No |
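
The tracking, limiting and monitoring steps above fit in one small component. The block below is an added example, not code from the checklist; the per-account-type limits (privileged 1, standard 3, service 5) and the account names are constructed, as the organization-defined number in AC-10 has no default.

```python
"""Added example: enforce an organization-defined concurrent-session limit (AC-10).
Limits and accounts are constructed values, not NIST-mandated numbers."""
from dataclasses import dataclass, field

# Constructed organization-defined limits per account type
SESSION_LIMITS = {"privileged": 1, "standard": 3, "service": 5}


@dataclass
class SessionTracker:
    """Tracks live sessions per account and refuses new ones past the limit."""
    account_types: dict                                   # account -> account type
    limits: dict = field(default_factory=lambda: dict(SESSION_LIMITS))
    active: dict = field(default_factory=dict)            # account -> {session ids}
    denied: list = field(default_factory=list)            # (account, session id) refusals

    def limit_for(self, account):
        # Accounts with no explicit type are treated as "standard" (assumption).
        return self.limits[self.account_types.get(account, "standard")]

    def open_session(self, account, session_id):
        """Return True if the session may start; False, and record the refusal, otherwise."""
        sessions = self.active.setdefault(account, set())
        if session_id in sessions:
            return True                                   # re-registration is idempotent
        if len(sessions) >= self.limit_for(account):
            self.denied.append((account, session_id))
            return False
        sessions.add(session_id)
        return True

    def close_session(self, account, session_id):
        self.active.get(account, set()).discard(session_id)

    def count(self, account):
        return len(self.active.get(account, set()))

    def over_limit(self):
        """Monitoring view for the last checklist step: accounts above their limit.
        With enforcement in place this list should always be empty."""
        return [a for a, s in self.active.items() if len(s) > self.limit_for(a)]


if __name__ == "__main__":
    tracker = SessionTracker({"root": "privileged", "bob": "standard"})
    print(tracker.open_session("root", "s1"), tracker.open_session("root", "s2"))
    print(tracker.denied, tracker.over_limit())
```

The `denied` list is the evidence stream for the monitoring step: repeated refusals for a privileged account are worth an alert in their own right, since they indicate either credential sharing or an automated login attempt.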

AC-18(4) Wireless Access | Restrict Configurations by Users
Step | Implemented? | Comments
Gather requirements for user access and authorization. | No |
Establish a policy for user access and authorization. | No |
Create a list of users who are allowed to configure wireless networking capabilities. | No |
Assign roles and privileges to each user. | No |
Create a process for user authentication and authorization. | No |
Implement the authentication and authorization process. | No |
Set up monitoring processes and tools for user access and authorization. | No |
Test the authentication and authorization process. | No |
Document the authentication and authorization process. | No |
Train users on the authentication and authorization process. | No |

AC-18(5) Wireless Access | Antennas and Transmission Power Levels
Step | Implemented? | Comments
Research and select appropriate radio antennas. | No |
Calculate the transmission power levels required to reduce the probability of signals being received outside of organization-controlled boundaries. | No |
Install the selected radio antennas. | No |
Configure the transmission power levels to the calculated levels. | No |
Test the transmission power levels to ensure that they are within the desired range. | No |
Set up monitoring processes and tools for the transmission power levels to ensure that they remain within the desired range. | No |
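
The "calculate the transmission power levels" step is a link-budget calculation. As an added example (not part of the checklist), the block below sizes the power against two constraints at once: the signal at the organization-controlled boundary must stay below what a sensitive receiver there can pick up, while the signal at the edge of the intended coverage area must still be usable. It assumes a free-space path loss model plus a single attenuation figure for the building shell; the frequency, distances, receiver sensitivity, antenna gains and safety margin are constructed inputs.

```python
"""Added example: size wireless transmission power against a controlled boundary.

Assumptions (constructed for the example, not NIST values):
  * free-space path loss, FSPL(dB) = 20*log10(d_km) + 20*log10(f_MHz) + 32.44
  * one fixed attenuation figure for walls on the path to the boundary
  * the most sensitive receiver outside the boundary is rx_sensitivity_dbm
"""
import math


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss in dB over distance_m metres at freq_mhz MHz."""
    if distance_m <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44


def received_dbm(tx_dbm, distance_m, freq_mhz, tx_gain_dbi, rx_gain_dbi, extra_loss_db=0.0):
    """Link budget: power arriving at a receiver distance_m away."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_mhz) - extra_loss_db


def power_plan(boundary_m, coverage_m, freq_mhz, rx_sensitivity_dbm, target_rssi_dbm,
               tx_gain_dbi=2.0, rx_gain_dbi=2.0, margin_db=6.0, boundary_loss_db=0.0):
    """Highest TX power that keeps the boundary below rx_sensitivity_dbm (with margin),
    lowest TX power that still delivers target_rssi_dbm at the coverage edge, and
    whether one setting satisfies both."""
    max_tx = (rx_sensitivity_dbm + fspl_db(boundary_m, freq_mhz) + boundary_loss_db
              - tx_gain_dbi - rx_gain_dbi - margin_db)
    min_tx = target_rssi_dbm + fspl_db(coverage_m, freq_mhz) - tx_gain_dbi - rx_gain_dbi
    feasible = min_tx <= max_tx
    return {
        "max_tx_dbm": max_tx,
        "min_tx_dbm": min_tx,
        "feasible": feasible,
        # Configure the lowest power that meets coverage, keeping the rest as headroom.
        "recommended_tx_dbm": min_tx if feasible else None,
        "headroom_db": max_tx - min_tx,
    }


if __name__ == "__main__":
    # Constructed scenario: 2.4 GHz channel 6 (2437 MHz), property line 100 m away,
    # users within 25 m, and exterior walls assumed to take 20 dB off the outbound path.
    for loss in (0.0, 20.0):
        print(f"wall loss {loss:>4} dB ->", power_plan(100, 25, 2437, -90, -65,
                                                         boundary_loss_db=loss))
```

Running the scenario with no wall attenuation gives `feasible: False`: in free space a -90 dBm receiver 100 m away hears the access point long before desks 25 m away get a usable -65 dBm. That outcome is the point of the first checklist step (antenna selection): when no omnidirectional power setting satisfies both constraints, the fix is a directional antenna, more access points at lower power, or accepting that the measured wall attenuation is what makes the plan work, which is why the last two steps test and monitor the real levels rather than trusting the model.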

AT Awareness and Training
Baseline - Low

AT-1 Policy and Procedures
Step | Implemented? | Comments
Define who is responsible for the awareness and training policy. | No |
Establish a scope for the Policy and Procedures policy. | No |
Define Policy and Procedures policy statements that adhere to requirements from law and the organization. | No |

AT-2 Literacy Training and Awareness
Step | Implemented? | Comments
Develop a security and privacy literacy training program. | No |
Identify system users (including managers, senior executives, and contractors) who need to receive the training. | No |
Schedule initial training for new users and [Assignment: organization-defined frequency] thereafter. | No |
Schedule training when required by system changes or following [Assignment: organization-defined events]. | No |
Identify [Assignment: organization-defined awareness techniques] to increase the security and privacy awareness of system users. | No |
Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. | No |
Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques. | No |
Deliver the security and privacy literacy training program. | No |
Set up monitoring processes and tools to monitor and evaluate the effectiveness of the training program. | No |

AT-2(2) Literacy Training and Awareness | Insider Threat
Step | Implemented? | Comments
Develop a curriculum for literacy training on recognizing and reporting potential indicators of insider threat. | No |
Identify potential trainers and resources to deliver the training. | No |
Schedule training sessions and invite participants. | No |
Prepare materials and resources for the training sessions. | No |
Deliver the training sessions. | No |
Set up monitoring processes and tools to monitor and assess the effectiveness of the training. | No |
Follow up with participants to ensure they understand the material. | No |
Provide additional support and resources as needed. | No |

AT-3 Role-based Training
Step | Implemented? | Comments
Identify the personnel with the specified roles and responsibilities. | No |
Develop role-based security and privacy training content. | No |
Deliver training to personnel with the specified roles and responsibilities. | No |
Set up monitoring processes and tools for personnel understanding of the training and assess their knowledge. | No |
Update role-based training content at the specified frequency. | No |
Incorporate lessons learned from internal or external security incidents or breaches into role-based training. | No |
Set up monitoring processes and tools for personnel understanding of the updated training and assess their knowledge. | No |

AT-4 Training Records
Step | Implemented? | Comments
Develop a training program that covers security and privacy awareness and role-based security and privacy training. | No |
Develop a system to document and monitor the training activities. | No |
Train employees on security and privacy awareness and role-based security and privacy training. | No |
Set up monitoring processes and tools for the training activities to ensure that all employees have completed the training. | No |
Retain individual training records for the organization-defined time period. | No |

Baseline - Moderate

AT-2(3) Literacy Training and Awareness | Social Engineering and Mining
Step | Implemented? | Comments
Identify the target audience for the literacy training. | No |
Develop a curriculum for the literacy training. | No |
Identify the resources needed to deliver the literacy training. | No |
Create materials and resources to support the literacy training. | No |
Schedule and deliver the literacy training. | No |
Evaluate the effectiveness of the literacy training. | No |

AU Audit and Accountability
Baseline - Low

AU-1 Policy and Procedures
Step | Implemented? | Comments
Define who is responsible for the audit and accountability policy. | No |
Establish a scope for the Policy and Procedures policy. | No |
Define Policy and Procedures policy statements that adhere to requirements from law and the organization. | No |

AU-2 Event Logging
Step | Implemented? | Comments
Research and identify the types of events that the system is capable of logging in support of the audit function. | No |
Coordinate with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged. | No |
Specify the event types for logging within the system and the frequency of (or situation requiring) logging for each identified event type. | No |
Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents. | No |
Review and update the event types selected for logging at an organization-defined frequency. | No |

AU-3 Content of Audit Records
Step | Implemented? | Comments
Establish a system to track audit records. | No |
Create a database to store the audit records. | No |
Define the fields in the database to capture the required information. | No |
Develop a process to capture the required information for each event. | No |
Develop a process to store the audit records in the database. | No |
Develop a process to review the audit records to ensure the required information is captured. | No |
Develop a process to monitor the audit records to ensure accuracy. | No |
Develop a process to generate reports from the audit records. | No |

AU-4 Audit Log Storage Capacity
Step | Implemented? | Comments
Identify organization-defined audit log retention requirements. | No |
Estimate the storage capacity needed to accommodate the audit log retention requirements. | No |
Acquire the necessary storage capacity. | No |
Configure the storage capacity to store audit logs. | No |
Set up monitoring processes and tools for the storage capacity to ensure it is sufficient to accommodate the audit log retention requirements. | No |

AU-5 Response to Audit Logging Process Failures
Step | Implemented? | Comments
Identify the personnel or roles to be alerted in the event of an audit logging process failure. | No |
Establish a time period for when the personnel or roles should be alerted. | No |
Develop additional actions to be taken in the event of an audit logging process failure. | No |
Create a process to alert the personnel or roles within the established time period. | No |
Implement the additional actions in the event of an audit logging process failure. | No |
Set up monitoring processes and tools for the audit logging process to ensure it is functioning correctly. | No |
Test the alert process to ensure it is working correctly. | No |

AU-6 Audit Record Review, Analysis, and Reporting
Step | Implemented? | Comments
Establish an organization-defined frequency for reviewing and analyzing system audit records. | No |
Establish organization-defined criteria for identifying inappropriate or unusual activity. | No |
Review and analyze system audit records according to the established frequency. | No |
Identify any indications of inappropriate or unusual activity. | No |
Assess the potential impact of the inappropriate or unusual activity. | No |
Report findings to the organization-defined personnel or roles. | No |
Set up monitoring processes and tools for law enforcement information, intelligence information, and other credible sources of information for changes in risk. | No |
Adjust the level of audit record review, analysis, and reporting within the system accordingly. | No |

AU-8 Time Stamps
Step | Implemented? | Comments
Identify the organization-defined granularity of time measurement. | No |
Establish internal system clocks to generate time stamps for audit records. | No |
Set the internal system clocks to use Coordinated Universal Time. | No |
Set the internal system clocks to have a fixed local time offset from Coordinated Universal Time. | No |
Include the local time offset as part of the time stamp. | No |
Record the time stamps for audit records that meet the organization-defined granularity of time measurement. | No |
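
The AU-8 steps describe what a time stamp must contain: a UTC reading (or a fixed local offset carried inside the stamp) at an organization-defined granularity. The block below is an added example, not part of the checklist, showing a stamp formatter that meets those three requirements and the matching normaliser that brings stamps from systems with different fixed offsets back to UTC for correlation. The sample clock reading, the offsets and the millisecond granularity are constructed values.

```python
"""Added example: AU-8 time stamps in UTC or with a fixed, embedded local offset,
truncated to an organization-defined (sub-second) granularity. Values are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed clock reading used by the demonstration and the checks.
SAMPLE_CLOCK = datetime(2025, 2, 1, 12, 34, 56, 789123, tzinfo=timezone.utc)


def make_timestamp(clock_utc, local_offset_minutes=0, granularity_ms=1):
    """Render an RFC 3339 stamp from a UTC system-clock reading.

    clock_utc             timezone-aware datetime in UTC (the internal system clock)
    local_offset_minutes  fixed offset to present; 0 keeps UTC. It is embedded as +HH:MM
                          so the stamp is unambiguous on its own.
    granularity_ms        organization-defined granularity, 1..1000 ms; finer digits are
                          dropped rather than rounded so a stamp never runs ahead of the clock.
    """
    if clock_utc.tzinfo is None or clock_utc.utcoffset() != timedelta(0):
        raise ValueError("clock reading must be timezone-aware and in UTC")
    if not 1 <= granularity_ms <= 1000:
        raise ValueError("granularity must be between 1 and 1000 ms")
    step_us = granularity_ms * 1000
    micro = clock_utc.microsecond
    truncated = clock_utc.replace(microsecond=micro - micro % step_us)
    local = truncated.astimezone(timezone(timedelta(minutes=local_offset_minutes)))
    return local.isoformat(timespec="milliseconds")


def to_utc(stamp):
    """Normalise a stamp produced above back to UTC so records from systems using
    different fixed offsets order and correlate correctly."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError("stamp carries no offset; AU-8 stamps must include one")
    return parsed.astimezone(timezone.utc)


if __name__ == "__main__":
    for offset in (0, 120, -300):
        stamp = make_timestamp(SAMPLE_CLOCK, local_offset_minutes=offset)
        print(stamp, "->", to_utc(stamp).isoformat())
```

Rejecting naive clock readings and offset-less stamps is deliberate: a stamp such as `2025-02-01T14:34:56` with no offset cannot be placed on a common timeline, which is exactly the failure the "include the local time offset" step is there to prevent.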

AU-9 Protection of Audit Information
Step | Implemented? | Comments
Establish access control measures to protect audit information and audit logging tools from unauthorized access, modification, and deletion. | No |
Implement an audit logging system that records all access attempts to audit information and audit logging tools. | No |
Set up monitoring processes and tools for access attempts to audit information and audit logging tools. | No |
Establish an alert system that notifies designated personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. | No |
Test the alert system to ensure it is functioning properly. | No |
Set up monitoring processes and tools for the alert system regularly to ensure it is working as intended. | No |

AU-11 Audit Record Retention
Step | Implemented? | Comments
Define the organization-defined time period for retaining audit records. | No |
Develop a records retention policy. | No |
Implement procedures to ensure that audit records are retained for the specified time period. | No |
Establish a secure storage system for audit records. | No |
Set up monitoring processes and tools for the storage system to ensure audit records are retained for the specified time period. | No |
Develop procedures for after-the-fact investigations of incidents. | No |
Ensure that audit records are available for investigations. | No |
Set up monitoring processes and tools for the storage system to ensure audit records are available for investigations. | No |
Develop procedures to meet regulatory and organizational information retention requirements. | No |
Ensure that audit records are available to meet regulatory and organizational information retention requirements. | No |

AU-12 Audit Record Generation
Step | Implemented? | Comments
Define the event types the system is capable of auditing as defined in AU-2a. | No |
Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system. | No |
Develop a system to generate audit records for the event types defined in AU-2c. | No |
Include the audit record content defined in AU-3 in the generated audit records. | No |
Test the audit record generation capability for accuracy and completeness. | No |
Deploy the audit record generation capability. | No |

Baseline - Moderate

AU-3(1) Content of Audit Records | Additional Audit Information
Step | Implemented? | Comments
Define the organization-defined additional information that needs to be included in the audit records. | No |
Establish a system for generating audit records that includes the additional information. | No |
Configure the system to include the additional information in the audit records. | No |
Test the system to ensure that the additional information is included in the audit records. | No |
Set up monitoring processes and tools for the system to ensure that the additional information is included in the audit records. | No |

AU-6(1) Audit Record Review, Analysis, and Reporting | Automated Process Integration
Step | Implemented? | Comments
Identify the organization-defined automated mechanisms to be used for audit record review, analysis, and reporting. | No |
Develop a plan to integrate the automated mechanisms into existing audit record review, analysis, and reporting processes. | No |
Test the automated mechanisms to ensure they are functioning correctly. | No |
Train staff on the use of the automated mechanisms. | No |
Implement the automated mechanisms into the existing audit record review, analysis, and reporting processes. | No |
Set up monitoring processes and tools for the automated mechanisms to ensure they are functioning correctly. | No |
Evaluate the effectiveness of the automated mechanisms and make necessary adjustments. | No |

AU-6(3) Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories
Step | Implemented? | Comments
Collect audit records from different repositories. | No |
Analyze the audit records to identify patterns and trends. | No |
Correlate the audit records to gain insights into the organization’s activities. | No |
Create a dashboard to visualize the data and gain an organization-wide situational awareness. | No |
Set up monitoring processes and tools to monitor the dashboard for changes and trends over time. | No |
Generate reports to document the findings. | No |

AU-7 Audit Record Reduction and Report Generation
Step | Implemented? | Comments
Gather requirements for audit record reduction and report generation capability. | No |
Design the audit record reduction and report generation capability. | No |
Develop the audit record reduction and report generation capability. | No |
Test the audit record reduction and report generation capability. | No |
Deploy the audit record reduction and report generation capability. | No |
Set up monitoring processes and tools for the audit record reduction and report generation capability. | No |
Provide user training on the audit record reduction and report generation capability. | No |
Provide support for the audit record reduction and report generation capability. | No |

AU-7(1) Audit Record Reduction and Report Generation | Automatic Processing
Step | Implemented? | Comments
Define the organization-defined fields within audit records. | No |
Develop a process to capture and store audit records. | No |
Design a sorting algorithm to sort the audit records based on the organization-defined fields. | No |
Implement the sorting algorithm. | No |
Design a search algorithm to search the audit records for events of interest. | No |
Implement the search algorithm. | No |
Test the sorting and search algorithms. | No |
Deploy the sorting and search algorithms. | No |
Set up monitoring processes and tools to monitor and maintain the sorting and search algorithms. | No |

AU-9(4) Protection of Audit Information | Access by Subset of Privileged Users
Step | Implemented? | Comments
Identify the organization-defined subset of privileged users or roles that will have access to management of audit logging functionality. | No |
Develop a policy for access control to audit logging functionality. | No |
Implement access control mechanisms to restrict access to audit logging functionality to the identified privileged users or roles. | No |
Set up monitoring processes and tools for access to audit logging functionality to ensure that only the identified privileged users or roles have access. | No |
Document the access control policy and any changes to it. | No |
Periodically review the access control policy and make necessary changes. | No |

Baseline - High

AU-5(1) Response to Audit Logging Process Failures | Storage Capacity Warning
Step | Implemented? | Comments
Define the personnel, roles, and/or locations that should receive the warning. | No |
Define the time period within which the warning should be provided. | No |
Define the percentage of the repository maximum audit log storage capacity that should trigger the warning. | No |
Develop a process to monitor the allocated audit log storage volume. | No |
Develop a process to generate the warning when the allocated audit log storage volume reaches the defined percentage of the repository maximum audit log storage capacity. | No |
Test the warning process to ensure it is functioning correctly. | No |
Deploy the warning process. | No |
Set up monitoring processes and tools for the warning process to ensure it is functioning correctly. | No |
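
The monitor-and-warn steps above reduce to measuring the allocated volume, comparing it with the organization-defined percentage of the repository maximum, and producing a message addressed to the defined recipients. The block below is an added example, not part of the checklist: the repository is a directory whose files are summed, and the capacity (1000 bytes), threshold (75%) and recipient address are constructed values chosen so the demonstration crosses the threshold.

```python
"""Added example: AU-5(1) warning when the allocated audit log volume reaches an
organization-defined percentage of the repository maximum. All figures are constructed."""
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class CapacityPolicy:
    max_capacity_bytes: int     # repository maximum audit log storage capacity
    warn_percent: float         # organization-defined percentage that triggers the warning
    recipients: tuple           # organization-defined personnel, roles and/or locations


def used_bytes(repository_dir):
    """Allocated audit log volume: total size of every file under the repository."""
    total = 0
    for root, _dirs, files in os.walk(repository_dir):
        for name in files:
            total += os.path.getsize(os.path.join(root, name))
    return total


def check_capacity(used, policy):
    """Compare the used volume with the policy and build the warning to send, if any."""
    if policy.max_capacity_bytes <= 0:
        raise ValueError("max_capacity_bytes must be positive")
    percent = 100.0 * used / policy.max_capacity_bytes
    warning = None
    if percent >= policy.warn_percent:
        warning = {
            "to": policy.recipients,
            "message": (f"audit log storage at {percent:.1f}% of "
                        f"{policy.max_capacity_bytes} bytes "
                        f"(warning threshold {policy.warn_percent:g}%)"),
        }
    return {"used_bytes": used, "percent": percent, "warning": warning}


def demo():
    """Run the check against a constructed repository in a temporary directory."""
    policy = CapacityPolicy(max_capacity_bytes=1000, warn_percent=75.0,
                            recipients=("soc-oncall@example.com",))   # constructed
    with tempfile.TemporaryDirectory() as repo:
        with open(os.path.join(repo, "audit.log"), "wb") as fh:
            fh.write(b"x" * 800)            # 80% of the constructed capacity
        return check_capacity(used_bytes(repo), policy)


if __name__ == "__main__":
    print(demo())
```

In production the check runs on a schedule shorter than the "time period within which the warning should be provided", and the warning goes to a channel that does not itself depend on the audit repository being writable; otherwise the failure the control is meant to pre-empt can also suppress the warning.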

AU-5(2) Response to Audit Logging Process Failures | Real-time Alerts
Step | Implemented? | Comments
Identify the organization-defined real-time period for the alert. | No |
Identify the organization-defined personnel, roles, and/or locations to receive the alert. | No |
Identify the organization-defined audit logging failure events requiring real-time alerts. | No |
Develop a system to generate the alert within the specified real-time period. | No |
Configure the system to send the alert to the specified personnel, roles, and/or locations. | No |
Test the alert system to ensure it is functioning properly. | No |
Set up monitoring processes and tools for the system to ensure it is generating the alert within the specified real-time period. | No |

AU-6(5) Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records
Step | Implemented? | Comments
Collect organization-defined data/information from other sources. | No |
Analyze audit records. | No |
Analyze vulnerability scanning information. | No |
Analyze performance data. | No |
Analyze system monitoring information. | No |
Identify inappropriate or unusual activity. | No |
Enhance the ability to identify inappropriate or unusual activity. | No |

AU-6(6) Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring
Step | Implemented? | Comments
Gather audit records from all relevant sources. | No |
Set up monitoring processes and tools for physical access to the premises. | No |
Analyze audit records and physical access data to identify any suspicious, inappropriate, unusual, or malevolent activity. | No |
Correlate audit records and physical access data to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. | No |
Take appropriate action based on the results of the correlation. | No |
Document all findings and actions taken. | No |

AU-9(2) Protection of Audit Information | Store on Separate Physical Systems or Components
Step | Implemented? | Comments
Define the frequency of audit records to be stored. | No |
Create a repository for storing the audit records. | No |
Ensure that the repository is part of a physically different system or system component than the system or component being audited. | No |
Configure the system or component to store the audit records in the repository at the defined frequency. | No |
Set up monitoring processes and tools for the repository to ensure audit records are being stored as defined. | No |

AU-9(3) Protection of Audit Information | Cryptographic Protection
Step | Implemented? | Comments
Research cryptographic algorithms and protocols that can be used to protect audit information and audit tools. | No |
Select an appropriate cryptographic algorithm and protocol that meets the security requirements. | No |
Implement the cryptographic algorithm and protocol in the audit tools. | No |
Test the cryptographic algorithm and protocol to ensure it meets the security requirements. | No |
Deploy the cryptographic algorithm and protocol in the audit tools. | No |
Set up monitoring processes and tools for the performance of the cryptographic algorithm and protocol to ensure it is working as expected. | No |
Update the cryptographic algorithm and protocol as needed to maintain security. | No |
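
The checklist leaves the choice of mechanism open. One common answer to "protect the integrity of audit information" is a keyed hash chain: each record's authentication tag covers the previous tag, so modifying, reordering, inserting or deleting an entry breaks verification at or before that point. The block below is an added example, not part of the checklist; the key, the three sample records and their field names are constructed. HMAC protects integrity for whoever holds the key; it is not a digital signature and does not by itself satisfy AU-10 non-repudiation.

```python
"""Added example: tamper-evident audit records via an HMAC hash chain, one way to
implement AU-9(3). Key, records and field names are constructed for the example."""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32                              # "previous tag" for the first record
KEY = b"constructed-demo-key-do-not-reuse"         # real deployments: key from a KMS/HSM,
                                                   # never stored on the logging host

RECORDS = [  # constructed sample records with AU-3 style content
    {"event": "login", "subject": "alice", "outcome": "success", "ts": "2025-02-01T12:00:00Z"},
    {"event": "sudo", "subject": "alice", "outcome": "failure", "ts": "2025-02-01T12:00:07Z"},
    {"event": "logout", "subject": "alice", "outcome": "success", "ts": "2025-02-01T12:05:00Z"},
]


def _canonical(record):
    """Stable byte encoding so the same record always hashes to the same value."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_records(records, key):
    """Chain each record to its predecessor: tag_i = HMAC(key, tag_{i-1} || record_i)."""
    sealed, prev = [], GENESIS
    for rec in records:
        tag = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        sealed.append({"record": rec, "tag": tag.hex()})
        prev = tag
    return sealed


def verify_chain(sealed, key):
    """Recompute the chain. Returns (True, None), or (False, index of the first entry
    whose tag no longer matches). A wrong key fails at index 0."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        expected = hmac.new(key, prev + _canonical(entry["record"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), entry["tag"]):
            return False, i
        prev = expected
    return True, None


def latest_tag(sealed):
    """Tag to anchor off-host (per AU-9(2)); without it, removing trailing entries
    is undetectable because the chain still verifies up to the cut."""
    return sealed[-1]["tag"] if sealed else GENESIS.hex()


if __name__ == "__main__":
    chain = seal_records(RECORDS, KEY)
    print(verify_chain(chain, KEY), latest_tag(chain))
```

Two operational points follow from the code. Chain verification cannot detect truncation of the tail, so the latest tag (or a periodic checkpoint) has to be recorded on a separate system, which is what AU-9(2) provides. And the key must not live where the logs do; an administrator who can edit the log file and read the key can simply re-seal it.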

AU-10 Non-repudiation
Step | Implemented? | Comments
Identify the individual or process that is responsible for performing the action. | No |
Collect evidence of the action taken, such as digital signatures, time stamps, or audit logs. | No |
Securely store the evidence in a tamper-proof format. | No |
Ensure the evidence is accessible for review and analysis. | No |
Verify the evidence is authentic and unaltered. | No |
Provide the evidence to the requesting party. | No |

AU-12(1) Audit Record Generation | System-wide and Time-correlated Audit Trail
Step | Implemented? | Comments
Identify the system components from which audit records must be compiled. | No |
Establish an organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail. | No |
Collect audit records from the identified system components. | No |
Correlate the audit records to within the organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail. | No |
Compile the correlated audit records into a system-wide (logical or physical) audit trail. | No |
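
The collect, correlate and compile steps above, together with the cross-repository correlation in AU-6(3), come down to normalising every component's stamps to one clock, ordering them, and grouping records that belong to the same activity within the organization-defined tolerance. The block below is an added example, not part of the checklist: the three repositories (web, auth, db), their records, the session key used for grouping and the five-second tolerance are all constructed. One repository reports in a +02:00 fixed offset to show why normalisation comes first.

```python
"""Added example: compile a system-wide, time-correlated audit trail (AU-12(1));
the same merge serves AU-6(3) correlation across repositories. Constructed data."""
from datetime import datetime, timedelta, timezone

# Constructed repositories. Stamps carry explicit offsets (see AU-8) so they normalise.
REPOSITORIES = {
    "web": [
        {"ts": "2025-02-01T12:00:00.100+00:00", "session": "S1", "event": "GET /admin"},
        {"ts": "2025-02-01T12:00:05.000+00:00", "session": "S2", "event": "GET /"},
    ],
    "auth": [
        {"ts": "2025-02-01T14:00:00.300+02:00", "session": "S1", "event": "mfa ok"},
    ],
    "db": [
        {"ts": "2025-02-01T12:00:01.000+00:00", "session": "S1", "event": "select users"},
        {"ts": "2025-02-01T12:10:00.000+00:00", "session": "S1", "event": "select users"},
    ],
}


def to_utc(stamp):
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)


def compile_trail(repositories):
    """Merge every component's records into one list ordered by UTC time."""
    trail = []
    for component, records in repositories.items():
        for rec in records:
            entry = {k: v for k, v in rec.items() if k != "ts"}
            entry["component"] = component
            entry["time"] = to_utc(rec["ts"])
            trail.append(entry)
    trail.sort(key=lambda e: e["time"])       # stable: equal stamps keep repository order
    return trail


def correlate(trail, tolerance_s, key="session"):
    """Group records that share `key` and whose stamps lie within tolerance_s seconds of
    the group's earliest record. A record further away starts a new group, which is how
    a reviewer sees that it is not part of the same activity."""
    tolerance = timedelta(seconds=tolerance_s)
    groups = []
    for entry in trail:
        for group in groups:
            if group["key"] == entry.get(key) and entry["time"] - group["start"] <= tolerance:
                group["records"].append(entry)
                break
        else:
            groups.append({"key": entry.get(key), "start": entry["time"], "records": [entry]})
    return groups


def summarize(groups):
    """Compact view of the trail: (key, [components in time order]) per group."""
    return [(g["key"], [r["component"] for r in g["records"]]) for g in groups]


if __name__ == "__main__":
    for key, components in summarize(correlate(compile_trail(REPOSITORIES), 5)):
        print(key, "->", " > ".join(components))
```

The tolerance value should be at least the worst-case clock skew between the components (which is why AU-8 pins them to synchronised UTC clocks); set it too tight and a single activity splinters into several groups, set it too loose and unrelated activity by the same session merges.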

AU-12(3) Audit Record Generation | Changes by Authorized Individuals
Step | Implemented? | Comments
Identify the organization-defined individuals or roles who will be responsible for changing the logging. | No |
Determine the organization-defined system components that will be subject to the logging changes. | No |
Establish the organization-defined selectable event criteria that will be used to determine the logging changes. | No |
Set the organization-defined time thresholds for when the logging changes will take effect. | No |
Develop the capability for the identified individuals or roles to change the logging based on the established criteria and time thresholds. | No |
Test the capability to ensure that it is functioning properly. | No |
Deploy the capability to the organization-defined system components. | No |
Set up monitoring processes and tools for the logging changes to ensure they are being implemented correctly. | No |

CA Assessment, Authorization, and Monitoring
Baseline - Low

CA-1 Policy and Procedures
Step | Implemented? | Comments
Define who is responsible for the assessment, authorization, and monitoring policy. | No |
Establish a scope for the Policy and Procedures policy. | No |
Define Policy and Procedures policy statements that adhere to requirements from law and the organization. | No |

CA-2 Control Assessments
Step | Implemented? | Comments
Identify the type of assessment to be conducted. | No |
Identify the controls and control enhancements to be assessed. | No |
Develop a control assessment plan that describes the scope of the assessment. | No |
Review and approve the control assessment plan. | No |
Assess the controls in the system and its environment of operation. | No |
Produce a control assessment report that documents the results of the assessment. | No |
Provide the results of the control assessment to the designated individuals or roles. | No |

CA-3 Information Exchange
Step | Implemented? | Comments
Identify the type of agreement needed for the exchange of information. | No |
Draft the agreement and document the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated. | No |
Obtain approval for the agreement. | No |
Implement the agreement. | No |
Set up monitoring processes and tools to monitor and review the agreement on an organization-defined frequency. | No |
Update the agreement as needed. | No |

CA-5 Plan of Action and Milestones
Step | Implemented? | Comments
Identify weaknesses or deficiencies noted during the assessment of the controls. | No |
Identify known vulnerabilities in the system. | No |
Develop a plan of action and milestones to remediate the identified weaknesses and vulnerabilities. | No |
Implement the plan of action and milestones. | No |
Set up monitoring processes and tools for the progress of the plan. | No |
Update the plan of action and milestones based on findings from control assessments, independent audits or reviews, and continuous monitoring activities. | No |
Re-evaluate the plan of action and milestones at the organization-defined frequency. | No |

CA-6 Authorization
Step | Implemented? | Comments
Identify a senior official to serve as the authorizing official for the system. | No |
Identify a senior official to serve as the authorizing official for common controls available for inheritance by organizational systems. | No |
Have the authorizing official for the system accept the use of common controls inherited by the system. | No |
Have the authorizing official for the system authorize the system to operate. | No |
Have the authorizing official for common controls authorize the use of those controls for inheritance by organizational systems. | No |
Establish a schedule for updating the authorizations. | No |

CA-7 Continuous Monitoring
Step | Implemented? | Comments
Identify the organization-defined system-level metrics to be monitored. | No |
Establish organization-defined frequencies for monitoring and assessment of control effectiveness. | No |
Perform ongoing control assessments in accordance with the continuous monitoring strategy. | No |
Set up monitoring processes and tools for system and organization-defined metrics in accordance with the continuous monitoring strategy. | No |
Correlate and analyze information generated by control assessments and monitoring. | No |
Take response actions to address results of the analysis of control assessment and monitoring information. | No |
Report the security and privacy status of the system to organization-defined personnel or roles at organization-defined frequency. | No |

CA-7(4) Continuous Monitoring | Risk Monitoring
Step | Implemented? | Comments
Develop a risk monitoring plan that outlines the objectives, scope, and timeline of the risk monitoring process. | No |
Establish risk monitoring metrics and thresholds to measure the effectiveness of the risk management program. | No |
Develop a process to collect data and information necessary to monitor risk. | No |
Implement a system to track and monitor changes to the organization’s risk profile. | No |
Establish a process to review and analyze the data and information collected to identify potential risks. | No |
Develop a process to identify and address any potential risks identified. | No |
Develop a process to review and report on the effectiveness of the risk management program. | No |
Establish a process to ensure compliance with applicable laws, regulations, and policies. | No |
Develop a process to review and report on the compliance of the risk management program. | No |
Establish a process to review and report on the effectiveness of the change management program. | No |

CA-9 Internal System Connections
Step | Implemented? | Comments
Identify the internal connections of the organization-defined system components or classes of components. | No |
Establish the interface characteristics, security and privacy requirements, and the nature of the information communicated for each internal connection. | No |
Define the organization-defined conditions for terminating the internal system connections. | No |
Establish the organization-defined frequency for reviewing the continued need for each internal connection. | No |
Authorize the internal connections of the system components or classes of components. | No |
Document the interface characteristics, security and privacy requirements, and the nature of the information communicated for each internal connection. | No |
Terminate the internal system connections after the organization-defined conditions. | No |
Review the continued need for each internal connection at the organization-defined frequency. | No |

Baseline - Moderate

CA-2(1) Control Assessments | Independent Assessors
Step | Implemented? | Comments
Identify the type of control assessment to be conducted. | No |
Develop a plan for the control assessment. | No |
Identify and select independent assessors or assessment teams. | No |
Provide assessors or assessment teams with necessary training and resources. | No |
Establish a timeline for the control assessment. | No |
Conduct the control assessment. | No |
Document the results of the control assessment. | No |
Review the results of the control assessment. | No |
Implement corrective actions as needed. | No |
Set up monitoring processes and tools for the effectiveness of corrective actions. | No |

CA-7(1) Continuous
Monitoring |
Independent
Assessment Implemented? Comments
Identify the objectives of the
assessment. No
Select the independent
assessors or assessment teams. No
Define the scope of the
assessment. No
Develop a plan for the
assessment. No
Train the assessors or
assessment teams. No
Execute the assessment. No
Analyze the results of the
assessment. No
Report the findings of the
assessment. No
Set up monitoring processes
and tools for the controls in the
system on an ongoing basis. No

Baseline - High

CA-2(2) Control
Assessments |
Specialized Assessments Implemented? Comments
Define the frequency of control
assessments. No
Select whether the assessments
will be announced or
unannounced. No
Select one or more of the
following assessment types: in-
depth monitoring, security
instrumentation, automated
security test cases, vulnerability
scanning, malicious user
testing, insider threat
assessment, performance and
load testing, data leakage or
data loss assessment. No
Define any other forms of
assessment. No
Implement the assessments. No

CA-3(6) Information
Exchange | Transfer
Authorizations Implemented? Comments
Identify the individuals or
systems that are transferring
data between interconnecting
systems. No
Confirm that the individuals or
systems have the necessary
authorizations to transfer the
data. No
Establish a process to verify the
authorizations prior to
accepting the data. No
Set up monitoring processes
and tools for the data transfer
process to ensure that the
authorizations are verified. No
Document the verification
process and any changes to the
authorization requirements. No
Implement a system to track
and audit the verification
process. No
Create a system to alert
administrators if the
authorization requirements are
not met. No
Develop a procedure to revoke
access if the authorization
requirements are not met. No

CA-8 Penetration Testing Implemented? Comments
Identify the systems or system
components to be tested. No
Establish the frequency of the
tests. No
Develop a penetration testing
plan. No
Identify and acquire the
necessary tools and resources. No
Execute the tests. No
Analyze the results. No
Document the results. No
Implement any necessary
corrective actions. No
Set up monitoring processes
and tools for the systems or
system components for any
changes. No

CA-8(1) Penetration
Testing | Independent
Penetration Testing
Agent or Team Implemented? Comments
Research and select an
independent penetration
testing agent or team. No
Develop a scope of work and
timeline for the penetration
testing. No
Negotiate terms and conditions
with the penetration testing
agent or team. No
Sign a contract with the
penetration testing agent or
team. No
Provide the penetration testing
agent or team with access to
the system or system
components. No
Set up monitoring processes
and tools for the progress of
the penetration testing. No
Review the results of the
penetration testing. No
Implement any necessary
changes or updates to the
system or system components. No
Document the results of the
penetration testing. No
Follow up with the penetration
testing agent or team to ensure
all issues have been addressed. No

CM Configuration Management
Baseline - Low

CM-1 Policy and
Procedures Implemented? Comments
Define who is responsible for
the configuration management
policy. No
Establish a scope for the
configuration management
policy and procedures. No
Define policy and procedure
statements that adhere to
requirements from law and the
organization. No

CM-2 Baseline
Configuration Implemented? Comments
Establish a baseline
configuration of the system. No
Document the baseline
configuration and maintain it
under configuration control. No
Review the baseline
configuration of the system at
the specified frequency. No
Update the baseline
configuration of the system
when required due to
organization-defined
circumstances. No
Update the baseline
configuration of the system
when system components are
installed or upgraded. No

CM-4 Impact Analyses Implemented? Comments
Identify the changes to the
system. No
Assess the potential security
and privacy risks associated
with the changes. No
Develop a plan to mitigate any
identified risks. No
Implement the changes. No
Set up monitoring processes
and tools for the system for any
changes in security or privacy. No
Document the changes and the
associated security and privacy
impacts. No

CM-5 Access Restrictions
for Change Implemented? Comments
Define physical and logical
access restrictions associated
with changes to the system. No
Document the physical and
logical access restrictions. No
Obtain approval for the physical
and logical access restrictions
from relevant stakeholders. No
Enforce the physical and logical
access restrictions. No
Set up monitoring processes
and tools for auditing
compliance with the physical
and logical access restrictions. No
Update the physical and logical
access restrictions as needed. No

CM-6 Configuration
Settings Implemented? Comments
Establish configuration settings
for components employed
within the system that reflect
the most restrictive mode
consistent with operational
requirements. No

Document the configuration
settings. No
Implement the configuration
settings. No
Identify and document any
deviations from established
configuration settings for
organization-defined system
components. No
Approve any deviations from
established configuration
settings based on organization-
defined operational
requirements. No
Set up monitoring processes
and tools for changes to the
configuration settings. No
Control changes to the
configuration settings in
accordance with organizational
policies and procedures. No

CM-7 Least Functionality Implemented? Comments
Identify the organization-
defined mission essential
capabilities. No
Identify the organization-
defined prohibited or restricted
functions, system ports,
protocols, software, and/or
services. No
Configure the system to provide
only the identified mission
essential capabilities. No
Prohibit or restrict the use of
the identified prohibited or
restricted functions, system
ports, protocols, software,
and/or services. No

Test the system to ensure that
the mission essential
capabilities are functioning
properly and the prohibited or
restricted functions, system
ports, protocols, software,
and/or services are not
accessible. No
Document the system
configuration. No

CM-8 System
Component Inventory Implemented? Comments
Identify all components within
the system. No
Record the components in an
inventory. No
Ensure that the inventory
accurately reflects the system
and does not include duplicate
accounting of components or
components assigned to any
other system. No
Set the level of granularity for
the inventory. No
Record the organization-
defined information deemed
necessary to achieve effective
system component
accountability. No
Review and update the system
component inventory at the
organization-defined frequency. No

SA-6 Software Usage
Restrictions Implemented? Comments
Read and understand contract
agreements and copyright laws
related to software and
associated documentation. No
Establish a system to track the
use of software and associated
documentation protected by
quantity licenses. No
Set up monitoring processes
and tools for the use of peer-to-
peer file sharing technology to
ensure that it is not used for
unauthorized distribution,
display, performance, or
reproduction of copyrighted
work. No
Document the use of peer-to-
peer file sharing technology. No
Develop policies and
procedures to ensure
compliance with contract
agreements and copyright laws. No
Implement appropriate security
measures to prevent
unauthorized access to
software and associated
documentation. No
Educate users on the
importance of adhering to
contract agreements and
copyright laws. No
Set up monitoring processes
and tools for compliance with
contract agreements and
copyright laws. No
Take appropriate action in the
event of non-compliance. No

SA-7 User-installed
Software Implemented? Comments
Define organization-defined
policies governing the
installation of software by
users. No
Establish methods for enforcing
software installation policies. No
Set up a system to monitor
policy compliance. No
Determine the frequency of
policy compliance monitoring. No
Implement the policies,
methods, and monitoring
system. No
Train users on the software
installation policies. No
Set up monitoring processes
and tools for enforcing policy
compliance at the determined
frequency. No

Baseline - Moderate

CM-2(2) Baseline
Configuration |
Automation Support for
Accuracy and Currency Implemented? Comments
Establish an organization-
defined automated mechanism
to monitor the baseline
configuration of the system. No
Establish an organization-
defined automated mechanism
to detect changes to the
baseline configuration of the
system. No
Establish an organization-
defined automated mechanism
to alert personnel when
changes to the baseline
configuration of the system are
detected. No
Establish an organization-
defined automated mechanism
to compare the baseline
configuration of the system to
the current configuration of the
system. No
Establish an organization-
defined automated mechanism
to identify discrepancies
between the baseline
configuration of the system and
the current configuration of the
system. No
Establish an organization-
defined automated mechanism
to correct discrepancies
between the baseline
configuration of the system and
the current configuration of the
system. No
Establish an organization-
defined automated mechanism
to log changes to the baseline
configuration of the system. No
Establish an organization-
defined automated mechanism
to store the baseline
configuration of the system. No
Establish an organization-
defined automated mechanism
to ensure the currency,
completeness, accuracy, and
availability of the baseline
configuration of the system. No
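The CM-2(2) steps above describe an automated mechanism that compares the stored baseline with the live configuration, identifies discrepancies, corrects them, and logs what it did. The following is an added example of such a mechanism in Python; it is not code from the checklist or from NIST. The baseline and the "live" configuration are constructed in-memory dictionaries of file path to file content, and the change log is a list of JSON lines; a real deployment would read files from disk or a configuration management database and write the log to a protected store.

```python
"""Baseline-configuration drift detection and correction (CM-2(2) style).

Added example, not part of the original checklist. The baseline store and
the "current" configuration are constructed in-memory dictionaries of
file path -> file content (constructed sample data, not from any real host).
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone


def fingerprint(config: dict[str, str]) -> dict[str, str]:
    """Map every configuration file path to the SHA-256 of its content."""
    return {path: hashlib.sha256(body.encode()).hexdigest()
            for path, body in config.items()}


def compare_to_baseline(baseline: dict[str, str],
                        current: dict[str, str]) -> dict[str, list[str]]:
    """Identify discrepancies between the stored baseline and the live configuration.

    Returns three sorted lists: paths present only on the live system (added),
    paths missing from the live system (removed), and paths whose content
    differs from the baseline (modified).
    """
    base_fp, cur_fp = fingerprint(baseline), fingerprint(current)
    return {
        "added": sorted(set(cur_fp) - set(base_fp)),
        "removed": sorted(set(base_fp) - set(cur_fp)),
        "modified": sorted(p for p in base_fp.keys() & cur_fp.keys()
                           if base_fp[p] != cur_fp[p]),
    }


def correct_drift(baseline: dict[str, str], current: dict[str, str],
                  discrepancies: dict[str, list[str]],
                  change_log: list[str]) -> dict[str, str]:
    """Restore baseline content for every discrepancy and log each action.

    Returns a corrected copy of `current` (the input is not mutated): files
    not in the baseline are removed, missing files are restored, and modified
    files are overwritten with the baseline content. Every action is appended
    to `change_log` as a JSON line so a record of the change survives.
    """
    corrected = dict(current)
    stamp = datetime.now(timezone.utc).isoformat()
    for path in discrepancies["added"]:
        del corrected[path]
        change_log.append(json.dumps(
            {"time": stamp, "path": path, "action": "removed_unbaselined_file"}))
    for path in discrepancies["removed"] + discrepancies["modified"]:
        corrected[path] = baseline[path]
        change_log.append(json.dumps(
            {"time": stamp, "path": path, "action": "restored_from_baseline"}))
    return corrected


# Constructed sample data (not taken from any real system).
BASELINE = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sysctl.d/99-hardening.conf": "net.ipv4.ip_forward = 0\n",
}
LIVE = {
    # Drifted: a setting was changed after the baseline was approved.
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
    # Not in the baseline at all.
    "/etc/cron.d/unexpected": "# not part of the approved baseline\n",
}

if __name__ == "__main__":
    log: list[str] = []
    found = compare_to_baseline(BASELINE, LIVE)
    print("discrepancies:", found)
    fixed = correct_drift(BASELINE, LIVE, found, log)
    print("after correction:", compare_to_baseline(BASELINE, fixed))
    print("\n".join(log))
```

Hashing the content rather than comparing strings directly is what lets the same comparison run against a baseline that is stored only as a manifest of digests, which is the usual way to keep the stored baseline small and to avoid copying sensitive configuration content into the monitoring system.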

CM-2(3) Baseline
Configuration |
Retention of Previous
Configurations Implemented? Comments
Determine the organization-
defined number of previous
versions of baseline
configurations to retain. No
Create a backup schedule to
regularly capture and store the
baseline configurations. No
Establish a secure storage
location for the baseline
configurations. No
Implement a process to ensure
that the backups are regularly
tested and verified. No
Develop a procedure to rollback
to a previous version of the
baseline configuration if
needed. No
Set up monitoring processes
and tools for the system to
ensure that the baseline
configurations are being
retained and updated as
needed. No

CM-2(7) Baseline
Configuration |
Configure Systems and
Components for High-
risk Areas Implemented? Comments
Identify systems or system
components that need to be
issued to individuals traveling
to locations of significant risk. No

Develop organization-defined
configurations for the identified
systems or components. No
Issue the identified systems or
components with the
organization-defined
configurations to individuals
traveling to locations of
significant risk. No
Identify organization-defined
controls to be applied to the
systems or components when
the individuals return from
travel. No
Apply the organization-defined
controls to the systems or
components when the
individuals return from travel. No

CM-3 Configuration
Change Control Implemented? Comments
Identify and document the
types of changes that require
configuration control. No
Review proposed configuration-
controlled changes to the
system and assess their security
and privacy impact. No
Document configuration change
decisions. No
Implement approved
configuration-controlled
changes to the system. No
Retain records of configuration-
controlled changes to the
system for the specified time
period. No
Set up monitoring processes
and tools for reviewing
activities associated with
configuration-controlled
changes to the system. No
Establish a configuration
change control element and
define its frequency and
conditions. No
Coordinate and provide
oversight for configuration
change control activities. No

CM-3(2) Configuration
Change Control |
Testing, Validation, and
Documentation of
Changes Implemented? Comments
Analyze the system
requirements and develop a
plan for the changes. No
Design the changes to the
system. No
Implement the changes to the
system. No
Test the changes to the system. No
Validate the changes to the
system. No
Document the changes to the
system. No
Finalize the implementation of
the changes. No

CM-3(4) Configuration
Change Control |
Security and Privacy
Representatives Implemented? Comments

Identify the security and privacy
representatives in the
organization. No
Identify the configuration
change control element in the
organization. No
Add the security and privacy
representatives to the
configuration change control
element. No
Set up monitoring processes
and tools for the configuration
change control element to
ensure the security and privacy
representatives are actively
participating. No

CM-4(2) Impact Analyses
| Verification of Controls Implemented? Comments
Identify the system changes. No
Identify the impacted controls. No
Analyze the security and privacy
requirements for the system. No
Develop test cases to verify the
impacted controls. No
Execute the test cases. No
Analyze the results of the test
cases. No
Document the results of the
test cases. No
Make any necessary
adjustments to the impacted
controls. No
Re-test the impacted controls. No
Document the results of the re-
test. No
Confirm that the impacted
controls are operating as
intended and producing the
desired outcome. No

CM-7(1) Least
Functionality | Periodic
Review Implemented? Comments
Establish an organization-
defined frequency for reviewing
the system. No
Identify unnecessary and/or
nonsecure functions, ports,
protocols, software, and
services. No
Determine which functions,
ports, protocols, software, and
services within the system are
unnecessary and/or nonsecure. No
Disable or remove the
unnecessary and/or nonsecure
functions, ports, protocols,
software, and services. No

CM-7(2) Least
Functionality | Prevent
Program Execution Implemented? Comments
Develop organization-defined
policies, rules of behavior,
and/or access agreements
regarding software program
usage and restrictions. No
Create rules authorizing the
terms and conditions of
software program usage. No
Implement a system to monitor
and enforce the policies, rules,
and agreements. No

Train staff on the policies, rules,
and agreements. No
Establish a process for
responding to violations of the
policies, rules, and agreements. No
Set up monitoring processes
and tools for software program
usage to ensure compliance
with the policies, rules, and
agreements. No
Take appropriate action when
violations are detected. No

CM-7(5) Least
Functionality |
Authorized Software —
Allow-by-exception Implemented? Comments
Gather a list of organization-
defined software programs
authorized to execute on the
system. No
Create a deny-all, permit-by-
exception policy to allow the
execution of authorized
software programs on the
system. No
Set up monitoring processes
and tools for the system for
unauthorized software
programs. No
Review and update the list of
authorized software programs
at organization-defined
frequency. No
Implement the updated policy
and ensure that only authorized
software programs are allowed
to execute on the system. No
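The CM-7(5) steps call for a deny-all, permit-by-exception policy: only programs on the authorized list may execute, the list is reviewed and updated at a defined frequency, and unauthorized programs are detected. The following is an added example in Python of how such a policy can be evaluated; it is not code from the checklist or from any product. The authorized list keys each program by path and content hash, so a listed program whose bytes have changed is denied as well as an unlisted one. The program contents and paths are constructed stand-ins.

```python
"""Deny-all, permit-by-exception execution policy (CM-7(5) style).

Added example, not the checklist's own tooling. The authorised-software
list and the execution requests are constructed inline; the byte strings
stand in for executable files so that the hash check runs without touching
disk.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class AllowByExceptionPolicy:
    """Authorised programs are identified by path *and* content hash.

    Anything not on the list is denied (deny-all); list entries are the
    exceptions. Denied attempts are kept in `denials` for review and alerting.
    """
    authorised: dict[str, str]                          # path -> expected SHA-256
    denials: list[tuple[str, str, str]] = field(default_factory=list)

    def evaluate(self, path: str, content: bytes) -> bool:
        """Return True only when the path is listed and its hash still matches."""
        observed = sha256_hex(content)
        expected = self.authorised.get(path)
        if expected is None:
            self.denials.append((path, observed, "not on authorised list"))
            return False
        if expected != observed:
            # Listed path but different bytes: the file was replaced or modified.
            self.denials.append((path, observed, "hash mismatch with authorised entry"))
            return False
        return True

    def add_exception(self, path: str, content: bytes) -> None:
        """Periodic review step: record a newly approved program by its current hash."""
        self.authorised[path] = sha256_hex(content)


# Constructed sample programs (stand-ins for executable contents).
BACKUP_TOOL = b"#!/bin/sh\n# approved backup script v1\n"
BACKUP_TOOL_MODIFIED = b"#!/bin/sh\n# approved backup script v1 (edited)\n"
UNLISTED_TOOL = b"#!/bin/sh\n# not reviewed\n"


def build_policy() -> AllowByExceptionPolicy:
    """Start from the reviewed list: a single approved program (constructed)."""
    return AllowByExceptionPolicy(
        authorised={"/opt/tools/backup.sh": sha256_hex(BACKUP_TOOL)})


if __name__ == "__main__":
    policy = build_policy()
    for path, body in [("/opt/tools/backup.sh", BACKUP_TOOL),
                       ("/opt/tools/backup.sh", BACKUP_TOOL_MODIFIED),
                       ("/home/user/new_tool.sh", UNLISTED_TOOL)]:
        print(path, "->", "ALLOW" if policy.evaluate(path, body) else "DENY")
    for denial in policy.denials:
        print("for review:", denial)
```

The `denials` list is the raw material for the monitoring and review steps: a hash mismatch on a listed path points to a modified or replaced program, while a run of denials for the same unlisted path is a candidate for the periodic list update, handled here by `add_exception` after a human approves it.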

CM-8(1) System
Component Inventory |
Updates During
Installation and Removal Implemented? Comments
Identify the components to be
installed, removed, or updated. No
Record the details of the
components in the inventory
system. No
Ensure the inventory system is
up-to-date with the latest
information. No
Set up monitoring processes
and tools for the inventory
system for any changes or
discrepancies. No
Update the inventory system
with the new components,
removals, or updates. No
Notify relevant personnel of
any changes to the inventory
system. No
Test the system to ensure all
components are functioning
properly. No
Document any changes to the
inventory system. No

CM-8(3) System
Component Inventory |
Automated
Unauthorized
Component Detection Implemented? Comments

Identify the organization-
defined automated
mechanisms to detect the
presence of unauthorized
hardware, software, and
firmware components within
the system. No
Determine the organization-
defined frequency for the
automated mechanisms. No
Establish the organization-
defined personnel or roles to be
notified when unauthorized
components are detected. No
Implement the automated
mechanisms to detect the
presence of unauthorized
components. No
Set up monitoring processes
and tools for the system using
the automated mechanisms at
the specified frequency. No
If unauthorized components are
detected, take the appropriate
action (e.g. disable network
access, isolate the components,
or notify the organization-
defined personnel or roles). No
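CM-8 requires an inventory with no duplicate accounting and no component assigned to another system, and CM-8(3) requires an automated mechanism that compares what is actually present with that inventory. The following added Python example, which is not code from the checklist or any asset-management product, does both: it checks the inventory for duplicate and cross-system entries, then reconciles a constructed scan result against it to produce the unauthorized and missing lists that the notification step acts on. The inventory entries, scan result and the `Component` fields are constructed for the example.

```python
"""System component inventory reconciliation (CM-8 and CM-8(3) style).

Added example, not from the checklist or any product. Both the authorised
inventory and the "discovered" components are constructed inline; in
practice the discovered list would come from an asset scanner or agent.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    identifier: str      # e.g. serial number or software package name
    kind: str            # "hardware", "software" or "firmware"
    system: str          # system the component is accounted to
    owner: str           # accountable individual or role


def check_inventory_integrity(inventory: list[Component]) -> list[str]:
    """CM-8: no duplicate accounting and no component assigned to two systems.

    Returns human-readable findings; an empty list means the inventory is
    internally consistent.
    """
    findings: list[str] = []
    counts = Counter((c.identifier, c.kind) for c in inventory)
    for (ident, kind), n in sorted(counts.items()):
        if n > 1:
            findings.append(f"{kind} {ident} is recorded {n} times")
    systems: dict[tuple[str, str], set[str]] = {}
    for c in inventory:
        systems.setdefault((c.identifier, c.kind), set()).add(c.system)
    for (ident, kind), assigned in sorted(systems.items()):
        if len(assigned) > 1:
            findings.append(
                f"{kind} {ident} is assigned to more than one system: {sorted(assigned)}")
    return findings


def detect_unauthorised(inventory: list[Component],
                        discovered: list[tuple[str, str]]) -> dict[str, list[tuple[str, str]]]:
    """CM-8(3): compare what a scan found against the authorised inventory.

    `discovered` is a list of (identifier, kind) pairs. Components seen on the
    system but absent from the inventory are unauthorised; inventoried
    components the scan did not see are reported as missing so the inventory
    can be corrected or the loss investigated.
    """
    known = {(c.identifier, c.kind) for c in inventory}
    seen = set(discovered)
    return {"unauthorised": sorted(seen - known), "missing": sorted(known - seen)}


# Constructed sample data (identifiers and system names are invented).
INVENTORY = [
    Component("SN-1001", "hardware", "payroll", "it-ops"),
    Component("openssh-server", "software", "payroll", "platform-team"),
    Component("SN-1002", "hardware", "payroll", "it-ops"),
    Component("SN-1002", "hardware", "hr-portal", "it-ops"),   # duplicate, cross-system
]
SCAN_RESULT = [("SN-1001", "hardware"), ("openssh-server", "software"),
               ("unknown-agent", "software")]

if __name__ == "__main__":
    for line in check_inventory_integrity(INVENTORY):
        print("integrity:", line)
    print(detect_unauthorised(INVENTORY, SCAN_RESULT))
```

Running the integrity check before the reconciliation matters: a duplicated or cross-assigned entry would otherwise mask itself as "known" and the scan comparison would report nothing for it.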

CM-9 Configuration
Management Plan Implemented? Comments
Identify the roles,
responsibilities, and
configuration management
processes and procedures. No
Establish a process for
identifying configuration items
throughout the system
development life cycle and for
managing the configuration of
the configuration items. No
Define the configuration items
for the system and place the
configuration items under
configuration management. No
Review and approve the
configuration management plan
by organization-defined
personnel or roles. No
Protect the configuration
management plan from
unauthorized disclosure and
modification. No
Document the configuration
management plan. No
Implement the configuration
management plan. No

CM-12 Information
Location Implemented? Comments
Identify the organization-
defined information. No
Document the location of the
information and the specific
system components on which it
is processed and stored. No
Identify the users who have
access to the system and
system components. No
Document changes to the
location of the information. No
Set up monitoring processes
and tools for reviewing access
to the system and system
components. No
Update the documentation as
needed. No
CM-12(1) Information
Location | Automated
Tools to Support
Information Location Implemented? Comments
Identify the organization-
defined information by
information type. No
Identify the organization-
defined system components. No
Research and select automated
tools to identify the
organization-defined
information by information
type. No
Install and configure the
automated tools on the
organization-defined system
components. No
Test the automated tools to
ensure they are functioning
correctly. No
Set up monitoring processes
and tools for the automated
tools to ensure they are
detecting the organization-
defined information by
information type. No
Implement controls to protect
organizational information and
individual privacy. No

Baseline - High

CM-3(1) Configuration
Change Control |
Automated
Documentation,
Notification, and
Prohibition of Changes Implemented? Comments
Create an automated
mechanism to document
proposed changes to the
system. No
Use the automated mechanism
to notify the organization-
defined approval authorities of
proposed changes to the
system and request change
approval. No
Use the automated mechanism
to highlight proposed changes
to the system that have not
been approved or disapproved
within the organization-defined
time period. No
Use the automated mechanism
to prohibit changes to the
system until designated
approvals are received. No
Use the automated mechanism
to document all changes to the
system. No
Use the automated mechanism
to notify the organization-
defined personnel when
approved changes to the
system are completed. No

CM-3(6) Configuration
Change Control |
Cryptography
Management Implemented? Comments

Identify the cryptographic
mechanisms used to provide
the organization-defined
controls. No
Establish a configuration
management process for the
identified cryptographic
mechanisms. No
Develop and document
configuration management
policies and procedures for the
cryptographic mechanisms. No
Implement the configuration
management policies and
procedures. No
Set up monitoring processes
and tools for the cryptographic
mechanisms for compliance
with the configuration
management policies and
procedures. No
Update the configuration
management policies and
procedures as needed. No
Test the cryptographic
mechanisms for compliance
with the configuration
management policies and
procedures. No
Document any changes to the
cryptographic mechanisms. No
Audit the cryptographic
mechanisms for compliance
with the configuration
management policies and
procedures. No
Report any non-compliance to
the appropriate personnel. No

CM-4(1) Impact Analyses
| Separate Test
Environments Implemented? Comments
Create a separate test
environment. No
Identify changes to the system. No
Analyze the changes for
security and privacy impacts. No
Identify any flaws, weaknesses,
incompatibility, or intentional
malice. No
Implement the changes in the
test environment. No
Test the changes to ensure they
are secure and private. No
Implement the changes in the
operational environment. No
Set up monitoring processes
and tools for the system for any
changes or issues. No

CM-5(1) Access
Restrictions for Change |
Automated Access
Enforcement and Audit
Records Implemented? Comments
Identify the access restrictions
that need to be enforced. No
Establish an automated
mechanism to enforce the
access restrictions. No
Configure the automated
mechanism to generate audit
records of the enforcement
actions. No
Set up monitoring processes
and tools for the automated
mechanism to ensure that it is
functioning correctly. No
Test the automated mechanism
to ensure that it is correctly
enforcing the access
restrictions. No
Regularly review the audit
records to verify that the
enforcement actions are being
taken as expected. No

CM-6(1) Configuration
Settings | Automated
Management,
Application, and
Verification Implemented? Comments
Define system components to
be configured. No
Develop automated
mechanisms to manage, apply,
and verify configuration
settings. No
Test the automated
mechanisms to ensure they are
functioning properly. No
Implement the automated
mechanisms. No
Set up monitoring processes
and tools for the system
components to ensure the
configuration settings are
applied and verified. No
Update the automated
mechanisms as needed to
ensure the configuration
settings remain accurate and
up-to-date. No

CM-6(2) Configuration
Settings | Respond to
Unauthorized Changes Implemented? Comments
Set up monitoring processes
and tools for the organization-
defined configuration settings
for unauthorized changes. No
Implement an alert system to
notify personnel of any
unauthorized changes. No
Investigate the unauthorized
changes to determine the
source and scope of the
incident. No
Take the organization-defined
actions in response to the
unauthorized changes. No
Document the incident and any
actions taken in response. No
Update the organization-
defined configuration settings
to prevent similar incidents in
the future. No
Report the incident to the
appropriate personnel. No

CM-8(2) System
Component Inventory |
Automated
Maintenance Implemented? Comments
Establish an inventory of system
components. No
Set up monitoring processes
and tools for the inventory for
changes. No
Update the inventory with any
changes. No

Ensure the currency,
completeness, accuracy, and
availability of the inventory. No
Utilize organization-defined
automated mechanisms to
maintain the inventory. No
Set up monitoring processes
and tools for the automated
mechanisms for any errors or
issues. No
Resolve any errors or issues
with the automated
mechanisms. No
Document any changes to the
inventory. No

CM-8(4) System
Component Inventory |
Accountability
Information Implemented? Comments
Create a database to store the
component inventory
information. No
Create a form to capture the
information required for the
component inventory. No
Design a user interface to allow
users to input the information. No
Develop a query to search the
component inventory by name,
position, or role. No
Develop a report to display the
component inventory
information. No
Develop a process to identify
individuals responsible and
accountable for administering
the components. No

Test the system to ensure
accuracy and reliability. No
Deploy the system. No
Set up monitoring processes
and tools for the system for any
issues or errors. No

CP Contingency Planning
Baseline - Low

CP-1 Policy and
Procedures Implemented? Comments
Define who is responsible for
the contingency planning
policy. No
Establish a scope for the
contingency planning policy
and procedures. No
Define policy and procedure
statements that adhere to
requirements from law and the
organization. No

CP-2 Contingency Plan Implemented? Comments
Identify essential mission and
business functions and
associated contingency
requirements. No
Develop recovery objectives,
restoration priorities, and
metrics. No
Assign roles, responsibilities,
and contact information for
individuals. No
Develop strategies to maintain
essential mission and business
functions despite system
disruption, compromise, or
failure. No
Develop strategies for eventual,
full system restoration without
deterioration of the controls
originally planned and
implemented. No
Develop strategies for sharing
of contingency information. No
Review and approve the
contingency plan. No
Distribute copies of the
contingency plan to key
personnel and organizational
elements. No
Coordinate contingency
planning activities with incident
handling activities. No
Review the contingency plan at
the organization-defined
frequency. No
Update the contingency plan to
address changes to the
organization, system, or
environment of operation and
problems encountered during
contingency plan
implementation, execution, or
testing. No
Communicate contingency plan
changes to key personnel and
organizational elements. No
Incorporate lessons learned
from contingency plan testing,
training, or actual contingency
activities into contingency
testing and training. No

Protect the contingency plan
from unauthorized disclosure
and modification. No

CP-3 Contingency
Training Implemented? Comments
Identify the roles and
responsibilities of system users. No
Develop a training program to
ensure system users
understand their roles and
responsibilities. No
Establish a timeline for
providing the training within a
specified period of assuming a
contingency role or
responsibility. No
Establish a timeline for
providing the training when
required by system changes. No
Establish a timeline for
providing the training at a
specified frequency thereafter. No
Develop a review and update
process for the training content
at a specified frequency. No
Establish a timeline for
reviewing and updating the
training content following
specified events. No
Deliver the training to system
users. No
Set up monitoring processes
and tools for evaluating the
effectiveness of the training. No

CP-4 Contingency Plan
Testing Implemented? Comments
Define the organization-defined
frequency for testing the
contingency plan. No
Define the organization-defined
tests for determining the
effectiveness of the plan and
the readiness to execute the
plan. No
Execute the tests on the
contingency plan. No
Review the test results. No
Identify any corrective actions
needed. No
Implement the corrective
actions. No

CP-9 System Backup Implemented? Comments
Identify the system
components that contain user-
level information. No
Define the frequency for
conducting backups of user-
level information. No
Create a backup plan for
system-level information. No
Define the frequency for
conducting backups of system-
level information. No
Create a backup plan for system
documentation, including
security- and privacy-related
documentation. No
Define the frequency for
conducting backups of system
documentation. No
Implement measures to protect
the confidentiality, integrity,
and availability of backup
information. No

Execute the backup plans for
user-level, system-level, and
system documentation
information. No
Set up monitoring processes
and tools for the backup
processes to ensure they are
running as expected. No
Test the backups to ensure the
data is recoverable. No
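The CP-9 steps cover backing up user-level information, system-level information and system documentation, protecting the integrity of the backup information, and testing that the backups are recoverable. The following added Python example, which is not code from the checklist, shows one way to make the recovery test mechanical: each backup carries a manifest of per-file SHA-256 digests, the manifest is tagged with an HMAC so that a modified manifest is detected, and the verification step recomputes everything before a restore is trusted. The file contents and the HMAC key are constructed placeholders; in practice the key lives in a secrets manager, separate from the backup media.

```python
"""Backup manifest with integrity protection and restore verification (CP-9 style).

Added example, not part of the checklist. The "files" being backed up are
constructed in-memory byte strings and the HMAC key is a placeholder.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed placeholder; a real key is generated and kept in a secrets manager.
MANIFEST_KEY = b"placeholder-manifest-key-replace-in-production"


def create_backup(files: dict[str, bytes], key: bytes = MANIFEST_KEY) -> dict:
    """Copy the files and produce a manifest of per-file SHA-256 digests, tagged with an HMAC.

    The tag lets the verifier detect a manifest that was edited to match
    altered data, which a bare digest list cannot do.
    """
    digests = {path: hashlib.sha256(body).hexdigest()
               for path, body in sorted(files.items())}
    manifest = json.dumps(digests, sort_keys=True).encode()
    return {
        "data": {path: bytes(body) for path, body in files.items()},
        "manifest": manifest,
        "tag": hmac.new(key, manifest, hashlib.sha256).hexdigest(),
    }


def verify_backup(backup: dict, key: bytes = MANIFEST_KEY) -> list[str]:
    """Recovery test: confirm the manifest is authentic and every file matches it.

    Returns a list of problems; an empty list means the backup is recoverable
    exactly as recorded. The HMAC is checked first, because nothing in an
    unauthenticated manifest can be trusted.
    """
    problems: list[str] = []
    expected_tag = hmac.new(key, backup["manifest"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, backup["tag"]):
        return ["manifest HMAC does not verify; manifest or tag was altered"]
    digests = json.loads(backup["manifest"])
    for path, digest in digests.items():
        body = backup["data"].get(path)
        if body is None:
            problems.append(f"{path}: listed in manifest but absent from backup")
        elif hashlib.sha256(body).hexdigest() != digest:
            problems.append(f"{path}: content does not match manifest digest")
    for path in backup["data"]:
        if path not in digests:
            problems.append(f"{path}: present in backup but not in manifest")
    return problems


# Constructed sample content covering the three CP-9 information categories.
SAMPLE_FILES = {
    "/var/lib/app/users.db": b"user-level information (constructed)",
    "/etc/app/config.yml": b"system-level information (constructed)",
    "/srv/docs/ssp.pdf": b"system documentation (constructed)",
}

if __name__ == "__main__":
    backup = create_backup(SAMPLE_FILES)
    print("fresh backup problems:", verify_backup(backup))
    damaged = dict(backup, data=dict(backup["data"]))
    damaged["data"]["/etc/app/config.yml"] = b"bit rot or tampering"
    print("damaged backup problems:", verify_backup(damaged))
```

Running `verify_backup` on a schedule, against the copy held at the alternate storage site rather than the copy that was just written, is what turns the "test the backups" line above into evidence that can be shown to an assessor.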

CP-10 System Recovery
and Reconstitution Implemented? Comments
Establish recovery time and
recovery point objectives. No
Develop and document a
recovery plan that outlines the
steps to be taken to recover the
system. No
Test the recovery plan to
ensure it is effective and meets
the recovery time and recovery
point objectives. No
Implement the recovery plan
and ensure the system is
reconstituted to a known state. No
Set up monitoring processes
and tools for the system to
ensure it is functioning
correctly. No
Document the results of the
recovery process. No

Baseline - Moderate

CP-2(1) Contingency
Plan | Coordinate with
Related Plans Implemented? Comments
Identify organizational
elements responsible for
related plans. No
Establish communication
channels with the identified
organizational elements. No
Develop a timeline for the
development of the
contingency plan. No
Develop a plan to coordinate
the development of the
contingency plan with the
identified organizational
elements. No
Develop a plan to monitor the
progress of the contingency
plan development. No
Develop a plan to review the
contingency plan with the
identified organizational
elements. No
Develop a plan to implement
the contingency plan. No
Develop a plan to evaluate the
effectiveness of the
contingency plan. No

CP-2(3) Contingency
Plan | Resume Mission
and Business Functions Implemented? Comments
Identify all mission and business
functions that need to be
resumed. No

Establish a timeline for
resuming each mission and
business function. No
Assign personnel to each task
related to resuming mission and
business functions. No
Develop and document
procedures for resuming
mission and business functions. No
Test and validate procedures
for resuming mission and
business functions. No
Train personnel on procedures
for resuming mission and
business functions. No
Set up monitoring processes
and tools for the progress of
resuming mission and business
functions. No
Adjust timeline and personnel
assignments as needed. No
Update contingency plan with
new procedures and timeline. No
Report progress of resuming
mission and business functions
to stakeholders. No

CP-2(8) Contingency
Plan | Identify Critical
Assets Implemented? Comments
Identify mission and business
functions that are essential to
the organization. No
Identify the critical system
assets that support the mission
and business functions. No
Analyze the system assets to
determine their importance to
the organization. No
Assess the risks associated with
each system asset. No
Develop a plan to protect the
system assets from potential
threats. No
Implement the plan to protect
the system assets. No
Set up monitoring processes
and tools for the system assets
for any changes or threats. No
Update the plan as needed to
ensure the system assets
remain secure. No

CP-4(1) Contingency
Plan Testing |
Coordinate with Related
Plans Implemented? Comments
Identify organizational
elements responsible for
related plans. No
Develop a timeline for testing
the contingency plan. No
Establish a communication plan
to coordinate the testing of the
contingency plan. No
Assign roles and responsibilities
for the testing of the
contingency plan. No
Schedule meetings with
organizational elements
responsible for related plans to
discuss the testing of the
contingency plan. No
Set up monitoring processes
and tools for the progress of the
testing of the contingency plan. No

99 | P a g e
Document the results of the
testing of the contingency plan. No
Make necessary adjustments to
the contingency plan based on
the results of the testing. No

CP-6 Alternate Storage Site (Implemented? / Comments)
- Research potential alternate storage sites and associated agreements. [Implemented: No]
- Negotiate and secure agreements for the alternate storage site. [Implemented: No]
- Set up the alternate storage site with the necessary infrastructure. [Implemented: No]
- Implement security controls at the alternate storage site equivalent to those at the primary site. [Implemented: No]
- Test the security controls at the alternate storage site. [Implemented: No]
- Back up the system data to the alternate storage site. [Implemented: No]
- Set up monitoring processes and tools for the security controls at the alternate storage site on an ongoing basis. [Implemented: No]

CP-6(1) Alternate Storage Site | Separation from Primary Site (Implemented? / Comments)
- Research potential alternate storage sites that meet the requirements for separation from the primary storage site. [Implemented: No]
- Analyze the security risks associated with the potential alternate storage sites. [Implemented: No]
- Compare the security risks associated with the potential alternate storage sites to the security risks associated with the primary storage site. [Implemented: No]
- Select an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. [Implemented: No]
- Implement security measures to protect the alternate storage site. [Implemented: No]
- Set up monitoring processes and tools for the security of the alternate storage site on an ongoing basis. [Implemented: No]

CP-6(3) Alternate Storage Site | Accessibility (Implemented? / Comments)
- Analyze the current storage site for potential accessibility issues in the event of a disruption or disaster. [Implemented: No]
- Identify potential alternate storage sites and evaluate their accessibility in the event of a disruption or disaster. [Implemented: No]
- Develop a plan to mitigate any potential accessibility issues at the alternate storage site. [Implemented: No]
- Implement the plan to mitigate any potential accessibility issues at the alternate storage site. [Implemented: No]
- Set up monitoring processes and tools for the alternate storage site for any changes in accessibility in the event of a disruption or disaster. [Implemented: No]
- Update the plan to mitigate any potential accessibility issues at the alternate storage site as needed. [Implemented: No]

CP-7 Alternate Processing Site (Implemented? / Comments)
- Identify the essential mission and business functions that need to be transferred and resumed. [Implemented: No]
- Establish an alternate processing site that meets the organization's requirements. [Implemented: No]
- Negotiate and enter into agreements with the alternate processing site to permit the transfer and resumption of system operations. [Implemented: No]
- Determine the time period consistent with the recovery time and recovery point objectives. [Implemented: No]
- Make available the necessary equipment and supplies at the alternate processing site. [Implemented: No]
- Put contracts in place to support delivery of the equipment and supplies to the alternate processing site within the organization-defined time period. [Implemented: No]
- Implement controls at the alternate processing site that are equivalent to those at the primary site. [Implemented: No]

CP-7(1) Alternate Processing Site | Separation from Primary Site (Implemented? / Comments)
- Analyze the current primary processing site to identify potential threats. [Implemented: No]
- Research alternate processing sites to determine their geographic separation from the primary processing site. [Implemented: No]
- Assess the alternate processing sites to determine their susceptibility to the same threats as the primary processing site. [Implemented: No]
- Compare the alternate processing sites to determine which is best suited to reduce susceptibility to the same threats. [Implemented: No]
- Select the alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. [Implemented: No]
- Develop a plan for transitioning operations to the alternate processing site. [Implemented: No]
- Implement the plan for transitioning operations to the alternate processing site. [Implemented: No]
- Test the alternate processing site to ensure it is functioning properly. [Implemented: No]
- Set up monitoring processes and tools for the alternate processing site for any changes in susceptibility to the same threats. [Implemented: No]

CP-7(2) Alternate Processing Site | Accessibility (Implemented? / Comments)
- Identify potential areas of disruption or disaster. [Implemented: No]
- Analyze the impact of the disruption or disaster on alternate processing sites. [Implemented: No]
- Identify potential accessibility problems related to alternate processing sites. [Implemented: No]
- Develop mitigation strategies to address the identified accessibility problems. [Implemented: No]
- Implement the mitigation strategies. [Implemented: No]
- Set up monitoring processes and tools for the effectiveness of the mitigation strategies. [Implemented: No]
- Adjust the mitigation strategies as needed. [Implemented: No]

CP-7(3) Alternate Processing Site | Priority of Service (Implemented? / Comments)
- Identify the availability requirements, including recovery time objectives. [Implemented: No]
- Research and evaluate alternate processing sites. [Implemented: No]
- Draft alternate processing site agreements that contain priority-of-service provisions. [Implemented: No]
- Review and revise the agreements as needed. [Implemented: No]
- Finalize the agreements and obtain sign-off from all parties. [Implemented: No]
- Implement the agreements and monitor compliance. [Implemented: No]

CP-8 Telecommunications Services (Implemented? / Comments)
- Identify the essential mission and business functions that require alternate telecommunications services. [Implemented: No]
- Research and identify potential alternate telecommunications service providers. [Implemented: No]
- Negotiate agreements with the selected alternate telecommunications service providers. [Implemented: No]
- Establish the necessary technical and operational requirements for the alternate telecommunications services. [Implemented: No]
- Test the alternate telecommunications services to ensure they meet the organization's requirements. [Implemented: No]
- Implement the alternate telecommunications services. [Implemented: No]
- Set up monitoring processes and tools for the alternate telecommunications services for any issues or changes. [Implemented: No]
- Document the alternate telecommunications services and agreements. [Implemented: No]

CP-8(1) Telecommunications Services | Priority of Service Provisions (Implemented? / Comments)
- Research availability requirements and recovery time objectives. [Implemented: No]
- Draft primary and alternate telecommunications service agreements that contain priority-of-service provisions. [Implemented: No]
- Submit agreements to appropriate parties for review and approval. [Implemented: No]
- Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness. [Implemented: No]
- Submit the request to the common carrier. [Implemented: No]
- Set up monitoring processes and tools for the progress of the request. [Implemented: No]
- Follow up with the common carrier as needed. [Implemented: No]

CP-8(2) Telecommunications Services | Single Points of Failure (Implemented? / Comments)
- Research and evaluate alternate telecommunications services. [Implemented: No]
- Compare the cost and features of the alternate services. [Implemented: No]
- Select the most suitable service. [Implemented: No]
- Establish a contract with the service provider. [Implemented: No]
- Implement the new service. [Implemented: No]
- Test the service to ensure it is working properly. [Implemented: No]
- Train staff on how to use the new service. [Implemented: No]
- Set up monitoring processes and tools for the service for any issues. [Implemented: No]
- Update any existing documentation to reflect the new service. [Implemented: No]

CP-9(1) System Backup | Testing for Reliability and Integrity (Implemented? / Comments)
- Establish an organization-defined frequency for testing backup information. [Implemented: No]
- Create a test plan to verify media reliability and information integrity. [Implemented: No]
- Execute the test plan. [Implemented: No]
- Analyze the results of the test plan. [Implemented: No]
- Document the results of the test plan. [Implemented: No]
- Take corrective action if necessary. [Implemented: No]

CP-9(8) System Backup | Cryptographic Protection (Implemented? / Comments)
- Identify the type of cryptographic mechanisms that are suitable for protecting the organization-defined backup information. [Implemented: No]
- Establish a secure key management system to store and manage the cryptographic keys. [Implemented: No]
- Implement the cryptographic mechanisms using the established key management system. [Implemented: No]
- Test the cryptographic mechanisms to ensure they are functioning as expected. [Implemented: No]
- Set up monitoring processes and tools for the cryptographic mechanisms to ensure they remain secure and effective. [Implemented: No]
- Update the cryptographic mechanisms as needed to address any security vulnerabilities or changes in the organization-defined backup information. [Implemented: No]

CP-10(2) System Recovery and Reconstitution | Transaction Recovery (Implemented? / Comments)
- Analyze the system architecture and identify the components that are transaction-based. [Implemented: No]
- Identify the transaction types and the data that are involved in each transaction. [Implemented: No]
- Design a recovery strategy that will enable the system to recover from any transaction failure. [Implemented: No]
- Implement the recovery strategy in the system code. [Implemented: No]
- Test the recovery strategy to ensure that it works correctly in all scenarios. [Implemented: No]
- Set up monitoring processes and tools for the system for any transaction failures and take corrective action if necessary. [Implemented: No]
- Document the recovery strategy for future reference. [Implemented: No]

Baseline - High

CP-2(2) Contingency Plan | Capacity Planning (Implemented? / Comments)
- Identify the capacity requirements for information processing, telecommunications, and environmental support. [Implemented: No]
- Analyze the current capacity of the system and compare it to the identified requirements. [Implemented: No]
- Develop a capacity plan that outlines the necessary steps to reach the required capacity. [Implemented: No]
- Implement the capacity plan. [Implemented: No]
- Set up monitoring processes and tools for the system to ensure the capacity is adequate during contingency operations. [Implemented: No]
- Adjust the capacity plan as needed to ensure the system is able to meet the requirements. [Implemented: No]

CP-2(5) Contingency Plan | Continue Mission and Business Functions (Implemented? / Comments)
- Identify mission and business functions that need to be continued with minimal or no loss of operational continuity. [Implemented: No]
- Develop a plan to sustain the continuity of the identified functions. [Implemented: No]
- Implement the plan to ensure the continuity of the identified functions. [Implemented: No]
- Set up monitoring processes and tools for the plan to ensure that the continuity of the identified functions is maintained. [Implemented: No]
- Restore the primary processing and/or storage sites to full system functionality. [Implemented: No]

CP-3(1) Contingency Training | Simulated Events (Implemented? / Comments)
- Identify the crisis situations that need to be addressed in the training. [Implemented: No]
- Develop a plan for incorporating simulated events into the training. [Implemented: No]
- Identify the personnel who will participate in the training. [Implemented: No]
- Create a simulated environment that replicates the crisis situations. [Implemented: No]
- Develop a curriculum that outlines the objectives of the training and the expected outcomes. [Implemented: No]
- Train personnel on how to respond to the simulated events. [Implemented: No]
- Evaluate the effectiveness of the training and make adjustments as needed. [Implemented: No]
- Set up monitoring processes and tools for the personnel's performance and provide feedback. [Implemented: No]
- Document the results of the training and the personnel's responses. [Implemented: No]
- Provide additional training and support as needed. [Implemented: No]

CP-4(2) Contingency Plan Testing | Alternate Processing Site (Implemented? / Comments)
- Identify personnel to be assigned to the alternate processing site. [Implemented: No]
- Train personnel on the facility and available resources. [Implemented: No]
- Develop test scenarios to evaluate the capabilities of the alternate processing site. [Implemented: No]
- Execute the test scenarios and document the results. [Implemented: No]
- Analyze the results and identify any areas of improvement. [Implemented: No]
- Make necessary changes to the contingency plan based on the results of the test. [Implemented: No]
- Re-test the contingency plan at the alternate processing site. [Implemented: No]

CP-6(2) Alternate Storage Site | Recovery Time and Recovery Point Objectives (Implemented? / Comments)
- Identify the alternate storage site that meets the recovery time and recovery point objectives. [Implemented: No]
- Establish a secure connection between the primary and alternate storage sites. [Implemented: No]
- Configure the storage system at the alternate site to replicate data from the primary site. [Implemented: No]
- Set up monitoring processes and tools for the replication process to ensure data is being transferred correctly. [Implemented: No]
- Test the recovery operations to ensure the data can be recovered from the alternate site. [Implemented: No]
- Document the recovery process and procedures. [Implemented: No]
- Train personnel on the recovery process and procedures. [Implemented: No]

CP-7(4) Alternate Processing Site | Preparation for Use (Implemented? / Comments)
- Identify essential mission and business functions. [Implemented: No]
- Develop a plan to replicate the necessary systems and applications to the alternate processing site. [Implemented: No]
- Install and configure the necessary hardware and software at the alternate processing site. [Implemented: No]
- Test the systems and applications to ensure they are functioning properly. [Implemented: No]
- Establish secure communication links between the primary and alternate processing sites. [Implemented: No]
- Train personnel on the use of the systems and applications at the alternate processing site. [Implemented: No]
- Perform periodic tests of the alternate processing site to ensure it remains operational. [Implemented: No]
- Maintain the alternate processing site with regular updates and patches. [Implemented: No]

CP-8(3) Telecommunications Services | Separation of Primary and Alternate Providers (Implemented? / Comments)
- Research and identify alternate telecommunications service providers. [Implemented: No]
- Contact and negotiate with alternate service providers. [Implemented: No]
- Establish service contracts with alternate service providers. [Implemented: No]
- Implement the alternate telecommunications services. [Implemented: No]
- Test the alternate telecommunications services to ensure they are working properly. [Implemented: No]
- Set up monitoring processes and tools for the alternate telecommunications services for any potential threats. [Implemented: No]
- Update the alternate telecommunications services as needed. [Implemented: No]

CP-8(4) Telecommunications Services | Provider Contingency Plan (Implemented? / Comments)
- Develop a set of organizational contingency requirements. [Implemented: No]
- Identify primary and alternate telecommunications service providers. [Implemented: No]
- Request that each provider submit a contingency plan. [Implemented: No]
- Review each contingency plan to ensure it meets organizational requirements. [Implemented: No]
- Request evidence of contingency testing and training from each provider. [Implemented: No]
- Establish an organization-defined frequency for reviewing evidence of contingency testing and training. [Implemented: No]
- Set up monitoring processes and tools for providers to ensure they are meeting the organization-defined frequency for evidence review. [Implemented: No]
- Update organizational contingency requirements as needed. [Implemented: No]

CP-9(2) System Backup | Test Restoration Using Sampling (Implemented? / Comments)
- Identify the system functions that need to be tested. [Implemented: No]
- Create a backup of the system functions to be tested. [Implemented: No]
- Restore the backup information to the system. [Implemented: No]
- Test the restored system functions. [Implemented: No]
- Document the results of the testing. [Implemented: No]
- Make any necessary changes to the system functions. [Implemented: No]
- Re-test the system functions. [Implemented: No]
- Document the results of the re-testing. [Implemented: No]
- Implement the changes to the system functions. [Implemented: No]

CP-9(3) System Backup | Separate Storage for Critical Information (Implemented? / Comments)
- Identify the organization-defined critical system software and other security-related information that needs to be backed up. [Implemented: No]
- Select a separate facility or fire-rated container to store the backup copies. [Implemented: No]
- Transfer the backup copies to the selected facility or container. [Implemented: No]
- Ensure the facility or container is not collocated with the operational system. [Implemented: No]
- Set up monitoring processes and tools for the storage facility or container for any unauthorized access. [Implemented: No]

CP-9(5) System Backup | Transfer to Alternate Storage Site (Implemented? / Comments)
- Identify the alternate storage site. [Implemented: No]
- Establish a secure connection between the system and the alternate storage site. [Implemented: No]
- Set up the backup software to transfer the system backup information to the alternate storage site. [Implemented: No]
- Configure the backup software to transfer the system backup information at the specified time period and transfer rate. [Implemented: No]
- Set up monitoring processes and tools for the transfer process to ensure that the system backup information is transferred successfully. [Implemented: No]
- Verify that the system backup information is stored correctly in the alternate storage site. [Implemented: No]
- Document the transfer process. [Implemented: No]

CP-10(4) System Recovery and Reconstitution | Restore Within Time Period (Implemented? / Comments)
- Establish organization-defined restoration time periods. [Implemented: No]
- Create configuration-controlled and integrity-protected information representing a known, operational state for the system components. [Implemented: No]
- Develop a system to restore system components from the configuration-controlled and integrity-protected information. [Implemented: No]
- Test the system to ensure that it meets the organization-defined restoration time periods. [Implemented: No]
- Deploy the system and monitor its performance. [Implemented: No]
- Update the system as needed to ensure it continues to meet the organization-defined restoration time periods. [Implemented: No]

IA Identification and Authentication

Baseline - Low

IA-1 Policy and Procedures (Implemented? / Comments)
- Define who is responsible for the identification and authentication policy. [Implemented: No]
- Establish a scope for the Policy and Procedures policy. [Implemented: No]
- Define Policy and Procedures policy statements that adhere to requirements from law and the organization. [Implemented: No]

IA-2 Identification and Authentication (Organizational Users) (Implemented? / Comments)
- Establish a system for uniquely identifying and authenticating organizational users. [Implemented: No]
- Create a database to store user authentication information. [Implemented: No]
- Implement a secure authentication process, such as two-factor authentication. [Implemented: No]
- Develop a process to associate the unique user identification with processes acting on behalf of those users. [Implemented: No]
- Establish a system for logging and monitoring user authentication attempts. [Implemented: No]
- Develop a policy for regularly reviewing and updating user authentication information. [Implemented: No]
- Train users on the authentication process and best practices for secure authentication. [Implemented: No]
IA-2(1) Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged Accounts (Implemented? / Comments)
- Research and select a multi-factor authentication solution. [Implemented: No]
- Install and configure the multi-factor authentication solution. [Implemented: No]
- Identify privileged accounts that require multi-factor authentication. [Implemented: No]
- Create and configure user accounts for multi-factor authentication. [Implemented: No]
- Test the multi-factor authentication solution. [Implemented: No]
- Train users on how to use the multi-factor authentication solution. [Implemented: No]
- Set up monitoring processes and tools for, and maintain, the multi-factor authentication solution. [Implemented: No]

IA-2(2) Identification and Authentication (Organizational Users) | Multi-factor Authentication to Non-privileged Accounts (Implemented? / Comments)
- Identify the non-privileged accounts that need multi-factor authentication. [Implemented: No]
- Research and select a multi-factor authentication solution that meets the needs of the organization. [Implemented: No]
- Configure the multi-factor authentication solution for the non-privileged accounts. [Implemented: No]
- Test the multi-factor authentication solution to ensure it is working properly. [Implemented: No]
- Train users on how to use the multi-factor authentication solution. [Implemented: No]
- Set up monitoring processes and tools for the multi-factor authentication solution to ensure it is working properly. [Implemented: No]
- Update the multi-factor authentication solution as needed. [Implemented: No]

IA-2(8) Identification and Authentication (Organizational Users) | Access to Accounts — Replay Resistant (Implemented? / Comments)
- Identify and document the authentication requirements for privileged and non-privileged accounts. [Implemented: No]
- Research and select an appropriate replay-resistant authentication mechanism. [Implemented: No]
- Design and develop the authentication system. [Implemented: No]
- Test the authentication system for accuracy and security. [Implemented: No]
- Implement the authentication system. [Implemented: No]
- Set up monitoring processes and tools for the authentication system for any security issues. [Implemented: No]
- Update the authentication system as needed. [Implemented: No]

IA-2(12) Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials (Implemented? / Comments)
- Establish requirements for the credentials to be accepted. [Implemented: No]
- Establish an electronic verification system for the credentials. [Implemented: No]
- Develop a process to accept and verify the credentials. [Implemented: No]
- Test the process to ensure it meets the requirements. [Implemented: No]
- Train personnel on the process. [Implemented: No]
- Implement the process. [Implemented: No]
- Set up monitoring processes and tools for the process to ensure it is working correctly. [Implemented: No]

IA-4 Identifier Management (Implemented? / Comments)
- Receive authorization from organization-defined personnel or roles to assign an individual, group, role, service, or device identifier. [Implemented: No]
- Select an identifier that identifies an individual, group, role, service, or device. [Implemented: No]
- Assign the identifier to the intended individual, group, role, service, or device. [Implemented: No]
- Prevent reuse of identifiers for the organization-defined time period. [Implemented: No]
- Set up monitoring processes and tools for, and audit, the use of identifiers. [Implemented: No]
- Update system records to reflect changes in identifiers. [Implemented: No]
- Document the process for managing system identifiers. [Implemented: No]
- Train personnel on the process for managing system identifiers. [Implemented: No]

IA-5 Authenticator Management (Implemented? / Comments)
- Verify the identity of the individual, group, role, service, or device receiving the authenticator. [Implemented: No]
- Establish initial authenticator content. [Implemented: No]
- Ensure authenticators have sufficient strength of mechanism for their intended use. [Implemented: No]
- Establish and implement administrative procedures for initial authenticator distribution, lost/compromised/damaged authenticators, and revoking authenticators. [Implemented: No]
- Change default authenticators prior to first use. [Implemented: No]
- Change or refresh authenticators at the organization-defined time period by authenticator type or when organization-defined events occur. [Implemented: No]
- Protect authenticator content from unauthorized disclosure and modification. [Implemented: No]
- Require individuals to take specific controls to protect authenticators. [Implemented: No]
- Change authenticators for group or role accounts when membership to those accounts changes. [Implemented: No]

IA-5(1) Authenticator Management | Password-based Authentication (Implemented? / Comments)
- Create a list of commonly-used, expected, or compromised passwords and update the list at an organization-defined frequency. [Implemented: No]
- Verify that passwords created or updated by users are not found on the list of commonly-used, expected, or compromised passwords. [Implemented: No]
- Ensure that passwords are transmitted only over cryptographically-protected channels. [Implemented: No]
- Store passwords using an approved salted key derivation function, preferably using a keyed hash. [Implemented: No]
- Require users to select a new password upon account recovery. [Implemented: No]
- Allow users to select long passwords and passphrases, including spaces and all printable characters. [Implemented: No]
- Employ automated tools to assist users in selecting strong password authenticators. [Implemented: No]
- Enforce organization-defined composition and complexity rules. [Implemented: No]
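The screening and storage steps of IA-5(1) above, as an added example that is not part of this checklist or of NIST's own material: the PasswordPolicy class, its method names and the sample denylist are assumptions constructed for illustration. It rejects candidates found on a compromised-password list, accepts long passphrases with spaces, and persists only a salted PBKDF2 digest wrapped in a keyed hash (HMAC with a secret pepper kept outside the credential store).

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample of a "commonly-used, expected, or compromised" list; a real
# deployment loads a large list and refreshes it at the organization-defined frequency.
DENYLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "changeme", "Password123"}

DEFAULT_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


class PasswordPolicy:
    """Hypothetical password screening and storage helper (an assumption, not page code)."""

    def __init__(self, denylist, pepper, min_length=8, iterations=DEFAULT_ITERATIONS):
        # Denylist comparison is case-insensitive, so "Password" is still rejected.
        self.denylist = {p.lower() for p in denylist}
        # The pepper is the key of the "keyed hash": held in a secret store, never
        # written next to the digests it protects.
        self.pepper = pepper
        self.min_length = min_length
        self.iterations = iterations

    @staticmethod
    def normalize(password):
        # NFKC normalisation so the same passphrase typed on different keyboards
        # derives the same key; spaces and all printable characters are kept as-is.
        return unicodedata.normalize("NFKC", password)

    def screen(self, candidate):
        """Return (allowed, reason) for a password being created or updated."""
        normalized = self.normalize(candidate)
        if len(normalized) < self.min_length:
            return False, "shorter than the minimum length"
        if normalized.lower() in self.denylist:
            return False, "found on the compromised-password list"
        return True, "accepted"

    def _derive(self, password, salt, iterations):
        # Salted KDF first (PBKDF2-HMAC-SHA256), then a keyed hash over the derived key.
        dk = hashlib.pbkdf2_hmac("sha256", self.normalize(password).encode("utf-8"),
                                 salt, iterations)
        return hmac.new(self.pepper, dk, hashlib.sha256).digest()

    def enroll(self, password):
        """Screen the password and return the record to persist; no plaintext is kept."""
        allowed, reason = self.screen(password)
        if not allowed:
            raise ValueError(reason)
        salt = os.urandom(16)  # fresh random salt per credential
        return {
            "kdf": "pbkdf2-hmac-sha256",
            "iterations": self.iterations,  # stored so the work factor can be raised later
            "salt": salt,
            "digest": self._derive(password, salt, self.iterations),
        }

    def verify(self, record, password):
        """Constant-time comparison of a login attempt against the stored record."""
        expected = self._derive(password, record["salt"], record["iterations"])
        return hmac.compare_digest(expected, record["digest"])


if __name__ == "__main__":
    policy = PasswordPolicy(DENYLIST, pepper=b"example-pepper-from-secret-store")
    print(policy.screen("Password"))  # (False, 'found on the compromised-password list')
    record = policy.enroll("correct horse battery staple 7")
    print(policy.verify(record, "correct horse battery staple 7"))  # True
```

Because the pepper is part of the derivation, a copied credential table cannot be verified or cracked offline without also obtaining the pepper from the secret store.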

IA-6 Authentication Feedback (Implemented? / Comments)
- Identify the authentication information that needs to be obscured. [Implemented: No]
- Implement a secure encryption algorithm to obscure the authentication information. [Implemented: No]
- Ensure that the encryption algorithm is regularly updated to prevent exploitation. [Implemented: No]
- Implement a secure authentication process to ensure that the authentication information is not visible to unauthorized individuals. [Implemented: No]
- Test the authentication process to ensure that the authentication information is properly obscured. [Implemented: No]
- Set up monitoring processes and tools for the authentication process for any possible exploitation or unauthorized use of the authentication information. [Implemented: No]
- Update the authentication process as needed to prevent exploitation or unauthorized use of the authentication information. [Implemented: No]

IA-7 Cryptographic Module Authentication (Implemented? / Comments)
- Identify applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for authentication. [Implemented: No]
- Research and evaluate available authentication mechanisms to determine which meet the requirements. [Implemented: No]
- Design and develop a secure authentication system for the cryptographic module. [Implemented: No]
- Test the authentication system for security and compliance with the identified requirements. [Implemented: No]
- Implement the authentication system in the cryptographic module. [Implemented: No]
- Set up monitoring processes and tools for, and maintain, the authentication system to ensure ongoing compliance. [Implemented: No]

IA-8 Identification and Authentication (Non-organizational Users) (Implemented? / Comments)
- Establish a system for uniquely identifying non-organizational users or processes. [Implemented: No]
- Establish a method of authenticating non-organizational users or processes. [Implemented: No]
- Implement a secure authentication system to verify the identity of non-organizational users or processes. [Implemented: No]
- Implement a system to track and monitor authentication attempts by non-organizational users or processes. [Implemented: No]
- Establish a process for revoking access to non-organizational users or processes. [Implemented: No]
- Establish a process for regularly reviewing authentication attempts and access granted to non-organizational users or processes. [Implemented: No]
- Implement a system for logging and monitoring access attempts by non-organizational users or processes. [Implemented: No]
- Establish a process for responding to authentication attempts by non-organizational users or processes. [Implemented: No]
- Implement a system for alerting administrators of suspicious authentication attempts by non-organizational users or processes. [Implemented: No]

IA-8(1) Identification and Authentication (Non-organizational Users) | Acceptance of PIV Credentials from Other Agencies (Implemented? / Comments)
- Establish a system for electronically verifying Personal Identity Verification-compliant credentials from other federal agencies. [Implemented: No]
- Develop a process for accepting credentials from other federal agencies. [Implemented: No]
- Create a secure database to store the credentials. [Implemented: No]
- Develop a system for securely transmitting credentials between agencies. [Implemented: No]
- Establish a verification process for the credentials. [Implemented: No]
- Develop a system for securely storing and managing the credentials. [Implemented: No]
- Develop a system for securely sharing the credentials with other agencies. [Implemented: No]
- Develop a system for monitoring and auditing the use of the credentials. [Implemented: No]

IA-8(2) Identification and Authentication (Non-organizational Users) | Acceptance of External Authenticators (Implemented? / Comments)
- Research NIST-compliant external authenticators. [Implemented: No]
- Create a list of accepted external authenticators. [Implemented: No]
- Develop a policy for accepting external authenticators. [Implemented: No]
- Document the policy for accepting external authenticators. [Implemented: No]
- Implement the policy for accepting external authenticators. [Implemented: No]
- Set up monitoring processes and tools for, and regularly review, the list of accepted external authenticators. [Implemented: No]
- Update the list of accepted external authenticators as needed. [Implemented: No]

IA-8(4) Identification and Authentication (Non-organizational Users) | Use of Defined Profiles (Implemented? / Comments)
- Identify the organization-defined identity management profiles. [Implemented: No]
- Analyze the current identity management system to determine if it meets the organization-defined identity management profiles. [Implemented: No]
- Develop a plan to implement changes to the identity management system to conform to the organization-defined identity management profiles. [Implemented: No]
- Implement the changes to the identity management system to conform to the organization-defined identity management profiles. [Implemented: No]
- Test the identity management system to ensure that it conforms to the organization-defined identity management profiles. [Implemented: No]
- Set up monitoring processes and tools for the identity management system to ensure that it continues to conform to the organization-defined identity management profiles. [Implemented: No]

IA-11 Re-authentication (Implemented? / Comments)
- Define the circumstances or situations requiring re-authentication. [Implemented: No]
- Develop a system to detect when the circumstances or situations requiring re-authentication have been met. [Implemented: No]
- Create a process to prompt users to re-authenticate when the system detects the required circumstances or situations. [Implemented: No]
- Implement a secure authentication system to verify the user's identity. [Implemented: No]
- Set up monitoring processes and tools for the system to ensure that users are re-authenticating when required. [Implemented: No]

Baseline - Moderate

IA-3 Device Identification and Authentication (Implemented? / Comments)
- Identify the devices and/or types of devices to be authenticated. [Implemented: No]
- Establish the type of connection (local, remote, or network). [Implemented: No]
- Develop a unique authentication process for the identified devices. [Implemented: No]
- Implement the authentication process. [Implemented: No]
- Test the authentication process to ensure it is working properly. [Implemented: No]
- Set up monitoring processes and tools for the authentication process to ensure it is secure. [Implemented: No]

IA-4(4) Identifier Management | Identify User Status (Implemented? / Comments)
- Define the organization-defined characteristic that will be used to identify individual status. [Implemented: No]
- Establish a system to track and store the individual identifiers. [Implemented: No]
- Create a process to assign each individual a unique identifier based on the organization-defined characteristic. [Implemented: No]
- Develop a system to store and manage the individual identifiers. [Implemented: No]
- Develop a process to update the individual identifiers when changes occur. [Implemented: No]
- Develop a process to securely store and access the individual identifiers. [Implemented: No]
- Develop a process to securely delete the individual identifiers when no longer needed. [Implemented: No]

IA-5(2) Authenticator Management | Public Key-based Authentication (Implemented? / Comments)
- For public key-based authentication: [Implemented: No]
  - Generate public and private key pairs; [Implemented: No]
  - Store the private key securely; [Implemented: No]
  - Exchange public keys between the two parties; [Implemented: No]
  - Authenticate the identity of the other party using the public key; [Implemented: No]
  - Map the authenticated identity to the account of the individual or group. [Implemented: No]
- When public key infrastructure (PKI) is used: [Implemented: No]
  - Establish a trust anchor; [Implemented: No]
  - Issue certificates to the entities involved; [Implemented: No]
  - Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; [Implemented: No]
  - Implement a local cache of revocation data to support path discovery and validation; [Implemented: No]
  - Revoke certificates when needed. [Implemented: No]

IA-5(6) Authenticator Management | Protection of Authenticators (Implemented? / Comments)
- Identify the security category of the information to which use of the authenticator permits access. [Implemented: No]
- Select an appropriate authentication method for the security category. [Implemented: No]
- Implement the authentication method using appropriate security measures. [Implemented: No]
- Set up monitoring processes and tools for the authentication system for any suspicious activity. [Implemented: No]
- Ensure that the authentication system is regularly updated with the latest security patches. [Implemented: No]
- Educate users on the importance of using strong passwords and other security measures. [Implemented: No]
- Implement additional security measures such as two-factor authentication or biometric authentication. [Implemented: No]
- Regularly review and update authentication policies and procedures. [Implemented: No]

IA-12 Identity Proofing (Implemented? / Comments)
- Establish identity assurance level requirements based on applicable standards and guidelines. [Implemented: No]
- Identify users who require accounts for logical access to systems. [Implemented: No]
- Resolve user identities to a unique individual. [Implemented: No]
- Collect identity evidence. [Implemented: No]
- Validate identity evidence. [Implemented: No]
- Verify identity evidence. [Implemented: No]

IA-12(2) Identity Proofing | Identity Evidence (Implemented? / Comments)
- Identify the registration authority. [Implemented: No]
- Establish a system to record evidence of individual identification. [Implemented: No]
- Create a process to verify the evidence of individual identification. [Implemented: No]
- Develop a policy to ensure the evidence of individual identification is securely stored. [Implemented: No]
- Train staff on the process to verify the evidence of individual identification. [Implemented: No]
- Implement a system to remind staff to request evidence of individual identification. [Implemented: No]
- Set up monitoring processes and tools for compliance with the policy. [Implemented: No]

IA-12(3) Identity Proofing | Identity Evidence Validation and Verification Implemented? Comments
Establish organization-defined methods of validation and verification. No
Develop a process to ensure that identity evidence is validated and verified using the established methods. No
Train personnel on the process and methods of validation and verification. No
Monitor the process to ensure that identity evidence is validated and verified according to the established methods. No
Document the process and results of the validation and verification. No

IA-12(5) Identity Proofing | Address Confirmation Implemented? Comments
Create a registration code. No
Generate a notice of proofing. No
Send the registration code and notice of proofing through an out-of-band channel. No
Verify the user's address of record. No
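One way to implement the four steps above, as an added Go example that is not part of this checklist: Issue creates the registration code and the notice of proofing for out-of-band delivery and stores only an HMAC of the code bound to the enrollment ID; Confirm verifies the code that comes back with an expiry, an attempt limit, constant-time comparison and single use. The enrollment IDs, the 7-day lifetime, the attempt limit and the HMAC key are assumptions for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
	"sync"
	"time"
)

const (
	codeBytes    = 10                 // 80 bits of entropy, 16 base32 characters
	codeLifetime = 7 * 24 * time.Hour // assumed: long enough for postal delivery, not open-ended
	maxAttempts  = 5                  // assumed: bounded online guessing per enrollment
)

var (
	ErrUnknown  = errors.New("no pending confirmation for this enrollment")
	ErrExpired  = errors.New("registration code has expired or exceeded its attempt limit")
	ErrMismatch = errors.New("registration code does not match")
)

type pendingCode struct {
	hash     [32]byte
	expires  time.Time
	failures int
}

// AddressConfirmer issues one-time registration codes and verifies them; only a keyed hash of each code is kept.
type AddressConfirmer struct {
	mu      sync.Mutex
	key     []byte
	pending map[string]*pendingCode // enrollment ID -> pending state
}

func NewAddressConfirmer(hmacKey []byte) *AddressConfirmer {
	return &AddressConfirmer{key: hmacKey, pending: map[string]*pendingCode{}}
}

// hashCode binds the code to its enrollment ID, so a code meant for one enrollment cannot be replayed against another.
func (a *AddressConfirmer) hashCode(enrollID, code string) [32]byte {
	m := hmac.New(sha256.New, a.key)
	m.Write([]byte(enrollID + "\x00" + code))
	var out [32]byte
	copy(out[:], m.Sum(nil))
	return out
}

// Issue creates the registration code and the notice of proofing. The caller sends both through the
// out-of-band channel (e.g. postal mail to the address of record), never to the online session.
func (a *AddressConfirmer) Issue(enrollID, applicant string, now time.Time) (code, notice string, err error) {
	raw := make([]byte, codeBytes)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	code = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw)
	a.mu.Lock()
	a.pending[enrollID] = &pendingCode{hash: a.hashCode(enrollID, code), expires: now.Add(codeLifetime)}
	a.mu.Unlock()
	notice = fmt.Sprintf("Notice of proofing for %s (enrollment %s): enter code %s before %s. "+
		"If you did not request this, contact the registration authority.", applicant, enrollID, code, now.Add(codeLifetime).Format(time.RFC1123))
	return code, notice, nil
}

// Confirm checks a returned code: the enrollment must be pending, unexpired and under the attempt
// limit, and the code must match in constant time. A matching code is consumed (single use).
func (a *AddressConfirmer) Confirm(enrollID, code string, now time.Time) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	p, ok := a.pending[enrollID]
	if !ok {
		return ErrUnknown
	}
	if now.After(p.expires) || p.failures >= maxAttempts {
		delete(a.pending, enrollID) // dead either way; the applicant must be re-proofed
		return ErrExpired
	}
	got := a.hashCode(enrollID, code)
	if !hmac.Equal(got[:], p.hash[:]) {
		p.failures++
		return ErrMismatch
	}
	delete(a.pending, enrollID) // single use: the address of record is now confirmed
	return nil
}

func main() {
	ac := NewAddressConfirmer([]byte("demo-only key; load from a KMS in production")) // assumption
	code, notice, err := ac.Issue("enr-42", "A. Applicant", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(notice)
	fmt.Println(ac.Confirm("enr-42", "WRONGCODE", time.Now()), ac.Confirm("enr-42", code, time.Now()), ac.Confirm("enr-42", code, time.Now()))
}
```

The pending table holds hashes only, so a copy of it is useless to an attacker, and the enrollment ID is part of the hash input, so a code intercepted in one envelope cannot confirm a different enrollment.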

Baseline - High

IA-2(5) Identification and Authentication (Organizational Users) | Individual Authentication with Group Authentication Implemented? Comments
Establish a policy that requires individual authentication for access to shared accounts or resources. No
Implement a system to track user authentication attempts. No
Set up a system to monitor user access to shared accounts or resources. No
Implement a system to revoke access to shared accounts or resources when necessary. No
Establish procedures for users to securely store and manage passwords. No
Educate users on the importance of individual authentication and the risks associated with shared accounts or resources. No
Create a system to alert administrators when suspicious activity is detected. No
Monitor user activity on shared accounts or resources. No
Establish a system to audit user access to shared accounts or resources. No
Implement a system to log user activity on shared accounts or resources. No

IA-12(4) Identity Proofing | In-person Validation and Verification Implemented? Comments
Designate registration authorities to conduct in-person identity validation and verification. No
Establish a process for verifying the identity evidence presented by applicants. No
Develop a system for recording and storing the identity evidence collected. No
Train registration authorities on the process for validating and verifying identity evidence. No
Create a system for tracking the progress of applicants through the identity validation and verification process. No
Establish a system for issuing credentials to applicants upon successful completion of the identity validation and verification process. No
Develop a process for monitoring and auditing the identity validation and verification process. No
Implement a system for reporting any discrepancies or violations of the identity validation and verification process. No

IR Incident Response
Baseline - Low

IR-1 Policy and Procedures Implemented? Comments
Define who is responsible for the incident response policy. No
Establish the scope of the incident response policy and procedures. No
Define policy statements that meet applicable legal and organizational requirements. No

IR-2 Incident Response Training Implemented? Comments
Identify incident response roles and responsibilities. No
Develop incident response training content. No
Establish a time period within which users must receive incident response training. No
Establish a frequency for users to receive incident response training. No
Establish a frequency for reviewing and updating incident response training content. No
Establish organization-defined events that trigger review and update of incident response training content. No
Deliver incident response training to system users. No
Monitor and evaluate user understanding of incident response training. No

IR-4 Incident Handling Implemented? Comments
Develop an incident response plan that outlines the steps to be taken in the event of an incident. No
Establish an incident handling team with the appropriate skills and expertise to respond to incidents. No
Train the incident handling team on the incident response plan and procedures. No
Monitor the organization's systems and networks for signs of an incident. No
Analyze the incident to determine its cause and extent. No
Contain the incident to prevent further damage. No
Eradicate the incident by removing the malicious code or actor. No
Recover from the incident by restoring systems and data. No
Document the incident and the steps taken to address it. No
Coordinate incident handling activities with contingency planning activities. No
Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing. No
Implement the changes resulting from the lessons learned. No
Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. No

IR-5 Incident Monitoring Implemented? Comments
Establish a system for tracking and documenting incidents. No
Develop a process for logging and recording incidents. No
Train staff on how to properly document incidents. No
Establish a system for categorizing and tracking incidents. No
Establish a system for reporting incidents to the appropriate authorities. No
Establish a system for monitoring and analyzing incidents. No
Set up a system for regularly reviewing and updating incident documentation. No
Develop a system for responding to incidents in a timely manner. No
Develop a system for tracking and reporting incident trends. No
Develop a system for evaluating the effectiveness of incident response and prevention measures. No

IR-6 Incident Reporting Implemented? Comments
Establish an organizational incident response capability. No
Develop a policy requiring personnel to report suspected incidents to the incident response capability within the specified time period. No
Train personnel on the policy and the incident response capability. No
Establish procedures for personnel to report incident information to the appropriate authorities. No
Monitor compliance with the policy and procedures. No

IR-7 Incident Response Assistance Implemented? Comments
Create a dedicated incident response support resource. No
Develop a process for users to report incidents. No
Train the incident response support resource on incident response procedures. No
Establish communication channels between the incident response support resource and users of the system. No
Develop a system for tracking and responding to reported incidents. No
Monitor the system for incidents and respond accordingly. No
Provide regular updates to users on the status of reported incidents. No
Establish a feedback loop for users to provide feedback on the incident response process. No
Evaluate the effectiveness of the incident response process and make adjustments as needed. No

IR-8 Incident Response Plan Implemented? Comments
Identify the organization's unique requirements related to mission, size, structure, and functions. No
Define reportable incidents. No
Develop an incident response plan that meets the organization's unique requirements. No
Establish metrics for measuring the incident response capability within the organization. No
Define the resources and management support needed to effectively maintain and mature an incident response capability. No
Address the sharing of incident information. No
Designate responsibility for incident response to organization-defined entities, personnel, or roles. No
Obtain approval from organization-defined personnel or roles. No
Distribute copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements. No
Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing. No
Communicate incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements. No
Protect the incident response plan from unauthorized disclosure and modification. No

Baseline - Moderate

IR-3 Incident Response Testing Implemented? Comments
Define the frequency of the incident response capability test. No
Define the tests to be used for the incident response capability test. No
Create a plan to execute the tests. No
Execute the tests according to the plan. No
Analyze the results of the tests. No
Document the results of the tests. No
Make any necessary changes to the incident response capability based on the results of the tests. No

IR-3(2) Incident Response Testing | Coordination with Related Plans Implemented? Comments
Identify the organizational elements responsible for the related plans (for example, contingency plans). No
Establish a timeline for the incident response testing. No
Develop a plan outlining the scope and objectives of the incident response testing. No
Identify the resources required to conduct the testing. No
Schedule meetings with the organizational elements to coordinate the incident response testing. No
Create a test environment to simulate the incident response testing. No
Execute the incident response testing. No
Analyze the results of the incident response testing. No
Document the findings of the incident response testing. No
Implement any necessary changes based on the results of the incident response testing. No

IR-4(1) Incident Handling | Automated Incident Handling Processes Implemented? Comments
Identify and document the incident handling process. No
Design and develop automated mechanisms to support the incident handling process. No
Test the automated mechanisms to ensure they are functioning correctly. No
Deploy the automated mechanisms to the organization's systems. No
Train personnel on the use of the automated mechanisms. No
Monitor the automated mechanisms to ensure they are working properly. No
Update the automated mechanisms as needed. No

IR-6(1) Incident Reporting | Automated Reporting Implemented? Comments
Define organization-specific automated mechanisms for reporting incidents. No
Establish a process for submitting incident reports using the automated mechanisms. No
Train personnel on the process for submitting incident reports. No
Monitor the automated mechanisms for incident reports. No
Investigate and respond to incident reports as appropriate. No
Document incident reports and responses. No
Review incident reports and responses regularly. No

IR-6(3) Incident Reporting | Supply Chain Coordination Implemented? Comments
Identify the provider of the product or service and the other organizations involved in the supply chain or supply chain governance for the systems or system components related to the incident. No
Collect and document incident information, such as the date and time of the incident, the affected systems or system components, and any other relevant details. No
Contact the provider and the other supply chain organizations identified above. No
Provide the collected incident information to the provider and the other supply chain organizations. No
Monitor the response of the provider and the other supply chain organizations. No
Follow up with the provider and the other supply chain organizations to ensure that the incident is addressed. No

IR-7(1) Incident Response Assistance | Automation Support for Availability of Information and Support Implemented? Comments
Identify the organization-defined automated mechanisms that can be used to increase the availability of incident response information and support. No
Develop a plan to implement the identified automated mechanisms. No
Test the automated mechanisms to ensure they are functioning properly. No
Train personnel on how to use the automated mechanisms. No
Deploy the automated mechanisms. No
Monitor the automated mechanisms to ensure they are working properly. No
Update the automated mechanisms as needed. No

Baseline - High

IR-2(1) Incident Response Training | Simulated Events Implemented? Comments
Identify the types of simulated events that should be incorporated into the training. No
Develop a plan for how the simulated events will be incorporated into the training. No
Create the simulated events. No
Create training materials to explain the simulated events and the expected response. No
Conduct the training with the simulated events. No
Evaluate the effectiveness of the training and the simulated events. No
Make any necessary adjustments to the simulated events or the training materials. No
Repeat the training with the adjusted simulated events. No

IR-2(2) Incident Response Training | Automated Training Environments Implemented? Comments
Identify the organization's incident response requirements. No
Design a training environment to meet the organization's incident response requirements. No
Develop automated mechanisms to support the training environment. No
Test the automated mechanisms to ensure they are functioning properly. No
Train personnel on the incident response processes and procedures. No
Monitor the training environment to ensure it is functioning properly. No
Update the training environment as needed to ensure it is up to date. No
Evaluate the effectiveness of the training environment. No

IR-4(4) Incident Handling | Information Correlation Implemented? Comments
Collect incident information from various sources. No
Analyze the incident information to identify patterns and trends. No
Establish an incident response plan based on the analysis. No
Implement the incident response plan across the organization. No
Monitor the incident response plan to ensure it is effective. No
Regularly review the incident response plan and adjust as needed. No
Provide training and education to personnel on the incident response plan. No
Track and document incident responses to identify areas for improvement. No
Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. No
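The correlation step above, as an added Go example that is not part of this checklist: records from two constructed sources, an authentication log and an EDR alert feed, are parsed into one event shape, ordered per host, split into clusters by time gap, and reported as an incident only where two independent sources corroborate each other inside the window. The line format, host names, addresses, the alert name and the 10-minute window are assumptions for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

type Event struct {
	Time   time.Time
	Source string // "auth", "edr", ... : the independent feed the record came from
	Host   string
	Fields map[string]string
}

// ParseLine reads the constructed format "<RFC3339> <source> k=v k=v ..."; a bare token is a flag, host= is mandatory.
func ParseLine(line string) (Event, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := Event{Time: ts, Source: parts[1], Fields: map[string]string{}}
	for _, kv := range parts[2:] {
		k, v, _ := strings.Cut(kv, "=")
		ev.Fields[k] = v
	}
	if ev.Host = ev.Fields["host"]; ev.Host == "" {
		return Event{}, fmt.Errorf("missing host in %q", line)
	}
	return ev, nil
}

// Incident is the organization-wide view of one host: activity window, number of independent sources, tally of "source/kind".
type Incident struct {
	Host    string
	Window  [2]time.Time
	Sources int
	Reports map[string]int
}

// Correlate orders events by host and time, splits each host's stream into clusters whose consecutive
// events are at most window apart, and keeps only clusters corroborated by two or more sources.
func Correlate(events []Event, window time.Duration) []Incident {
	sort.Slice(events, func(i, j int) bool {
		if events[i].Host != events[j].Host {
			return events[i].Host < events[j].Host
		}
		return events[i].Time.Before(events[j].Time)
	})
	var out []Incident
	start := 0
	for i := 1; i <= len(events); i++ {
		if i == len(events) || events[i].Host != events[i-1].Host || events[i].Time.Sub(events[i-1].Time) > window {
			if inc, ok := toIncident(events[start:i]); ok {
				out = append(out, inc)
			}
			start = i
		}
	}
	return out
}

func toIncident(evs []Event) (Incident, bool) {
	inc := Incident{Host: evs[0].Host, Window: [2]time.Time{evs[0].Time, evs[len(evs)-1].Time}, Reports: map[string]int{}}
	seen := map[string]bool{}
	for _, e := range evs {
		seen[e.Source] = true
		kind := e.Fields["result"] // auth records carry result=, EDR records carry alert=
		if kind == "" {
			kind = e.Fields["alert"]
		}
		inc.Reports[e.Source+"/"+kind]++
	}
	inc.Sources = len(seen)
	return inc, inc.Sources >= 2 // one source acting alone stays with that source's own alerting
}

// SampleLog is constructed: failed logins on web01 ending in a success, an EDR alert there minutes later, an uncorroborated failure on db01.
var SampleLog = []string{
	"2025-02-01T10:00:01Z auth host=web01 src=203.0.113.5 user=alice result=FAIL",
	"2025-02-01T10:00:04Z auth host=web01 src=203.0.113.5 user=alice result=FAIL",
	"2025-02-01T10:00:30Z auth host=web01 src=203.0.113.5 user=alice result=OK",
	"2025-02-01T10:04:10Z edr host=web01 alert=suspicious_child_process parent=sshd",
	"2025-02-01T11:30:00Z auth host=db01 src=198.51.100.7 user=bob result=FAIL",
}

func DemoIncidents() ([]Incident, error) {
	var events []Event
	for _, line := range SampleLog {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return Correlate(events, 10*time.Minute), nil
}

func main() { fmt.Println(DemoIncidents()) }
```

The output carries one incident for web01 with two sources and a tally of auth/FAIL, auth/OK and edr/suspicious_child_process; db01 produces nothing because only the authentication log saw it. Feeding a third source (help-desk tickets, for instance) needs no change beyond emitting lines in the same shape.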

IR-4(11) Incident Handling | Integrated Incident Response Team Implemented? Comments
Identify the members of the incident response team. No
Establish roles and responsibilities for each team member. No
Develop a plan for deploying the team to any location identified by the organization. No
Establish a communication protocol for the team. No
Develop a training program for the team members. No
Establish a system for tracking and reporting incidents. No
Establish a system for monitoring and evaluating the team's performance. No
Establish a system for tracking and responding to incidents. No
Develop a process for escalating incidents to the appropriate personnel. No
Develop a process for documenting and sharing incident response activities. No

IR-5(1) Incident Monitoring | Automated Tracking, Data Collection, and Analysis Implemented? Comments
Establish an automated mechanism to track incidents. No
Collect incident information using the automated mechanism. No
Analyze the incident information using the automated mechanism. No
Document the incident information in a centralized repository. No
Monitor the automated mechanism for any changes or updates. No
Regularly review the incident information and update the centralized repository. No
Ensure that the incident information is kept up to date. No
Develop a process to ensure that the incident information is securely stored. No
Develop a process to ensure that the incident information is regularly reviewed and updated. No
Develop a process to ensure that the incident information is securely shared with authorized personnel. No

MA Maintenance
Baseline - Low

MA-1 Policy and Procedures Implemented? Comments
Define who is responsible for the maintenance policy. No
Establish the scope of the maintenance policy and procedures. No
Define policy statements that meet applicable legal and organizational requirements. No

MA-2 Controlled Maintenance Implemented? Comments
Develop a schedule for maintenance, repair, and replacement of system components. No
Document all maintenance activities, including on-site and off-site services. No
Require approval from designated personnel or roles for removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement. No
Sanitize equipment to remove organization-defined information prior to removal from organizational facilities for off-site maintenance, repair, or replacement. No
Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions. No
Include organization-defined information in organizational maintenance records. No
Review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements. No
Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location. No

MA-4 Nonlocal Maintenance Implemented? Comments
Establish organizational policy regarding nonlocal maintenance and diagnostic activities. No
Document nonlocal maintenance and diagnostic activities in the security plan for the system. No
Approve nonlocal maintenance and diagnostic activities. No
Monitor nonlocal maintenance and diagnostic activities. No
Allow use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system. No
Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions. No
Maintain records for nonlocal maintenance and diagnostic activities. No
Terminate session and network connections when nonlocal maintenance is completed. No

MA-5 Maintenance Personnel Implemented? Comments
Develop a policy outlining the requirements for maintenance personnel authorization. No
Create a list of authorized maintenance organizations or personnel. No
Establish a process to verify that non-escorted personnel performing maintenance on the system possess the required access authorizations. No
Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. No
Monitor and audit the maintenance activities to ensure compliance with the policy. No
Update the list of authorized maintenance organizations or personnel as needed. No

Baseline - Moderate

MA-3 Maintenance Tools Implemented? Comments
Develop a system maintenance tool approval process. No
Establish a system maintenance tool control and monitoring process. No
Establish a review process for previously approved system maintenance tools. No
Define the frequency of review for previously approved system maintenance tools. No
Monitor the use of system maintenance tools. No
Approve system maintenance tools. No
Review previously approved system maintenance tools at the organization-defined frequency. No
Update the system maintenance tool control and monitoring process as needed. No

MA-3(1) Maintenance Tools | Inspect Tools Implemented? Comments
Gather information about the maintenance tools used by maintenance personnel. No
Create a checklist of the maintenance tools used by maintenance personnel. No
Inspect the maintenance tools for any improper or unauthorized modifications. No
Document any improper or unauthorized modifications found. No
Report any improper or unauthorized modifications to the appropriate personnel. No
Take corrective action to address any improper or unauthorized modifications. No
Monitor the maintenance tools for any future improper or unauthorized modifications. No

MA-3(2) Maintenance Tools | Inspect Media Implemented? Comments
Scan the media for any malicious code. No
Check the media for any suspicious files or programs. No
Run anti-virus software to detect any malicious code. No
Update the anti-virus software regularly. No
Monitor the system for any suspicious activity. No
Implement a firewall to protect the system from malicious code. No
Regularly check the system for any unauthorized changes. No
Implement a system of user authentication and authorization. No
Train users on the importance of security and the risks of malicious code. No
Implement a backup system to restore the system in case of a malicious code attack. No

MA-3(3) Maintenance Tools | Prevent Unauthorized Removal Implemented? Comments
Identify the maintenance equipment containing organizational information. No
Verify that there is no organizational information contained on the equipment. No
Sanitize or destroy the equipment. No
Retain the equipment within the facility. No
Obtain an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility. No
Monitor the equipment to ensure it is not removed without authorization. No

MA-6 Timely Maintenance Implemented? Comments
Identify the system components that require maintenance support and/or spare parts. No
Establish an organization-defined time period for obtaining the maintenance support and/or spare parts. No
Contact the appropriate vendors and/or suppliers to obtain the maintenance support and/or spare parts. No
Negotiate the best possible price for the maintenance support and/or spare parts. No
Place the order for the maintenance support and/or spare parts. No
Track the delivery of the maintenance support and/or spare parts. No
Receive the maintenance support and/or spare parts. No
Install the maintenance support and/or spare parts. No
Test the system components to ensure they are functioning properly. No
Document the process of obtaining the maintenance support and/or spare parts. No

Baseline - High

MA-2(2) Controlled Maintenance | Automated Maintenance Activities Implemented? Comments
Identify automated mechanisms for scheduling, conducting, and documenting maintenance, repair, and replacement actions. No
Develop a system for producing up-to-date, accurate, and complete records of all maintenance, repair, and replacement actions. No
Schedule maintenance, repair, and replacement actions using the automated mechanisms. No
Conduct maintenance, repair, and replacement actions as scheduled. No
Document maintenance, repair, and replacement actions using the automated mechanisms. No
Update records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed. No

MA-4(3) Nonlocal Maintenance | Comparable Security and Sanitization Implemented? Comments
Establish a security capability on the system being serviced. No
Set up a system that implements a security capability comparable to the one on the system being serviced. No
Remove the component to be serviced from the system. No
Sanitize the component for organizational information. No
Perform the nonlocal maintenance or diagnostic services. No
Inspect and sanitize the component for potentially malicious software. No
Reconnect the component to the system. No

MA-5(1) Maintenance Personnel | Individuals Without Appropriate Access Implemented? Comments
Identify maintenance personnel who lack appropriate security clearances or are not U.S. citizens. No
Develop procedures for the use of such maintenance personnel that include the requirements listed in MA-5(1)(a). No
Train maintenance personnel on the procedures. No
Designate approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified to escort and supervise maintenance personnel. No
Sanitize all volatile information storage components within the system prior to initiating maintenance or diagnostic activities. No
Remove or physically disconnect all nonvolatile storage media from the system and secure them. No
Develop and implement organization-defined alternate controls in the event a system component cannot be sanitized, removed, or disconnected from the system. No

MP Media Protection
Baseline - Low

MP-1 Policy and Procedures Implemented? Comments
Define who is responsible for the media protection policy. No
Establish the scope of the media protection policy and procedures. No
Define policy statements that meet applicable legal and organizational requirements. No

MP-2 Media Access Implemented? Comments
Identify the types of digital and/or non-digital media that need to be restricted. No
Identify the personnel or roles that need access to the media. No
Develop a policy outlining the access restrictions. No
Implement technical controls to enforce the access restrictions. No
Monitor access to the media to ensure the restrictions are being enforced. No
Periodically review access restrictions to ensure they are still appropriate. No

MP-6 Media Sanitization Implemented? Comments
Identify the system media that needs to be sanitized. No
Determine the security category or classification of the information. No
Select the organization-defined sanitization techniques and procedures. No
Implement the sanitization techniques and procedures. No
Ensure that the sanitization mechanisms used have strength and integrity commensurate with the security category or classification of the information. No
Dispose of, release out of organizational control, or release for reuse the sanitized system media. No

MP-7 Media Use Implemented? Comments
Identify the types of system media to restrict or prohibit. No
Identify the systems or system components to which the restrictions or prohibitions will apply. No
Identify the controls to be used for restricting or prohibiting the use of the system media. No
Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. No
Implement the controls to restrict or prohibit the use of the system media on the identified systems or system components. No
Monitor the systems or system components to ensure the controls are enforced. No

Baseline - Moderate

MP-3 Media Marking Implemented? Comments
Identify the types of system media that require marking. No
Determine the distribution limitations, handling caveats, and applicable security markings for the system media. No
Mark the system media with the distribution limitations, handling caveats, and applicable security markings. No
Identify the types of system media that will be exempt from marking. No
Define the controlled areas within which the exempt system media must remain. No
Monitor the system media to ensure that the exempt system media remain within the controlled areas. No

MP-4 Media Storage Implemented? Comments
Identify the types of digital and/or non-digital media that need to be physically controlled and securely stored. No
Define the controlled areas where the media should be stored. No
Establish procedures to protect the system media types defined in MP-4a. No
Implement approved equipment, techniques, and procedures to sanitize or destroy the media. No
Monitor the controlled areas to ensure the media are properly stored and protected. No
Periodically audit the controlled areas to ensure the media are properly stored and protected. No
Regularly review and update the procedures for protecting and sanitizing or destroying the media. No

MP-5 Media Transport Implemented? Comments
Identify the types of system media that need to be protected and controlled. No
Establish organization-defined controls to protect and control the system media during transport outside of controlled areas. No
Develop a system to maintain accountability for system media during transport outside of controlled areas. No
Create procedures to document activities associated with the transport of system media. No
Establish a policy to restrict the activities associated with the transport of system media to authorized personnel. No
Train personnel on the organization-defined controls, accountability system, and policy. No
Monitor and audit the transport of system media to ensure compliance. No

Baseline - High

MP-6(1) Media Sanitization | Review, Approve, Track, Document, and Verify Implemented? Comments
Review media sanitization and disposal actions. No
Approve media sanitization and disposal actions. No
Track media sanitization and disposal actions. No
Document media sanitization and disposal actions. No
Verify media sanitization and disposal actions. No

MP-6(2) Media Sanitization | Equipment Testing Implemented? Comments
Define the frequency of testing. No
Identify the sanitization equipment and procedures to be tested. No
Establish a testing protocol. No
Carry out the testing. No
Analyze the results of the testing. No
Take corrective action if necessary. No
Document the results of the testing. No

MP-6(3) Media Sanitization | Nondestructive Techniques Implemented? Comments
Identify the organization-defined circumstances requiring sanitization of portable storage devices. No
Establish a process for sanitizing portable storage devices prior to connecting them to the system. No
Train personnel on the process for sanitizing portable storage devices. No
Implement a policy requiring personnel to sanitize portable storage devices prior to connecting them to the system. No
Monitor compliance with the policy. No
Perform periodic audits to ensure the policy is being followed. No

PE Physical and Environmental Protection
Baseline - Low

PE-1 Policy and Procedures Implemented? Comments
Define who is responsible for the physical and environmental protection policy. No
Establish the scope of the physical and environmental protection policy and procedures. No
Define policy statements that meet applicable legal and organizational requirements. No

PE-2 Physical Access Authorizations Implemented? Comments
Develop a list of individuals with authorized access to the facility. No
Approve the list of individuals with authorized access to the facility. No
Maintain the list of individuals with authorized access to the facility. No
Issue authorization credentials for facility access. No
Review the access list detailing authorized facility access by individuals at an organization-defined frequency. No
Remove individuals from the facility access list when access is no longer required. No

PE-3 Physical Access Control
Step | Implemented? | Comments
Verify individual access authorizations before granting access to the facility. | No |
Control ingress and egress to the facility using organization-defined physical access control systems or devices, guards, etc. | No |
Maintain physical access audit logs for organization-defined entry or exit points. | No |
Implement organization-defined physical access controls for areas within the facility designated as publicly accessible. | No |
Escort visitors and control visitor activity under organization-defined circumstances. | No |
Secure keys, combinations, and other physical access devices. | No |
Inventory organization-defined physical access devices at organization-defined frequency. | No |
Change combinations and keys at organization-defined frequency and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. | No |

PE-6 Monitoring Physical Access
Step | Implemented? | Comments
Establish a policy to monitor physical access to the facility. | No |
Set up a system to log physical access to the facility. | No |
Establish a frequency for reviewing physical access logs. | No |
Define events or potential indications of events that trigger a review of physical access logs. | No |
Investigate any suspicious activity detected in the physical access logs. | No |
Coordinate results of reviews and investigations with the organizational incident response capability. | No |
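The PE-6 review steps above (log physical access, define the events that trigger a review, investigate what the review finds) are easier to operationalize when the review itself is automated. The following Python is an added example and not part of the checklist: it parses a constructed badge-reader export, checks each granted event against a constructed PE-2 authorization list, and flags the three conditions a reviewer would typically define as triggers. The badge ids, door names, business hours and the denial threshold are all assumptions made for the example.

```python
"""Physical access log review (PE-2 / PE-6): an added example, not part of the checklist.

Constructed sample: a badge-reader export with one event per line,
    <ISO timestamp>,<badge id>,<door>,<GRANTED|DENIED>
The authorized-access list (the PE-2 list), door names, business hours and the
denial threshold are all assumptions made for the example.
"""
from collections import Counter
from datetime import datetime, time

# Constructed PE-2 access list: badge id -> doors the holder is authorized to use.
AUTHORIZED = {
    "B1001": {"lobby", "server-room"},
    "B1002": {"lobby"},
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed: access outside this window is reviewed
DENIAL_THRESHOLD = 3                         # assumed: this many denials at one door triggers review

# Constructed log lines (not real data).
SAMPLE_LOG = """\
2025-02-03T08:02:11,B1001,lobby,GRANTED
2025-02-03T08:05:40,B1001,server-room,GRANTED
2025-02-03T09:10:02,B1002,lobby,GRANTED
2025-02-03T09:11:15,B1002,server-room,DENIED
2025-02-03T09:11:30,B1002,server-room,DENIED
2025-02-03T09:11:48,B1002,server-room,DENIED
2025-02-03T23:40:05,B1001,server-room,GRANTED
2025-02-04T02:15:00,B9999,lobby,GRANTED
"""


def parse_log(text):
    """Parse the export into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return events


def review_physical_access(events):
    """Return findings as (category, badge, door, timestamp) tuples, in log order.

    Categories:
      granted-but-not-authorized  a door opened for a badge the PE-2 list does not
                                  authorize for it (reader database out of sync with the list)
      after-hours-access          an authorized badge used outside business hours
      repeated-denials            DENIAL_THRESHOLD denials by one badge at one door
    """
    findings = []
    denials = Counter()
    for e in events:
        allowed = AUTHORIZED.get(e["badge"], set())
        if e["result"] == "GRANTED":
            if e["door"] not in allowed:
                findings.append(("granted-but-not-authorized", e["badge"], e["door"], e["ts"]))
            elif not BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]:
                findings.append(("after-hours-access", e["badge"], e["door"], e["ts"]))
        else:
            key = (e["badge"], e["door"])
            denials[key] += 1
            if denials[key] == DENIAL_THRESHOLD:
                findings.append(("repeated-denials", e["badge"], e["door"], e["ts"]))
    return findings


if __name__ == "__main__":
    for finding in review_physical_access(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Each finding maps to a row in the checklist: the first category is a direct PE-2 list discrepancy, the other two are the "events or potential indications of events" that should trigger a review, and the output is what gets handed to the incident response capability in the last step.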

PE-8 Visitor Access Records
Step | Implemented? | Comments
Establish an organization-defined time period for maintaining visitor access records. | No |
Establish an organization-defined frequency for reviewing visitor access records. | No |
Designate the organization-defined personnel to whom anomalies in visitor access records are reported. | No |
Collect visitor access records. | No |
Store visitor access records for the organization-defined time period. | No |
Review visitor access records at the organization-defined frequency. | No |
Identify any anomalies in visitor access records. | No |
Report any anomalies in visitor access records to the organization-defined personnel. | No |

PE-12 Emergency Lighting
Step | Implemented? | Comments
Research and select an appropriate emergency lighting system for the facility. | No |
Install the emergency lighting system in the facility. | No |
Test the emergency lighting system to ensure it is functioning properly. | No |
Train staff on the proper use and maintenance of the emergency lighting system. | No |
Develop a maintenance schedule for the emergency lighting system. | No |
Set up monitoring processes and tools to check the emergency lighting system regularly to ensure it is functioning properly. | No |
Replace any faulty components of the emergency lighting system as needed. | No |
Update the emergency lighting system as needed to meet changing safety requirements. | No |

PE-13 Fire Protection
Step | Implemented? | Comments
Research and select fire detection and suppression systems that are supported by an independent energy source. | No |
Purchase the fire detection and suppression systems. | No |
Install the fire detection and suppression systems. | No |
Test the fire detection and suppression systems to ensure they are working properly. | No |
Train staff on the proper use and maintenance of the fire detection and suppression systems. | No |
Regularly inspect and maintain the fire detection and suppression systems. | No |
Set up monitoring processes and tools for the fire detection and suppression systems to ensure they are functioning properly. | No |
Respond to any alarms or alerts from the fire detection and suppression systems. | No |

PE-14 Environmental Controls
Step | Implemented? | Comments
Establish organization-defined acceptable levels for temperature, humidity, pressure, and radiation. | No |
Install environmental control systems in the facility. | No |
Set up the environmental control systems to maintain the temperature, humidity, pressure, and radiation levels within the organization-defined acceptable levels. | No |
Set up monitoring processes and tools for the environmental control levels at the organization-defined frequency. | No |
Take corrective action if the environmental control levels are outside the organization-defined acceptable levels. | No |

PE-15 Water Damage Protection
Step | Implemented? | Comments
Identify areas of the system that are vulnerable to water damage. | No |
Install master shutoff or isolation valves in these areas. | No |
Ensure that the valves are accessible and working properly. | No |
Make sure that key personnel are aware of the location and operation of the valves. | No |
Test the valves regularly to ensure that they are functioning properly. | No |
Set up monitoring processes and tools to check the system for any signs of water damage. | No |
Take prompt action if any water damage is detected. | No |

PE-16 Delivery and Removal
Step | Implemented? | Comments
Establish an authorization process for system components entering and exiting the facility. | No |
Establish a control process for the organization-defined types of system components entering and exiting the facility. | No |
Set up monitoring processes and tools for the system components entering and exiting the facility. | No |
Create records of the system components entering and exiting the facility. | No |
Store the records of the system components in a secure location. | No |
Periodically review the records of the system components to ensure accuracy. | No |

Baseline - Moderate

PE-4 Access Control for Transmission
Step | Implemented? | Comments
Identify the system distribution and transmission lines that need to be secured. | No |
Determine the security controls that need to be implemented to protect the system distribution and transmission lines. | No |
Establish a process to monitor physical access to the system distribution and transmission lines. | No |
Implement the security controls to protect the system distribution and transmission lines. | No |
Train personnel on the security controls and procedures for physical access to the system distribution and transmission lines. | No |
Set up monitoring processes and tools to monitor and audit physical access to the system distribution and transmission lines. | No |
Update security controls and procedures as needed. | No |

PE-5 Access Control for Output Devices
Step | Implemented? | Comments
Identify the output devices used in the organization. | No |
Establish access control measures for the output devices. | No |
Implement authentication measures for users to access the output devices. | No |
Establish procedures to monitor and audit access to the output devices. | No |
Implement procedures to securely dispose of output from the output devices. | No |
Establish procedures to report unauthorized access attempts to the output devices. | No |
Train users on the procedures for accessing and disposing of output from the output devices. | No |

PE-6(1) Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment
Step | Implemented? | Comments
Purchase physical intrusion alarms and surveillance equipment. | No |
Install physical intrusion alarms and surveillance equipment. | No |
Configure physical intrusion alarms and surveillance equipment. | No |
Set up monitoring processes and tools to monitor physical access to the facility using physical intrusion alarms and surveillance equipment. | No |
Respond to any alarms or suspicious activity detected by physical intrusion alarms and surveillance equipment. | No |

PE-9 Power Equipment and Cabling
Step | Implemented? | Comments
Identify the power equipment and power cabling that needs to be protected. | No |
Install protective guards around the power equipment and power cabling. | No |
Secure the protective guards with appropriate fasteners. | No |
Inspect the protective guards regularly to ensure they are in good condition. | No |
Replace any damaged or worn protective guards. | No |
Label the power equipment and power cabling to clearly identify the purpose of each. | No |
Install surge protection devices on the power equipment and power cabling. | No |
Regularly inspect the surge protection devices to ensure they are functioning correctly. | No |
Replace any damaged or worn surge protection devices. | No |
Install fire suppression systems near the power equipment and power cabling. | No |
Regularly inspect the fire suppression systems to ensure they are functioning correctly. | No |
Replace any damaged or worn fire suppression systems. | No |

PE-10 Emergency Shutoff
Step | Implemented? | Comments
Identify the system or individual system components that need to have the capability of being shut off in emergency situations. | No |
Determine the locations by system or system component where emergency shutoff switches or devices should be placed. | No |
Install the emergency shutoff switches or devices in the designated locations. | No |
Establish procedures for authorized personnel to access the emergency shutoff switches or devices. | No |
Implement security measures to protect the emergency power shutoff capability from unauthorized activation. | No |
Test the emergency shutoff capability to ensure it is functioning properly. | No |

PE-11 Emergency Power
Step | Implemented? | Comments
Research and select an appropriate uninterruptible power supply (UPS) for the system. | No |
Install the UPS in the system. | No |
Configure the UPS to facilitate an orderly shutdown of the system or transition of the system to long-term alternate power in the event of a primary power source loss. | No |
Test the UPS to ensure it is functioning correctly. | No |
Set up monitoring processes and tools for the UPS to ensure it is working properly. | No |

PE-13(1) Fire Protection | Detection Systems — Automatic Activation and Notification
Step | Implemented? | Comments
Research and select appropriate fire detection systems. | No |
Install fire detection systems in the appropriate locations. | No |
Configure fire detection systems to automatically activate and notify organization-defined personnel or roles and emergency responders in the event of a fire. | No |
Test fire detection systems to ensure they are operating correctly. | No |
Train personnel on the use and maintenance of the fire detection systems. | No |
Develop and document procedures for responding to fire alarms. | No |
Develop and document procedures for testing and maintaining the fire detection systems. | No |
Set up monitoring processes and tools for fire detection systems to ensure they are operating correctly. | No |

PE-17 Alternate Work Site
Step | Implemented? | Comments
Identify and document the organization-defined alternate work sites. | No |
Establish organization-defined controls at the alternate work sites. | No |
Set up monitoring processes and tools to assess the effectiveness of the controls at the alternate work sites. | No |
Develop a communication system for employees to contact information security and privacy personnel in case of incidents. | No |
Train employees on the use of the communication system. | No |
Test the communication system to ensure it is functioning properly. | No |
Implement the communication system. | No |
Set up monitoring processes and tools for the communication system to ensure it is being used correctly. | No |

Baseline - High

PE-3(1) Physical Access Control | System Access
Step | Implemented? | Comments
Identify the physical spaces containing components of the system. | No |
Establish physical access authorization requirements for each physical space. | No |
Develop a process for granting physical access authorization. | No |
Implement physical access controls for the facility. | No |
Set up monitoring processes and tools for physical access authorization requests and grant access accordingly. | No |
Set up monitoring processes and tools for physical access to the system and take appropriate action when unauthorized access is detected. | No |
Periodically review physical access authorizations and update as needed. | No |

PE-6(4) Monitoring Physical Access | Monitoring Physical Access to Systems
Step | Implemented? | Comments
Establish a policy outlining the physical access monitoring requirements for the system. | No |
Determine the physical spaces containing one or more components of the system. | No |
Establish a procedure for monitoring physical access to the system. | No |
Implement a system for logging physical access to the system. | No |
Train personnel on the physical access monitoring requirements. | No |
Set up monitoring processes and tools for physical access to the system on an ongoing basis. | No |
Investigate any unauthorized physical access to the system. | No |
Take corrective action as needed to address any unauthorized physical access. | No |

PE-8(1) Visitor Access Records | Automated Records Maintenance and Review
Step | Implemented? | Comments
Develop an automated mechanism to record visitor access records. | No |
Establish a process to review visitor access records on a regular basis. | No |
Create a system to store visitor access records securely. | No |
Implement a system to alert designated personnel when visitor access records need to be reviewed. | No |
Set up a procedure to ensure that visitor access records are reviewed in a timely manner. | No |
Create a system to track changes to visitor access records. | No |
Establish a process to ensure that visitor access records are kept up-to-date. | No |
Develop a system to generate reports on visitor access records. | No |
Develop a system to archive visitor access records. | No |

PE-11(1) Emergency Power | Alternate Power Supply — Minimal Operational Capability
Step | Implemented? | Comments
Identify the primary power source. | No |
Determine the minimally required operational capability. | No |
Select an alternate power supply that can maintain the minimally required operational capability. | No |
Install the alternate power supply. | No |
Configure the alternate power supply to activate [Selection: manually; automatically]. | No |
Test the alternate power supply to ensure it can maintain the minimally required operational capability. | No |
Set up monitoring processes and tools for the alternate power supply to ensure it is functioning properly. | No |

PE-13(2) Fire Protection | Suppression Systems — Automatic Activation and Notification
Step | Implemented? | Comments
Research and identify fire suppression systems that activate automatically and notify organization-defined personnel or roles and emergency responders. | No |
Develop a plan to install the fire suppression systems. | No |
Purchase and install the fire suppression systems. | No |
Test the fire suppression systems to ensure they are working properly. | No |
Train personnel or roles and emergency responders on how to use the fire suppression systems. | No |
Develop a plan to employ an automatic fire suppression capability when the facility is not staffed on a continuous basis. | No |
Implement the plan to employ an automatic fire suppression capability when the facility is not staffed on a continuous basis. | No |
Test the automatic fire suppression capability to ensure it is working properly. | No |
Train personnel or roles and emergency responders on how to use the automatic fire suppression capability. | No |

PE-15(1) Water Damage Protection | Automation Support
Step | Implemented? | Comments
Establish a sensor system to detect the presence of water near the system. | No |
Set up an automated alert mechanism to notify organization-defined personnel or roles when water is detected. | No |
Test the sensor system and alert mechanism to ensure they are working properly. | No |
Implement the sensor system and alert mechanism in the system. | No |
Set up monitoring processes and tools to monitor the system for water detection and alert activation. | No |
Document the implementation process and results. | No |

PE-18 Location of System Components
Step | Implemented? | Comments
Identify potential physical and environmental hazards that could damage system components. | No |
Determine the best location within the facility to minimize potential damage from these hazards. | No |
Consider the opportunity for unauthorized access when selecting a location. | No |
Install system components in the selected location. | No |
Secure the system components with locks or other physical security measures. | No |
Test the system to ensure it is functioning properly. | No |
Document the location of the system components. | No |

PL Planning
Baseline - Low

PL-1 Policy and Procedures
Step | Implemented? | Comments
Define who is responsible for the planning policy. | No |
Establish a scope for the planning policy and procedures. | No |
Define policy and procedure statements that adhere to requirements from law and the organization. | No |

PL-2 System Security and Privacy Plans
Step | Implemented? | Comments
Gather information about the organization’s enterprise architecture, mission and business processes, system components, individuals fulfilling system roles and responsibilities, information types processed, stored, and transmitted by the system, and any specific threats to the system. | No |
Conduct a privacy risk assessment for systems processing personally identifiable information. | No |
Develop a security and privacy plan that is consistent with the organization’s enterprise architecture. | No |
Review and approve the plan by the authorizing official or designated representative prior to plan implementation. | No |
Distribute copies of the plan and communicate subsequent changes to the plan to organization-defined personnel or roles. | No |
Review the plan at organization-defined frequency. | No |
Update the plan to address changes to the system and environment of operation or problems identified during plan implementation or control assessments. | No |
Protect the plan from unauthorized disclosure and modification. | No |

PL-4 Rules of Behavior
Step | Implemented? | Comments
Draft rules of behavior for system usage, security, and privacy. | No |
Provide rules of behavior to individuals requiring access to the system. | No |
Receive documented acknowledgment from individuals indicating they have read, understand, and agree to abide by the rules of behavior. | No |
Authorize access to information and the system. | No |
Review and update the rules of behavior at an organization-defined frequency. | No |
Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge at an organization-defined frequency when the rules are revised or updated. | No |

PL-4(1) Rules of Behavior | Social Media and External Site/Application Usage Restrictions
Step | Implemented? | Comments
Draft a policy outlining the rules of behavior for the use of social media, social networking sites, and external sites/applications. | No |
Include restrictions on posting organizational information on public websites. | No |
Specify the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. | No |
Communicate the policy to all employees. | No |
Set up monitoring processes and tools to monitor and enforce the policy. | No |
Provide training and education on the policy to ensure employees are aware of the restrictions. | No |

PL-10 Baseline Selection
Step | Implemented? | Comments
Identify the system components and their associated security requirements. | No |
Identify the security controls that are applicable to the system. | No |
Analyze the security requirements and determine the appropriate security controls to meet the requirements. | No |
Develop a control baseline for the system based on the identified security controls. | No |
Evaluate the control baseline to ensure it meets the security requirements. | No |
Document the control baseline and obtain approval from the appropriate stakeholders. | No |
Implement the control baseline and monitor its effectiveness. | No |

PL-11 Baseline Tailoring
Step | Implemented? | Comments
Identify the control baseline that is applicable to the organization. | No |
Assess the existing security controls and determine the necessary tailoring actions. | No |
Develop a tailoring plan to document the tailoring actions. | No |
Implement the tailoring plan to tailor the selected control baseline. | No |
Test the tailored control baseline to ensure effectiveness. | No |
Document the tailored control baseline and associated tailoring actions. | No |
Set up monitoring processes and tools for the tailored control baseline to ensure continued effectiveness. | No |

Baseline - Moderate

PL-8 Security and Privacy Architectures
Step | Implemented? | Comments
Analyze existing security and privacy architectures and identify areas for improvement. | No |
Develop a plan for implementing the security and privacy architectures. | No |
Design the security and privacy architectures to meet the requirements outlined in the plan. | No |
Implement the security and privacy architectures. | No |
Test the security and privacy architectures to ensure they meet the requirements. | No |
Set up monitoring processes and tools for the security and privacy architectures to identify any changes or updates that need to be made. | No |
Review and update the architectures at the organization-defined frequency. | No |
Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. | No |
Document the security and privacy architectures. | No |
Train personnel on the security and privacy architectures. | No |

PM Program Management
Not part of the security baselines; should be integrated into the whole organization.

PS Personnel Security
Baseline - Low

PS-1 Policy and Procedures
Step | Implemented? | Comments
Define who is responsible for the personnel security policy. | No |
Establish a scope for the personnel security policy and procedures. | No |
Define policy and procedure statements that adhere to requirements from law and the organization. | No |

PS-2 Position Risk Designation
Step | Implemented? | Comments
Analyze the organization’s positions and assign a risk designation to each. | No |
Develop screening criteria for each position based on the assigned risk designation. | No |
Implement the screening criteria for all individuals filling the positions. | No |
Set up monitoring processes and tools to monitor and review position risk designations at an organization-defined frequency. | No |
Update position risk designations as needed. | No |

PS-3 Personnel Screening
Step | Implemented? | Comments
Develop a screening process to identify individuals who should be authorized access to the system. | No |
Establish conditions that require rescreening and the frequency of rescreening. | No |
Implement a process to screen individuals prior to authorizing access to the system. | No |
Implement a process to rescreen individuals in accordance with the conditions and frequency established. | No |
Set up monitoring processes and tools to track individuals and ensure that rescreening is conducted in accordance with the established conditions and frequency. | No |

PS-4 Personnel Termination
Step | Implemented? | Comments
Notify the individual of their termination. | No |
Disable the individual's system access within the organization-defined time period. | No |
Revoke any authenticators and credentials associated with the individual. | No |
Conduct an exit interview that includes discussion of organization-defined information security topics. | No |
Retrieve all security-related organizational system-related property from the individual. | No |
Retain access to organizational information and systems formerly controlled by the terminated individual. | No |
Update the organization's access control list to reflect the individual's termination. | No |

PS-5 Personnel Transfer
Step | Implemented? | Comments
Review current logical and physical access authorizations for individuals who have been reassigned or transferred to other positions within the organization. | No |
Initiate the organization-defined transfer or reassignment actions within the organization-defined time period following the formal transfer action. | No |
Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer. | No |
Notify the organization-defined personnel or roles within the organization-defined time period. | No |

PS-6 Access Agreements
Step | Implemented? | Comments
Create a template for access agreements. | No |
Establish a frequency for review and update of access agreements. | No |
Identify individuals requiring access to organizational information and systems. | No |
Provide access agreements to individuals requiring access. | No |
Collect signed access agreements from individuals. | No |
Grant access to organizational information and systems to individuals with signed access agreements. | No |
Set up monitoring processes and tools to check access agreements for expiration or changes at the organization-defined frequency. | No |
Provide updated access agreements to individuals with expired or changed access agreements. | No |
Collect re-signed access agreements from individuals. | No |
Maintain access to organizational systems for individuals with re-signed access agreements. | No |

PS-7 External Personnel Security
Step | Implemented? | Comments
Identify personnel security requirements, including security roles and responsibilities, for external providers. | No |
Develop personnel security policies and procedures for external providers. | No |
Document personnel security requirements. | No |
Establish a notification process for external personnel transfers or terminations. | No |
Require external providers to comply with personnel security policies and procedures. | No |
Set up monitoring processes and tools for provider compliance with personnel security requirements. | No |
Establish a system for tracking personnel security requirements and compliance. | No |

PS-8 Personnel Sanctions
Step | Implemented? | Comments
Establish information security and privacy policies and procedures. | No |
Develop a formal sanctions process for individuals who fail to comply with the established policies and procedures. | No |
Identify the personnel or roles that should be notified when a formal employee sanctions process is initiated. | No |
Establish a timeline for when personnel or roles should be notified. | No |
Implement the formal sanctions process for individuals who fail to comply with the established policies and procedures. | No |
Notify the personnel or roles within the established timeline, identifying the individual sanctioned and the reason for the sanction. | No |

PS-9 Position Descriptions
Step | Implemented? | Comments
Identify the roles and responsibilities related to security and privacy within the organization. | No |
Develop job descriptions for each role that include the security and privacy responsibilities. | No |
Update existing position descriptions to include the security and privacy roles and responsibilities. | No |
Train employees on the security and privacy roles and responsibilities associated with their positions. | No |
Set up monitoring processes and tools to monitor and review the security and privacy roles and responsibilities to ensure they are up-to-date. | No |
Develop policies and procedures to ensure compliance with security and privacy roles and responsibilities. | No |
Create a process for evaluating employee performance related to security and privacy roles and responsibilities. | No |
Develop a system for tracking and reporting on security and privacy roles and responsibilities. | No |

Baseline - High

PS-4(2) Personnel Termination | Automated Actions
Step | Implemented? | Comments
Identify organization-defined personnel or roles to be notified of individual termination actions. | No |
Identify organization-defined automated mechanisms to be used for notification. | No |
Configure the automated mechanisms to send notifications to the identified personnel or roles. | No |
Configure the automated mechanisms to disable access to system resources upon notification. | No |
Test the configured automated mechanisms to ensure proper functioning. | No |
Set up monitoring processes and tools to check the automated mechanisms for proper functioning. | No |

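The PS-4 and PS-4(2) steps above describe one workflow: on a termination notice, disable every account, revoke every authenticator, notify the designated roles, and do all of it within the organization-defined time period. The following Python is an added example, not part of the checklist, of how such an automated mechanism can be structured and, just as importantly, verified afterwards. The directory contents, the roles notified and the four-hour period are assumptions made for the example; a real deployment would call the identity provider and credential store APIs where this code mutates a dictionary.

```python
"""Automated termination actions (PS-4 / PS-4(2)): an added example, not checklist code.

An in-memory stand-in for the directory and credential stores; the roles to
notify and the period within which access must be disabled are assumed
organization-defined values.
"""
from datetime import datetime, timedelta

DISABLE_WITHIN = timedelta(hours=4)               # assumed organization-defined time period
NOTIFY_ROLES = ("security-operations", "hr")      # assumed organization-defined roles

# Constructed directory: user -> per-system account state and issued authenticators.
DIRECTORY = {
    "jdoe": {
        "accounts": {"directory": "enabled", "vpn": "enabled", "cloud-console": "enabled"},
        "authenticators": ["badge-4411", "totp-jdoe", "api-key-7f"],
    }
}


def process_termination(directory, user, notice_iso, now_iso):
    """Disable every account, revoke every authenticator, build the notifications,
    and record whether the organization-defined period was met."""
    notice = datetime.fromisoformat(notice_iso)
    now = datetime.fromisoformat(now_iso)
    entry = directory[user]
    actions = []
    for system in entry["accounts"]:
        entry["accounts"][system] = "disabled"
        actions.append(("disable", system))
    for auth in entry["authenticators"]:
        actions.append(("revoke", auth))
    entry["authenticators"] = []
    notifications = [(role, f"{user}: access disabled at {now_iso}") for role in NOTIFY_ROLES]
    return {"user": user, "actions": actions, "notifications": notifications,
            "within_period": now - notice <= DISABLE_WITHIN}


def residual_access(directory, user):
    """Verification after the automated run: anything still enabled, or any
    authenticator not revoked, is a finding."""
    entry = directory[user]
    still_enabled = [s for s, state in entry["accounts"].items() if state != "disabled"]
    return still_enabled + list(entry["authenticators"])


if __name__ == "__main__":
    result = process_termination(DIRECTORY, "jdoe", "2025-02-03T09:00:00", "2025-02-03T11:30:00")
    print(result["actions"], result["within_period"], residual_access(DIRECTORY, "jdoe"))
```

The `within_period` flag and the `residual_access` check are the parts the "test" and "monitor" rows of the checklist ask for: the first records whether the time period was met, the second confirms that the mechanism left nothing enabled.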
PT PII Processing and Transparency
Not part of the security baselines; should be integrated into the whole organization.

RA Risk Assessment
Baseline - Low

RA-1 Policy and Procedures
Step | Implemented? | Comments
Define who is responsible for the risk assessment policy. | No |
Establish a scope for the risk assessment policy and procedures. | No |
Define policy and procedure statements that adhere to requirements from law and the organization. | No |

RA-2 Security Categorization
Step | Implemented? | Comments
Identify the system and the information it processes, stores, and transmits. | No |
Categorize the system and information based on the security requirements. | No |
Document the security categorization results, including supporting rationale, in the security plan for the system. | No |
Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. | No |
Update the security plan with the security categorization results. | No |

RA-3 Risk Assessment
Step | Implemented? | Comments
Identify threats to and vulnerabilities in the system. | No |
Determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information. | No |
Determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information. | No |
Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments. | No |
Document risk assessment results in security and privacy plans, risk assessment report, or organization-defined document. | No |
Review risk assessment results at organization-defined frequency. | No |
Disseminate risk assessment results to organization-defined personnel or roles. | No |
Update the risk assessment at organization-defined frequency or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. | No |
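The RA-2 step "categorize the system and information" and the RA-3 step "determine the likelihood and magnitude of harm" are the two calculations behind a risk assessment report. The Python below is an added example and not part of the checklist. The categorization half applies the FIPS 199 high-water mark, which is NIST's own method even though the checklist does not spell it out; the rating half uses a three-level likelihood-by-impact table that is an assumption modelled on the qualitative approach of SP 800-30, and the information types and threats are constructed for the example.

```python
"""Security categorization (RA-2) and risk rating (RA-3): an added example, not checklist code.

Categorization uses the FIPS 199 high-water mark: for each security objective
(confidentiality, integrity, availability) the system's impact level is the highest
provisional level of any information type it handles, and the overall category is
the highest of the three. The information types, the threat list and the
likelihood-by-impact table are constructed for the example.
"""
LEVELS = ["low", "moderate", "high"]

# Constructed information types with provisional (C, I, A) impact levels.
INFO_TYPES = {
    "public-web-content": ("low", "moderate", "low"),
    "personnel-records": ("moderate", "moderate", "low"),
    "payment-data": ("high", "high", "moderate"),
}

# Constructed threat/vulnerability pairs with their assessed likelihood and impact.
THREATS = [
    {"name": "credential stuffing against the customer portal", "likelihood": "high", "impact": "moderate"},
    {"name": "flooding of the server room", "likelihood": "low", "impact": "high"},
    {"name": "defacement of public web content", "likelihood": "moderate", "impact": "low"},
    {"name": "ransomware on the payment database", "likelihood": "moderate", "impact": "high"},
]

# Assumed qualitative table: (likelihood, impact) -> risk level.
RISK_TABLE = {
    ("low", "low"): "low", ("low", "moderate"): "low", ("low", "high"): "moderate",
    ("moderate", "low"): "low", ("moderate", "moderate"): "moderate", ("moderate", "high"): "high",
    ("high", "low"): "low", ("high", "moderate"): "moderate", ("high", "high"): "high",
}


def categorize_system(info_types):
    """Return ({'C': level, 'I': level, 'A': level}, overall level) via the high-water mark."""
    per_objective = {}
    for idx, objective in enumerate(("C", "I", "A")):
        per_objective[objective] = max((levels[idx] for levels in info_types.values()),
                                       key=LEVELS.index)
    overall = max(per_objective.values(), key=LEVELS.index)
    return per_objective, overall


def risk_level(likelihood, impact):
    """Look up the risk level for one threat in the assumed table."""
    return RISK_TABLE[(likelihood, impact)]


def assess_risks(threats):
    """Attach a risk level to each threat and order highest risk first (stable for ties)."""
    rated = [dict(t, risk=risk_level(t["likelihood"], t["impact"])) for t in threats]
    return sorted(rated, key=lambda t: LEVELS.index(t["risk"]), reverse=True)


if __name__ == "__main__":
    print(categorize_system(INFO_TYPES))
    for t in assess_risks(THREATS):
        print(t["risk"], t["name"])
```

The categorization output is what the RA-2 step asks to document "including supporting rationale": the per-objective levels show which information type drove the overall category. The ranked threat list is the input to the RA-7 risk response plan later in this section.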

RA-3(1) Risk Assessment | Supply Chain Risk Assessment
Step | Implemented? | Comments
Identify the organization-defined systems, system components, and system services. | No |
Research and analyze the supply chain associated with the identified systems, components, and services. | No |
Identify potential risks associated with the supply chain. | No |
Assess the potential risks and document the findings. | No |
Establish an organization-defined frequency for updating the supply chain risk assessment. | No |
Set up monitoring processes and tools to monitor the supply chain for significant changes. | No |
Set up monitoring processes and tools to monitor the system, environment of operations, and other conditions for changes that may necessitate a change in the supply chain. | No |
Update the supply chain risk assessment according to the established frequency. | No |

RA-5 Vulnerability Monitoring and Scanning | Implemented? | Comments
Research and select vulnerability monitoring tools and techniques that meet the organization’s requirements. | No |
Install and configure the vulnerability monitoring tools. | No |
Set up the vulnerability scanning process to run at the organization-defined frequency. | No |
Monitor the vulnerability scan results and analyze the reports. | No |
Identify and prioritize legitimate vulnerabilities (excluding confirmed false positives and risk-accepted findings) based on an organizational assessment of risk. | No |
Develop a plan to remediate the vulnerabilities within the organization-defined response times. | No |
Implement the remediation plan. | No |
Share information obtained from the vulnerability monitoring process and control assessments with organization-defined personnel or roles. | No |
Update the vulnerability monitoring tools to include the latest vulnerabilities. | No |
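The "identify and prioritize" and "remediate within organization-defined response times" steps above are where most RA-5 programs stall, because raw scanner output is neither de-duplicated against the risk register nor tied to a deadline. The following is an added example written for this page, not code from the checklist or from any scanner vendor: it takes constructed scanner findings, drops risk-accepted entries, escalates severity when a public exploit exists for an internet-facing asset, and assigns a due date from assumed organization-defined response times. The plugin identifiers, asset names and response-time table are all assumptions.

```python
"""Added example for RA-5: turn raw scanner findings into a prioritized
remediation plan with due dates derived from organization-defined response
times. Thresholds, identifiers and sample findings are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed organization-defined remediation response times (days) per severity.
RESPONSE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed risk-register entries: findings already risk-accepted or confirmed
# as false positives, keyed by (asset, plugin_id). Excluded from the plan.
ACCEPTED_FINDINGS = {("db01", "plg-4040")}

_ORDER = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    asset: str
    plugin_id: str
    title: str
    cvss: float
    exploit_available: bool
    internet_facing: bool


def severity(f: Finding) -> str:
    """CVSS bucket, escalated one level when a public exploit exists for an
    internet-facing asset (the 'organizational assessment of risk' step)."""
    if f.cvss >= 9.0:
        base = "critical"
    elif f.cvss >= 7.0:
        base = "high"
    elif f.cvss >= 4.0:
        base = "medium"
    else:
        base = "low"
    if f.exploit_available and f.internet_facing and base != "critical":
        base = _ORDER[_ORDER.index(base) + 1]
    return base


def build_plan(findings, scan_date: date):
    """Return remediation rows sorted by due date (earliest first), then CVSS."""
    plan = []
    for f in findings:
        if (f.asset, f.plugin_id) in ACCEPTED_FINDINGS:
            continue  # already risk-accepted or a confirmed false positive
        sev = severity(f)
        plan.append({
            "asset": f.asset,
            "plugin_id": f.plugin_id,
            "title": f.title,
            "cvss": f.cvss,
            "severity": sev,
            "due": scan_date + timedelta(days=RESPONSE_DAYS[sev]),
        })
    plan.sort(key=lambda r: (r["due"], -r["cvss"]))
    return plan


# Constructed sample scan output (not real findings or plugin ids).
SAMPLE_FINDINGS = [
    Finding("web01", "plg-1010", "Outdated TLS library", 7.5, True, True),
    Finding("db01", "plg-4040", "Default account enabled", 9.8, False, False),
    Finding("app02", "plg-2020", "Verbose error pages", 5.3, False, False),
    Finding("app02", "plg-3030", "Weak cipher offered", 3.1, True, False),
]

if __name__ == "__main__":
    for row in build_plan(SAMPLE_FINDINGS, date(2025, 2, 1)):
        print(f"{row['due']} {row['severity']:<8} {row['asset']:<6} {row['title']}")
```

The escalation rule is deliberately simple; the point is that the ordering of the plan comes from the organization's risk assessment (exposure and exploitability), not from the scanner's CVSS score alone, and that every row carries the deadline the control requires.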

RA-5(2) Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned | Implemented? | Comments
Establish an organization-defined frequency for system vulnerability scans. | No |
Prior to a new scan, update the set of system vulnerabilities to be scanned. | No |
Monitor for newly published vulnerabilities and report them. | No |
Update the set of system vulnerabilities to be scanned when new vulnerabilities are identified and reported. | No |
Run the system vulnerability scan. | No |
Analyze the scan results and take appropriate action. | No |

RA-5(11) Vulnerability Monitoring and Scanning | Public Disclosure Program | Implemented? | Comments
Research and select a public reporting channel (e.g. email address, web form). | No |
Create a public-facing page with instructions on how to submit reports of vulnerabilities. | No |
Set up the selected public reporting channel. | No |
Promote the public reporting channel to stakeholders. | No |
Monitor the public reporting channel for incoming reports. | No |
Establish a process for triaging and responding to reports. | No |
Create a secure repository for storing reports. | No |
Train staff on the process for handling reports of vulnerabilities. | No |

RA-7 Risk Response | Implemented? | Comments
Identify security and privacy findings from assessments, monitoring, and audits. | No |
Assess the risk associated with each finding. | No |
Develop a plan to address each finding based on the risk assessment. | No |
Implement the plan to address each finding. | No |
Monitor the implementation of the plan to ensure it is effective. | No |
Evaluate the effectiveness of the plan and adjust as necessary. | No |
Document the findings, risk assessment, plan, implementation, and evaluation. | No |
Report the findings, risk assessment, plan, implementation, and evaluation to relevant stakeholders. | No |

Baseline - Moderate

RA-5(5) Vulnerability Monitoring and Scanning | Privileged Access | Implemented? | Comments
Identify the system components that require privileged access authorization for vulnerability scanning activities. | No |
Establish a process to grant and revoke privileged access authorization. | No |
Develop a policy to define the roles and responsibilities of users with privileged access authorization. | No |
Create a secure authentication mechanism for the scanner's privileged access (dedicated scanning credentials rather than shared administrator accounts). | No |
Monitor and audit privileged access authorization activities. | No |
Implement technical controls to restrict privileged access authorization. | No |
Establish a process to review and update privileged access authorization. | No |
Develop a procedure to revoke privileged access authorization when no longer required. | No |
Train users on the proper use of privileged access authorization. | No |
Implement a process to review and approve privileged access authorization requests. | No |

RA-9 Criticality Analysis (listed in the source as SA-14, its Rev. 4 identifier; SA-14 was withdrawn in NIST SP 800-53 Rev. 5 and incorporated into RA-9) | Implemented? | Comments
Identify the organization-defined systems, system components, or system services. | No |
Identify the organization-defined decision points in the system development life cycle. | No |
Analyze the system components, functions, and services to determine their importance to the organization. | No |
Assess the impact of any potential failure or disruption of the system components, functions, and services. | No |
Identify any potential risks associated with the system components, functions, and services. | No |
Develop a plan for mitigating any identified risks. | No |
Document the criticality analysis results. | No |

Baseline - High
RA-5(4) Vulnerability Monitoring and Scanning | Discoverable Information | Implemented? | Comments
Identify system information that is discoverable by adversaries. | No |
Analyze the system information to determine potential security risks. | No |
Develop a plan to address the security risks. | No |
Implement the plan to address the security risks. | No |
Monitor the system to ensure the security risks have been addressed. | No |
Take corrective actions as defined by the organization. | No |

SA System and Services Acquisition
Baseline - Low

SA-1 Policy and Procedures | Implemented? | Comments
Define who is responsible for the system and services acquisition policy. | No |
Establish the scope of the system and services acquisition policy and procedures. | No |
Define policy statements that satisfy applicable laws, regulations, and organizational requirements. | No |

SA-2 Allocation of Resources | Implemented? | Comments
Analyze mission and business processes to identify high-level information security and privacy requirements. | No |
Estimate the resources needed to protect the system or system service. | No |
Develop a plan to allocate resources to meet the security and privacy requirements. | No |
Create a discrete line item for information security and privacy in organizational programming and budgeting documentation. | No |
Monitor and adjust resource allocations as needed to ensure security and privacy requirements are met. | No |

SA-3 System Development Life Cycle | Implemented? | Comments
Define the organization-defined system development life cycle and acquire the system according to it. | No |
Develop the system according to the system development life cycle. | No |
Document information security and privacy roles and responsibilities throughout the system development life cycle. | No |
Identify the individuals having information security and privacy roles and responsibilities. | No |
Integrate the organizational information security and privacy risk management process into system development life cycle activities. | No |
Manage the system according to the system development life cycle. | No |

SA-4 Acquisition Process | Implemented? | Comments
Identify the security and privacy functional requirements for the system, system component, or system service. | No |
Identify the strength of mechanism requirements for the system, system component, or system service. | No |
Identify the security and privacy assurance requirements for the system, system component, or system service. | No |
Identify the controls needed to satisfy the security and privacy requirements for the system, system component, or system service. | No |
Identify the security and privacy documentation requirements for the system, system component, or system service. | No |
Identify the requirements for protecting security and privacy documentation for the system, system component, or system service. | No |
Identify the description of the system development environment and the environment in which the system is intended to operate. | No |
Identify the allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management. | No |
Identify the acceptance criteria for the system, system component, or system service. | No |
Include the identified requirements, descriptions, and criteria in the acquisition contract for the system, system component, or system service using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]]. | No |

SA-4(10) Acquisition Process | Use of Approved PIV Products | Implemented? | Comments
Research the FIPS 201-approved products list for Personal Identity Verification (PIV) capability. | No |
Evaluate the products on the list to determine which best meets the organization's needs. | No |
Develop a plan to implement the chosen product within the organizational systems. | No |
Test the product to ensure it meets the organization's needs and complies with FIPS 201 standards. | No |
Train staff on the product and its use. | No |
Implement the product within the organizational systems. | No |
Monitor the product's performance and usage. | No |
Make any necessary adjustments to ensure the product meets the organization's needs and complies with FIPS 201 standards. | No |

SA-5 System Documentation | Implemented? | Comments
Develop administrator documentation for the system, system component, or system service that describes: (a) secure configuration, installation, and operation of the system, component, or service; (b) effective use and maintenance of security and privacy functions and mechanisms; (c) known vulnerabilities regarding configuration and use of administrative or privileged functions. | No |
Develop user documentation for the system, system component, or system service that describes: (a) user-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; (b) methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner and protect individual privacy; (c) user responsibilities in maintaining the security of the system, component, or service and the privacy of individuals. | No |
Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response. | No |
Distribute documentation to [Assignment: organization-defined personnel or roles]. | No |
Review and update documentation as necessary. | No |

SA-8 Security and Privacy Engineering Principles | Implemented? | Comments
Specify the organization-defined systems security and privacy engineering principles. | No |
Design the system and system components with the specified principles in mind. | No |
Develop the system and system components according to the specified principles. | No |
Implement the system and system components according to the specified principles. | No |
Monitor the system and system components for compliance with the specified principles. | No |
Modify the system and system components as needed to ensure compliance with the specified principles. | No |

SA-9 External System Services | Implemented? | Comments
Identify external system services that require compliance with organizational security and privacy requirements. | No |
Develop and document organizational oversight and user roles and responsibilities with regard to external system services. | No |
Develop and document organization-defined controls for external system services. | No |
Develop and document organization-defined processes, methods, and techniques to monitor control compliance by external service providers. | No |
Implement the organization-defined controls and the processes, methods, and techniques. | No |
Monitor control compliance by external service providers on an ongoing basis. | No |
Report any non-compliance to relevant stakeholders. | No |
Take corrective action as necessary. | No |

SA-22 Unsupported System Components | Implemented? | Comments
Identify the system components that are no longer supported by the developer, vendor, or manufacturer. | No |
Research in-house support and external providers as alternative sources of support for the unsupported components. | No |
Evaluate the options for alternative sources of support and select one or more. | No |
Replace unsupported system components with supported components where possible. | No |
Where replacement is not yet possible, document the organization-defined support obtained from in-house or external providers. | No |
Monitor the remaining unsupported system components for any changes or updates. | No |

Baseline - Moderate
SA-4(1) Acquisition Process | Functional Properties of Controls | Implemented? | Comments
Identify the system, system component, or system service to be developed. | No |
Define the functional requirements of the system, system component, or system service. | No |
Develop a list of controls to be implemented to meet the functional requirements. | No |
Request that the developer provide a description of the functional properties of the controls to be implemented. | No |
Evaluate the description of the functional properties of the controls to ensure that they meet the functional requirements. | No |
Implement the controls according to the description of the functional properties. | No |
Test the implemented controls to ensure that they meet the functional requirements. | No |

SA-4(2) Acquisition Process | Design and Implementation Information for Controls | Implemented? | Comments
Explain the requirement to the developer of the system, system component, or system service. | No |
Identify the security-relevant external system interfaces, high-level design, low-level design, source code, or hardware schematics that need to be provided. | No |
Determine the level of detail required for the design and implementation information. | No |
Request the design and implementation information from the developer. | No |
Review the provided design and implementation information. | No |
Confirm that the design and implementation information meets the required level of detail. | No |

SA-4(9) Acquisition Process | Functions, Ports, Protocols, and Services in Use | Implemented? | Comments
Identify the system, system component, or system service. | No |
Determine the functions, ports, protocols, and services intended for organizational use. | No |
Document the functions, ports, protocols, and services. | No |
Communicate the functions, ports, protocols, and services to the developer. | No |
Monitor the system, system component, or system service for compliance with the documented set. | No |

SA-9(2) External System Services | Identification of Functions, Ports, Protocols, and Services | Implemented? | Comments
Identify the external system services required by the organization. | No |
Determine the functions, ports, protocols, and other services required for the use of such services. | No |
Contact the providers of the external system services and request information about the functions, ports, protocols, and other services required for the use of such services. | No |
Document the functions, ports, protocols, and other services required for the use of such services. | No |
Implement the necessary security controls to protect the external system services. | No |

SA-10 Developer Configuration Management | Implemented? | Comments
Design a configuration management process for the system, component, or service. | No |
Document, manage, and control the integrity of changes to organization-defined configuration items under configuration management. | No |
Implement only organization-approved changes to the system, component, or service. | No |
Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes. | No |
Track security flaws and flaw resolution within the system, component, or service. | No |
Report findings to organization-defined personnel. | No |

SA-11 Developer Testing and Evaluation | Implemented? | Comments
Develop a plan for ongoing security and privacy control assessments. | No |
Select the type of testing/evaluation (unit, integration, system, regression). | No |
Determine the frequency of testing/evaluation. | No |
Determine the depth and coverage of testing/evaluation. | No |
Execute the assessment plan. | No |
Record the results of testing/evaluation. | No |
Implement a verifiable flaw remediation process. | No |
Correct flaws identified during testing/evaluation. | No |

SA-15 Development Process, Standards, and Tools | Implemented? | Comments
Create a documented development process that explicitly addresses security and privacy requirements. | No |
Identify the standards and tools used in the development process. | No |
Document the specific tool options and tool configurations used in the development process. | No |
Document, manage, and ensure the integrity of changes to the process and/or tools used in development. | No |
Review the development process, standards, tools, tool options, and tool configurations at an organization-defined frequency. | No |
Determine whether the process, standards, tools, tool options, and tool configurations selected and employed can satisfy the organization-defined security and privacy requirements. | No |

SA-15(3) Development Process, Standards, and Tools | Criticality Analysis | Implemented? | Comments
Identify the organization-defined decision points in the system development life cycle. | No |
Determine the organization-defined breadth and depth of criticality analysis. | No |
Develop a criticality analysis plan that outlines the steps to be taken and the resources required. | No |
Execute the criticality analysis plan. | No |
Document the results of the criticality analysis. | No |
Review the results of the criticality analysis with the system developer. | No |
Make any necessary changes to the system based on the results of the criticality analysis. | No |
Document any changes made to the system. | No |

Baseline - High

SA-4(5) Acquisition Process | System, Component, and Service Configurations | Implemented? | Comments
Identify the system, component, or service to be developed. | No |
Define the security configurations that must be implemented. | No |
Develop the system, component, or service with the security configurations in place. | No |
Test the system, component, or service to ensure the security configurations are functioning properly. | No |
Deploy the system, component, or service with the security configurations in place. | No |
Ensure the security configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade. | No |
Monitor the system, component, or service to ensure the security configurations remain in place. | No |

SA-16 Developer-provided Training | Implemented? | Comments
Identify the security and privacy functions, controls, and/or mechanisms on which training is needed. | No |
Develop a training plan that outlines the topics to be covered and the methods of delivery. | No |
Create training materials such as slides, handouts, and/or videos. | No |
Schedule training sessions and invite the relevant stakeholders. | No |
Deliver the training sessions. | No |
Evaluate the effectiveness of the training. | No |
Document the training results. | No |

SA-17 Developer Security and Privacy Architecture and Design | Implemented? | Comments
Gather requirements from the organization’s security and privacy architecture and enterprise architecture. | No |
Develop a design specification that accurately and completely describes the required security and privacy functionality and the allocation of controls among physical and logical components. | No |
Develop a security and privacy architecture that expresses how individual security and privacy functions, mechanisms, and services work together to provide the required security and privacy capabilities and a unified approach to protection. | No |
Review the design specification and the security and privacy architecture with the organization’s security and privacy architecture and enterprise architecture teams to ensure consistency. | No |
Present the design specification and the security and privacy architecture to the developer for implementation. | No |

SA-21 Developer Screening | Implemented? | Comments
Identify the organization-defined official government duties assigned to the developer. | No |
Define the organization-defined additional personnel screening criteria. | No |
Ensure that the developer has appropriate access authorizations as determined by the assigned official government duties. | No |
Verify that the developer satisfies the additional personnel screening criteria. | No |

SC System and Communications Protection
Baseline - Low

SC-1 Policy and Procedures | Implemented? | Comments
Define who is responsible for the system and communications protection policy. | No |
Establish the scope of the system and communications protection policy and procedures. | No |
Define policy statements that satisfy applicable laws, regulations, and organizational requirements. | No |

SC-5 Denial-of-service Protection | Implemented? | Comments
Identify the organization-defined types of denial-of-service events. | No |
Identify the organization-defined controls by type of denial-of-service event. | No |
Implement the identified controls to protect against and limit the effects of the identified types of denial-of-service events. | No |
Monitor the effectiveness of the implemented controls. | No |
Adjust the controls as needed to ensure the desired level of protection against, and limitation of the effects of, the identified types of denial-of-service events. | No |
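One concrete "organization-defined control by type of event" for request-flooding is a per-client rate limit. The following is an added example written for this page, not code from the checklist or from any product: a token-bucket limiter keyed by client address, with the one caveat a practitioner must handle, namely that the limiter's own per-client state table is bounded, because an unbounded table is itself a resource-exhaustion target. The rates, client addresses (RFC 5737 documentation ranges) and request timeline are constructed assumptions.

```python
"""Added example for SC-5: a per-client token-bucket rate limiter as one
control that limits the effect of request-flooding denial-of-service events.
Rates, client identifiers and the request timeline are constructed."""
from collections import OrderedDict


class TokenBucket:
    """Allow up to `burst` requests at once, refilled at `rate` tokens/second."""

    def __init__(self, rate: float, burst: int, now: float):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.updated = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerClientLimiter:
    """One bucket per client. The table is bounded with LRU eviction so an
    attacker cycling through source addresses cannot exhaust memory, which
    would turn the control into a DoS vector of its own."""

    def __init__(self, rate: float, burst: int, max_clients: int):
        self.rate, self.burst, self.max_clients = rate, burst, max_clients
        self.buckets = OrderedDict()  # client -> TokenBucket, LRU order
        self.rejected = 0

    def allow(self, client: str, now: float) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            if len(self.buckets) >= self.max_clients:
                self.buckets.popitem(last=False)  # evict least recently used
            bucket = TokenBucket(self.rate, self.burst, now)
        self.buckets[client] = bucket
        self.buckets.move_to_end(client)
        ok = bucket.allow(now)
        if not ok:
            self.rejected += 1
        return ok


def simulate():
    """Constructed timeline: client A floods, client B sends at a normal pace."""
    lim = PerClientLimiter(rate=5.0, burst=10, max_clients=1000)
    a_burst = sum(lim.allow("198.51.100.7", 0.0) for _ in range(50))
    b_normal = sum(lim.allow("203.0.113.9", t * 0.5) for t in range(10))
    a_after_2s = sum(lim.allow("198.51.100.7", 2.0) for _ in range(50))
    return {"a_burst": a_burst, "b_normal": b_normal,
            "a_after_2s": a_after_2s, "rejected": lim.rejected}


if __name__ == "__main__":
    print(simulate())
```

With a 5 requests/second rate and a burst of 10, the flooding client gets 10 requests through per burst window and the well-behaved client is never throttled; that isolation between clients is what "limit the effects" means in practice, and it is the property the monitoring step should check.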

SC-7 Boundary Protection | Implemented? | Comments
Identify the external and internal managed interfaces to the system. | No |
Install boundary protection devices at the managed interfaces. | No |
Configure the boundary protection devices to monitor and control communications. | No |
Create subnetworks for publicly accessible system components. | No |
Physically or logically separate the subnetworks from internal organizational networks. | No |
Connect to external networks or systems only through the managed interfaces. | No |
Implement the organizational security and privacy architecture. | No |

SC-12 Cryptographic Key Establishment and Management | Implemented? | Comments
Generate cryptographic keys according to organization-defined requirements. | No |
Distribute cryptographic keys according to organization-defined requirements. | No |
Store cryptographic keys according to organization-defined requirements. | No |
Grant access to cryptographic keys according to organization-defined requirements. | No |
Destroy cryptographic keys according to organization-defined requirements. | No |
Monitor and audit cryptographic key usage according to organization-defined requirements. | No |
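The rows above are the stages of a key lifecycle; what they do not show is how key state drives behaviour at the point of use. The following is an added example written for this page, not code from the checklist: a small keyring for HMAC integrity keys that generates 256-bit keys, rotates them (the old key becomes verify-only so in-flight data still validates), destroys them (after which verification is refused, not silently attempted), and keeps the audit trail the last row asks for. The key-id format, the states and the sample message are assumptions; the caveat in the `destroy` comment about zeroization in CPython is a real limitation.

```python
"""Added example for SC-12: key lifecycle (generate, rotate, retire, destroy)
for HMAC integrity keys with an audit trail and state-aware verification.
Key-id format, states and the sample message are assumptions."""
import hashlib
import hmac
import secrets
from enum import Enum


class KeyState(Enum):
    ACTIVE = "active"        # may sign and verify
    RETIRED = "retired"      # verify-only during the rollover window
    DESTROYED = "destroyed"  # material discarded; only the record remains


class Keyring:
    def __init__(self):
        self._keys = {}      # kid -> {"state": KeyState, "material": bytes|None}
        self._current = None
        self.audit = []      # (event, kid) tuples for the organization's audit log

    def _generate(self) -> str:
        kid = "k" + secrets.token_hex(4)
        self._keys[kid] = {"state": KeyState.ACTIVE,
                           "material": secrets.token_bytes(32)}  # 256-bit key
        self.audit.append(("generate", kid))
        return kid

    def rotate(self) -> str:
        """Retire the current key (verify-only) and activate a fresh one."""
        old = self._current
        if old is not None:
            self._keys[old]["state"] = KeyState.RETIRED
            self.audit.append(("retire", old))
        self._current = self._generate()
        return self._current

    def destroy(self, kid: str) -> None:
        rec = self._keys[kid]
        # Dropping the reference is the best CPython offers; it does not
        # guarantee the bytes are overwritten in memory. Use an HSM or KMS
        # where zeroization is an organization-defined requirement.
        rec["material"] = None
        rec["state"] = KeyState.DESTROYED
        self.audit.append(("destroy", kid))

    def sign(self, msg: bytes):
        if self._current is None:
            raise RuntimeError("no active key")
        key = self._keys[self._current]["material"]
        return self._current, hmac.new(key, msg, hashlib.sha256).digest()

    def verify(self, kid: str, msg: bytes, tag: bytes) -> bool:
        rec = self._keys.get(kid)
        if rec is None or rec["state"] is KeyState.DESTROYED:
            self.audit.append(("verify-rejected", kid))
            return False
        expected = hmac.new(rec["material"], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def walkthrough():
    """Constructed lifecycle: sign under k1, rotate to k2, destroy k1."""
    ring = Keyring()
    k1 = ring.rotate()
    kid, tag = ring.sign(b"constructed message")
    k2 = ring.rotate()
    results = {
        "signed_with_k1": kid == k1,
        "old_tag_valid_after_rotation": ring.verify(k1, b"constructed message", tag),
        "new_signatures_use_k2": ring.sign(b"x")[0] == k2,
        "tampered_rejected": not ring.verify(k1, b"constructed message!", tag),
    }
    ring.destroy(k1)
    results["rejected_after_destroy"] = not ring.verify(k1, b"constructed message", tag)
    results["events"] = [event for event, _ in ring.audit]
    return results


if __name__ == "__main__":
    print(walkthrough())
```

Two design points carry over to any real key store: tags are compared with `hmac.compare_digest` rather than `==` so verification time does not leak the tag, and a destroyed key is refused outright, which is the only way an auditor can tell from the log that old material is no longer in use.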

SC-13 Cryptographic Protection | Implemented? | Comments
Identify the organization-defined cryptographic uses. | No |
Identify the organization-defined types of cryptography for each specified cryptographic use. | No |
Develop an implementation plan for the identified types of cryptography. | No |
Implement the cryptographic solutions according to the plan. | No |
Test the cryptographic solutions for correctness and effectiveness. | No |
Monitor and review the cryptographic solutions for any changes or updates. | No |
Document the cryptographic solutions and their implementation. | No |

SC-15 Collaborative Computing Devices and Applications | Implemented? | Comments
Identify the organization-defined exceptions where remote activation is to be allowed. | No |
Establish a policy that prohibits remote activation of collaborative computing devices and applications, except for the exceptions identified in the previous step. | No |
Implement technical controls to enforce the policy. | No |
Develop a procedure to provide an explicit indication of use to users physically present at the devices. | No |
Train users on the policy and procedure. | No |
Monitor and audit the implementation of the policy and procedure. | No |

SC-20 Secure Name/address Resolution Service (authoritative Source) | Implemented? | Comments
Identify the authoritative name resolution systems that answer external name/address resolution queries. | No |
Provide additional data origin authentication and integrity verification artifacts (e.g. DNSSEC signatures) along with the authoritative name resolution data. | No |
Provide the means to indicate the security status of child zones. | No |
Enable verification of a chain of trust among parent and child domains. | No |
Configure the authoritative name resolution system to return the additional authentication and integrity verification artifacts in response to external name/address resolution queries. | No |
Test the system to ensure that the additional authentication and integrity verification artifacts are returned correctly. | No |

SC-21 Secure Name/address Resolution Service (recursive or Caching Resolver) | Implemented? | Comments
Request data origin authentication: (a) identify the authoritative sources from which the name/address resolution responses will be received; (b) establish secure communication channels with the authoritative sources; (c) request authentication of the data origin from the authoritative sources. | No |
Perform data integrity verification: (a) receive the name/address resolution responses from the authoritative sources; (b) verify the integrity of the data received by using cryptographic techniques such as message authentication codes or digital signatures; (c) compare the received data with the expected data to ensure accuracy; (d) log any discrepancies or errors. | No |

SC-22 Architecture and Provisioning for Name/address Resolution Service | Implemented? | Comments
Identify the systems that provide name/address resolution service. | No |
Evaluate the existing fault tolerance of the systems. | No |
Implement internal role separation by serving internal clients and external clients from separate name servers. | No |
Implement external role separation by running the authoritative and recursive resolver roles on separate systems. | No |
Test the fault tolerance of the systems to ensure they are working properly. | No |
Monitor the systems to ensure they remain fault-tolerant. | No |

SC-39 Process Isolation | Implemented? | Comments
Create a separate execution domain for each system process. | No |
Establish a secure boundary between the execution domains. | No |
Implement access control mechanisms to ensure that processes in different execution domains cannot interfere with each other. | No |
Monitor the execution domains to detect any unauthorized access attempts. | No |
Implement logging and auditing mechanisms to track any access attempts. | No |
Implement security measures to prevent malicious code from entering the execution domains. | No |
Ensure that all processes within the execution domains are running with the appropriate (least) privileges. | No |
Regularly update the security measures to keep up with the changing threat landscape. | No |

Baseline - Moderate

SC-2 Separation of System and User Functionality | Implemented? | Comments
Identify user functionality and system management functionality. | No |
Design user interfaces and services to support user functionality. | No |
Design system management functionality (e.g. administrative interfaces) so that it is physically or logically separated from user functionality. | No |
Develop user interfaces and services to support user functionality. | No |
Develop system management functionality to support system management tasks. | No |
Test user interfaces and services to ensure they meet user requirements. | No |
Test system management functionality to ensure it meets system management requirements. | No |
Deploy user interfaces and services. | No |
Deploy system management functionality. | No |
Monitor user interfaces and services for performance and usability. | No |
Monitor system management functionality for performance and reliability. | No |

SC-4 Information in Shared System Resources | Implemented? | Comments
Prevent unauthorized and unintended information transfer via shared system resources (e.g. clear memory and temporary storage before reallocating them to another process or user). | No |
Establish user authentication and authorization protocols. | No |
Implement access control measures to limit access to shared system resources. | No |
Establish data encryption protocols for sensitive information. | No |
Monitor shared system resources for unauthorized access attempts. | No |
Implement data backup and recovery procedures. | No |
Establish a policy for data retention and disposal. | No |
Educate users on the importance of security and the risks of unauthorized access. | No |
Implement a system of regular security audits. | No |

SC-7(3) Boundary Protection | Access Points | Implemented? | Comments
Identify the external network connections that need to be limited. | No |
Create firewall rules to limit the external network connections. | No |
Configure the firewall to enforce the rules. | No |
Test the firewall rules to ensure they work as expected. | No |
Monitor the firewall rules to ensure they remain effective. | No |

SC-7(4) Boundary Protection | External Telecommunications Services | Implemented? | Comments
Design a managed interface for each external telecommunication service. | No |
Establish a traffic flow policy for each managed interface. | No |
Implement measures to protect the confidentiality and integrity of the information being transmitted across each interface. | No |
Document each exception to the traffic flow policy with a supporting mission or business need and the duration of that need. | No |
Review exceptions to the traffic flow policy at an organization-defined frequency and remove exceptions that are no longer supported by an explicit mission or business need. | No |
Implement measures to prevent unauthorized exchange of control plane traffic with external networks. | No |
Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks. | No |
Implement measures to filter unauthorized control plane traffic from external networks. | No |

SC-7(5) Boundary Protection | Deny by Default — Allow by Exception | Implemented? | Comments
Identify the systems that need to be allowed network communications traffic. | No |
Configure the managed interfaces to deny all network communications traffic by default. | No |
Create exceptions to allow network communications traffic for the identified systems. | No |
Test the configuration to ensure that the exceptions work as expected and that everything else is denied. | No |
Monitor the network communications traffic to ensure that only the allowed systems are communicating. | No |
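The difference between "deny by default, allow by exception" and the weak setting is easiest to see by running the same exception list under both defaults. The following is an added example written for this page, not code from the checklist or from any firewall product: a first-match rule evaluator for a managed interface over constructed traffic, using RFC 5737 documentation address ranges. The rules, ports and packets are assumptions.

```python
"""Added example for SC-7(5): first-match evaluation at a managed interface,
deny-by-default with allow-by-exception beside the weak allow-by-default.
Addresses (RFC 5737 documentation ranges), ports and packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str     # CIDR, or "any"
    dst: str     # CIDR, or "any"
    proto: str   # "tcp" / "udp" / "any"
    dport: int   # 0 = any destination port
    action: str  # "allow" / "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _in_net(addr: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


class ManagedInterface:
    def __init__(self, rules, default_action="deny"):
        self.rules = list(rules)
        self.default_action = default_action
        self.log = []  # packets decided by the default policy, for monitoring

    def evaluate(self, pkt: Packet) -> str:
        for r in self.rules:
            if (_in_net(pkt.src, r.src) and _in_net(pkt.dst, r.dst)
                    and r.proto in ("any", pkt.proto)
                    and r.dport in (0, pkt.dport)):
                return r.action
        self.log.append((self.default_action, pkt))  # nothing matched
        return self.default_action


EXCEPTIONS = [  # the organization's explicit allow list (constructed)
    Rule("any", "203.0.113.10/32", "tcp", 443, "allow"),            # public web front end
    Rule("198.51.100.0/24", "203.0.113.0/24", "tcp", 22, "allow"),  # admin jump network
]

TRAFFIC = [  # constructed packets arriving at the interface
    Packet("192.0.2.5", "203.0.113.10", "tcp", 443),    # customer to web
    Packet("192.0.2.5", "203.0.113.10", "tcp", 22),     # SSH from the internet
    Packet("198.51.100.7", "203.0.113.20", "tcp", 22),  # SSH from jump network
    Packet("192.0.2.5", "203.0.113.30", "udp", 53),     # unexpected DNS
]


def decisions(default_action="deny"):
    """Evaluate the constructed traffic under the given default policy."""
    iface = ManagedInterface(EXCEPTIONS, default_action)
    return [iface.evaluate(p) for p in TRAFFIC]


if __name__ == "__main__":
    print("deny by default :", decisions("deny"))
    print("allow by default:", decisions("allow"))
```

With the default set to "allow", the two exception rules still match, but so does everything else: SSH from the internet and the stray DNS packet both get through, and the monitoring row's check ("only the allowed systems are communicating") has nothing to log. With "deny" as the default, the same exceptions are the complete set of permitted flows, and every default decision is logged for review.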

SC-7(7) Boundary Protection | Split Tunneling for Remote Devices | Implemented? | Comments
Define the organization-defined safeguards for securely provisioning split tunneling. | No |
Implement a system to monitor and detect any unauthorized split tunneling attempts. | No |
Create a policy that prevents split tunneling on remote devices connecting to organizational systems unless the split tunnel is securely provisioned using the organization-defined safeguards. | No |
Train employees on the policy and the organization-defined safeguards for securely provisioning split tunneling. | No |
Implement an authentication system to verify the identity of remote devices connecting to organizational systems. | No |
Implement a system to log and audit all split tunneling attempts. | No |
Monitor and review the logs and audit results regularly. | No |
Update the policy and organization-defined safeguards as needed. | No |

SC-7(8) Boundary Protection | Route Traffic to Authenticated Proxy Servers | Implemented? | Comments
Define the internal communications traffic to be proxied. | No |
Define the external networks. | No |
Install authenticated proxy servers at the managed interfaces. | No |
Configure the proxy servers to route the internal communications traffic to the external networks. | No |
Test the configuration to ensure that the traffic is routed correctly and that direct (unproxied) connections are blocked. | No |
Monitor the proxy servers to ensure that they are functioning properly. | No |

SC-8 Transmission Confidentiality and Integrity | Implemented? | Comments
Encrypt the transmitted information using a secure encryption algorithm. | No |
Use secure protocols such as TLS to protect the transmitted information (SSL and early TLS versions are deprecated and should be disabled). | No |
Use secure authentication methods to ensure only authorized users can access the transmitted information. | No |
Implement access control measures to limit access to the transmitted information. | No |
Monitor the transmitted information for any suspicious activity. | No |
Implement data backup and disaster recovery plans to protect the transmitted information. | No |
Regularly update the security measures that protect the transmitted information. | No |

SC-8(1) Transmission Confidentiality and Integrity | Cryptographic Protection | Implemented? | Comments
Research and select an appropriate cryptographic mechanism to prevent unauthorized disclosure of information and detect changes to information during transmission. | No |
Implement the cryptographic mechanism in the system. | No |
Test the cryptographic mechanism to ensure it is functioning correctly (including that certificate and hostname verification cannot be bypassed). | No |
Monitor the system to ensure the cryptographic mechanism is working properly. | No |
Update the cryptographic mechanism as needed to maintain its effectiveness. | No |
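For SC-8 and SC-8(1) the mechanism is almost always TLS, and the usual failure is not a weak cipher but a client that silently stops verifying the peer. The following is an added example written for this page, not code from the checklist: the weak client configuration beside the hardened one, using only Python's standard `ssl` module, plus a small checker that reports the weaknesses a reviewer would flag. No network connection is opened; the trust-store path argument is an assumption (the system store is used when it is omitted).

```python
"""Added example for SC-8 / SC-8(1): weak versus hardened TLS client contexts
and a checker for the settings a reviewer would flag. Standard library only;
no connection is made. The cafile parameter is an assumed trust-store path."""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """What a quick 'make the error go away' fix often looks like: no peer
    verification and no hostname check, so any interceptor can terminate TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Verify the server certificate against the organization's trust store
    (cafile; the system store if None), check the hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext):
    """Return the findings a reviewer would raise for this client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 accepted")
    return findings


if __name__ == "__main__":
    print("weak    :", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The checker is the kind of test the "test the cryptographic mechanism" row should include: a context that passes a connection test against a valid server proves nothing about what it would do against an interceptor, whereas inspecting `verify_mode`, `check_hostname` and `minimum_version` does.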

SC-10 Network Disconnect | Implemented? | Comments
Identify the network connections associated with communications sessions that are subject to this control. | No |
Monitor each communications session for activity. | No |
Track the time since the last activity on each session (the inactivity period), not the total length of the session. | No |
Set the organization-defined period of inactivity. | No |
Compare each session's inactivity period with the organization-defined period. | No |
When a session has been inactive for longer than the organization-defined period, or when the session ends, terminate the network connection associated with it. | No |

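The SC-10 rows describe one loop: record the last activity per session, compare the idle time with the organization-defined period, and drop the connection when it is exceeded. This added example (not the checklist author's code) implements that loop as a session table with a periodic sweep. Timestamps are plain seconds and the event list is constructed, so the run is reproducible; a real implementation would use a monotonic clock and close the underlying socket where the log entry is written.

```python
"""Idle-session termination as described by SC-10 (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    peer: str             # remote endpoint, kept for the termination record
    opened_at: float
    last_activity: float


class SessionTable:
    def __init__(self, idle_timeout_seconds: float) -> None:
        self.idle_timeout = idle_timeout_seconds      # organization-defined inactivity period
        self._sessions: dict[str, Session] = {}
        self.termination_log: list[dict] = []

    def open(self, session_id: str, peer: str, now: float) -> None:
        self._sessions[session_id] = Session(session_id, peer, now, now)

    def record_activity(self, session_id: str, now: float) -> None:
        """Traffic on a session resets its idle clock; ids already terminated are ignored."""
        sess = self._sessions.get(session_id)
        if sess is not None:
            sess.last_activity = now

    def terminate_idle(self, now: float) -> list[str]:
        """Terminate every session whose inactivity exceeds the timeout; return their ids."""
        terminated = []
        for sid, sess in list(self._sessions.items()):
            idle = now - sess.last_activity
            if idle > self.idle_timeout:
                del self._sessions[sid]                   # where the real socket close would happen
                self.termination_log.append(
                    {"session_id": sid, "peer": sess.peer, "idle_seconds": idle, "at": now}
                )
                terminated.append(sid)
        return sorted(terminated)

    def active(self) -> list[str]:
        return sorted(self._sessions)


def run_sample() -> tuple[SessionTable, dict[float, list[str]]]:
    """Replay a constructed event stream with a 600-second inactivity period."""
    table = SessionTable(idle_timeout_seconds=600)
    events = [
        (0, "open", "s1", "10.0.0.5"),
        (0, "open", "s2", "10.0.0.9"),
        (500, "data", "s1", None),        # s1 stays alive
        (700, "sweep", None, None),       # s2 has been idle 700 s
        (900, "data", "s2", None),        # late traffic on a terminated session is ignored
        (1200, "sweep", None, None),      # s1 now idle 700 s
    ]
    sweeps: dict[float, list[str]] = {}
    for t, kind, sid, peer in events:
        if kind == "open":
            table.open(sid, peer, t)
        elif kind == "data":
            table.record_activity(sid, t)
        elif kind == "sweep":
            sweeps[t] = table.terminate_idle(t)
    return table, sweeps


if __name__ == "__main__":
    table, sweeps = run_sample()
    print(sweeps, table.termination_log)
```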
| SC-17 Public Key Infrastructure Certificates | Implemented? | Comments |
|---|---|---|
| Define the certificate policy for issuing public key certificates. | No | |
| Identify an approved service provider for obtaining public key certificates. | No | |
| Create trust stores or certificate stores managed by the organization. | No | |
| Include only approved trust anchors in the trust stores or certificate stores. | No | |
| Issue public key certificates under the defined certificate policy. | No | |
| Obtain public key certificates from the approved service provider. | No | |
| Set up monitoring processes and tools to monitor and review the trust stores or certificate stores for any unauthorized changes. | No | |

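The review step for SC-17 ("only approved trust anchors", "any unauthorized changes") reduces to comparing the fingerprints present in a store with an approved list. This added example (not from the checklist) splits a PEM bundle into certificate blocks, hashes each block's DER bytes with SHA-256 (the usual certificate fingerprint) and reports anchors that are present without approval or approved but missing. The three PEM blocks are constructed from arbitrary bytes so the example runs offline; they are not real certificates, but the parsing and fingerprinting are what a review of a real bundle does.

```python
"""Trust-store review for SC-17: only approved anchors may be present (added example)."""
from __future__ import annotations

import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>.*?)\s*-----END CERTIFICATE-----", re.S
)


def _constructed_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour (sample data only, not a certificate)."""
    body = base64.b64encode(payload).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


def fingerprints(pem_bundle: str) -> dict[str, int]:
    """Map SHA-256 fingerprint (hex) -> position in the bundle for every block found."""
    found: dict[str, int] = {}
    for index, match in enumerate(PEM_BLOCK.finditer(pem_bundle)):
        der = base64.b64decode("".join(match.group("body").split()))
        found[hashlib.sha256(der).hexdigest()] = index
    return found


def audit_trust_store(pem_bundle: str, approved: set[str]) -> dict[str, list[str]]:
    """Anchors present but not approved, and approved anchors that are missing."""
    present = set(fingerprints(pem_bundle))
    return {
        "unapproved": sorted(present - approved),
        "missing": sorted(approved - present),
    }


# Constructed sample: two approved anchors and one that appeared without approval.
ANCHOR_A = _constructed_pem(b"constructed-root-A")
ANCHOR_B = _constructed_pem(b"constructed-root-B")
ANCHOR_ROGUE = _constructed_pem(b"constructed-unexpected-anchor")

APPROVED_FINGERPRINTS = set(fingerprints(ANCHOR_A + ANCHOR_B))   # the organization's approved list
CURRENT_STORE = ANCHOR_A + ANCHOR_ROGUE + ANCHOR_B                # what the review found on the host


def sample_audit() -> dict[str, list[str]]:
    return audit_trust_store(CURRENT_STORE, APPROVED_FINGERPRINTS)


if __name__ == "__main__":
    print(sample_audit())
```

Run against a real store, the approved list would hold the fingerprints recorded when the store was built, and any non-empty "unapproved" result is the unauthorized change the checklist row asks to detect.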
| SC-18 Mobile Code | Implemented? | Comments |
|---|---|---|
| Establish guidelines for acceptable and unacceptable mobile code and mobile code technologies. | No | |
| Develop a policy for authorizing, monitoring, and controlling the use of mobile code within the system. | No | |
| Implement a system for monitoring and logging mobile code activity. | No | |
| Establish a process for authorizing the use of mobile code in the system. | No | |
| Develop a system for controlling the use of mobile code within the system. | No | |
| Train system users on the use of mobile code and the associated security risks. | No | |
| Set up monitoring processes and tools for mobile code activity and take appropriate action when unauthorized or malicious code is detected. | No | |
| Periodically review and update the policy and guidelines for mobile code use. | No | |

| SC-23 Session Authenticity | Implemented? | Comments |
|---|---|---|
| Establish secure communication protocols such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL). | No | |
| Implement authentication protocols such as two-factor authentication or public key infrastructure (PKI). | No | |
| Implement encryption protocols such as Advanced Encryption Standard (AES) or Rivest-Shamir-Adleman (RSA). | No | |
| Set up monitoring processes and tools to monitor network traffic for suspicious activity. | No | |
| Implement access control measures such as firewalls, intrusion detection systems, and virtual private networks (VPNs). | No | |
| Implement data integrity measures such as digital signatures and message authentication codes (MACs). | No | |
| Implement secure data storage and transmission protocols such as Secure File Transfer Protocol (SFTP) and Secure Shell (SSH). | No | |
| Implement secure authentication protocols such as Kerberos or OpenID Connect. | No | |
| Implement secure authentication protocols such as OAuth 2.0 or SAML. | No | |
| Implement secure protocols such as Secure Real-time Transport Protocol (SRTP) for voice and video communications. | No | |

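The SC-23 rows list message authentication codes among the integrity measures; the point of the control is that a session identifier cannot be forged or altered without detection. This added example (not the checklist author's code) shows one concrete form: a server-side key signs a small claims payload with HMAC-SHA256, the token is `payload.tag` in URL-safe base64, and verification recomputes the tag with a constant-time comparison before enforcing expiry. A token whose claims were altered in transit, one signed under a different key, or one that is simply too old is rejected. The key and timestamps are constructed values; `altered_claims` exists only to produce the negative test vector.

```python
"""Session authenticity with a keyed MAC, one form of the SC-23 integrity measure (added example)."""
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

SESSION_KEY = b"constructed-32-byte-demo-key-0123"   # in production: random, held in a secret store


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> bytes:
    # Canonical serialisation so the same claims always produce the same bytes and tag.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(key: bytes, session_id: str, user: str, issued_at: int, ttl_seconds: int) -> str:
    payload = _encode_claims({"sid": session_id, "sub": user, "iat": issued_at, "exp": issued_at + ttl_seconds})
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(tag)}"


def verify_token(key: bytes, token: str, now: int) -> Optional[dict]:
    """Return the claims if the tag verifies and the token is unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        tag = _b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None                                   # malformed: wrong shape or bad base64
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or now >= claims.get("exp", 0):
        return None
    return claims


def altered_claims(token: str, **changes) -> str:
    """Test vector: rewrite the claims but keep the old tag (what a party without the key can do)."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(changes)
    return f"{_b64url(_encode_claims(claims))}.{tag_b64}"


if __name__ == "__main__":
    tok = issue_token(SESSION_KEY, "sess-1", "alice", 1_700_000_000, 900)
    print(tok)
    print(verify_token(SESSION_KEY, tok, 1_700_000_100))
    print(verify_token(SESSION_KEY, altered_claims(tok, sub="root"), 1_700_000_100))
```

A MAC binds the session to a key the server holds; where sessions must be verifiable by parties that do not share that key, the same structure is used with a digital signature in place of the HMAC, which is the other integrity measure the row names.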
| SC-28 Protection of Information at Rest | Implemented? | Comments |
|---|---|---|
| Identify the organization-defined information at rest that needs to be protected. | No | |
| Establish policies and procedures to protect the confidentiality and integrity of the information at rest. | No | |
| Implement technical controls to protect the confidentiality and integrity of the information at rest. | No | |
| Set up monitoring processes and tools for the system to ensure the confidentiality and integrity of the information at rest is maintained. | No | |
| Test the system to ensure the confidentiality and integrity of the information at rest is maintained. | No | |
| Regularly review the policies and procedures to ensure they are up-to-date and appropriate. | No | |
| Train personnel on the policies and procedures to ensure they are aware of the requirements. | No | |
| Implement an incident response plan to address any security incidents. | No | |

| SC-28(1) Protection of Information at Rest \| Cryptographic Protection | Implemented? | Comments |
|---|---|---|
| Identify the organization-defined system components or media where the information is stored. | No | |
| Identify the organization-defined information that needs to be protected. | No | |
| Select an appropriate cryptographic mechanism to protect the information. | No | |
| Implement the cryptographic mechanism on the identified system components or media. | No | |
| Test the cryptographic mechanism to ensure it is functioning correctly. | No | |
| Set up monitoring processes and tools for the cryptographic mechanism to ensure it continues to function correctly. | No | |

Baseline - High

| SC-3 Security Function Isolation | Implemented? | Comments |
|---|---|---|
| Identify the security functions of the system. | No | |
| Create a separate system for the security functions. | No | |
| Implement a secure network architecture to protect the security functions from nonsecurity functions. | No | |
| Implement access control measures to restrict access to the security functions. | No | |
| Set up monitoring processes and tools to monitor the security functions for any unauthorized access attempts. | No | |
| Implement a system to log and audit all access attempts to the security functions. | No | |
| Test the security functions regularly to ensure they are functioning correctly. | No | |
| Update the security functions as needed to keep them secure. | No | |

| SC-7(18) Boundary Protection \| Fail Secure | Implemented? | Comments |
|---|---|---|
| Set up monitoring processes and tools for the operational status of the boundary protection device. | No | |
| Establish a secure connection between the boundary protection device and the systems. | No | |
| Implement a fail-safe mechanism to prevent systems from entering unsecure states in the event of an operational failure of the boundary protection device. | No | |
| Test the fail-safe mechanism to ensure it is working properly. | No | |
| Implement a backup boundary protection device in case of a failure of the primary device. | No | |
| Set up monitoring processes and tools for the operational status of the backup boundary protection device. | No | |
| Establish a secure connection between the backup boundary protection device and the systems. | No | |
| Implement a fail-safe mechanism to prevent systems from entering unsecure states in the event of an operational failure of the backup boundary protection device. | No | |
| Test the fail-safe mechanism for the backup device to ensure it is working properly. | No | |
| Develop a plan to regularly test and maintain the boundary protection devices. | No | |

| SC-7(21) Boundary Protection \| Isolation of System Components | Implemented? | Comments |
|---|---|---|
| Identify the system components supporting organization-defined missions and/or business functions. | No | |
| Research and select boundary protection mechanisms that are appropriate for the identified system components. | No | |
| Implement the selected boundary protection mechanisms. | No | |
| Test the boundary protection mechanisms to ensure they are functioning properly. | No | |
| Set up monitoring processes and tools for the boundary protection mechanisms to detect any unauthorized access or activity. | No | |
| Update the boundary protection mechanisms as necessary to maintain their effectiveness. | No | |

| SC-12(1) Cryptographic Key Establishment and Management \| Availability | Implemented? | Comments |
|---|---|---|
| Establish a secure backup system for storing cryptographic keys. | No | |
| Develop a policy for regularly backing up cryptographic keys. | No | |
| Ensure that the backup system is regularly tested and updated. | No | |
| Educate users on the importance of backing up cryptographic keys. | No | |
| Provide users with the necessary tools to securely back up their cryptographic keys. | No | |
| Set up monitoring processes and tools for user activity to ensure that cryptographic keys are being backed up regularly. | No | |
| Establish a process for recovering cryptographic keys in the event of loss. | No | |
| Develop a plan for securely storing backup copies of cryptographic keys. | No | |
| Develop a policy for securely sharing cryptographic keys with authorized personnel. | No | |
| Implement a system for securely transferring cryptographic keys between authorized personnel. | No | |

| SC-24 Fail in Known State | Implemented? | Comments |
|---|---|---|
| Identify the types of system failures on the organization-defined system components. | No | |
| Determine the organization-defined known system state to fail to. | No | |
| Establish a plan to preserve the organization-defined system state information in failure. | No | |
| Implement the plan to fail to the organization-defined known system state. | No | |
| Test the system to ensure the failure to the organization-defined known system state was successful. | No | |

SI System and Information Integrity

Baseline - Low

| SI-1 Policy and Procedures | Implemented? | Comments |
|---|---|---|
| Define who is responsible for the system and information integrity policy. | No | |
| Establish a scope for the policy and procedures. | No | |
| Define policy and procedures statements that adhere to requirements from law and the organization. | No | |

| SI-2 Flaw Remediation | Implemented? | Comments |
|---|---|---|
| Analyze system logs and reports to identify potential flaws. | No | |
| Document flaws and report them to relevant personnel. | No | |
| Develop a plan to remediate identified flaws. | No | |
| Test software and firmware updates related to flaw remediation for effectiveness and potential side effects. | No | |
| Install security-relevant software and firmware updates within the assigned time period. | No | |
| Set up monitoring processes and tools for system performance after installation of updates. | No | |
| Incorporate flaw remediation into the organizational configuration management process. | No | |
| Create procedures for regularly monitoring system logs and reports for potential flaws. | No | |

| SI-3 Malicious Code Protection | Implemented? | Comments |
|---|---|---|
| Research and select signature-based and non-signature-based malicious code protection mechanisms. | No | |
| Configure malicious code protection mechanisms to perform periodic scans of the system at an organization-defined frequency and real-time scans of files from external sources at endpoints and at network entry and exit points. | No | |
| Configure malicious code protection mechanisms to block, quarantine, or take an organization-defined action in response to malicious code detection and to send an alert to organization-defined personnel or roles. | No | |
| Automatically update malicious code protection mechanisms as new releases become available, in accordance with organizational configuration management policy and procedures. | No | |
| Set up monitoring processes and tools for false positives during malicious code detection and eradication, and address the potential impact on the availability of the system. | No | |

| SI-4 System Monitoring | Implemented? | Comments |
|---|---|---|
| Establish organization-defined monitoring objectives. | No | |
| Establish organization-defined techniques and methods to identify unauthorized use of the system. | No | |
| Strategically place monitoring devices within the system to collect organization-determined essential information. | No | |
| Place ad hoc monitoring devices within the system to track specific types of transactions of interest to the organization. | No | |
| Set up monitoring processes and tools to monitor the system for attacks and indicators of potential attacks. | No | |
| Set up monitoring processes and tools to monitor the system for unauthorized local, network, and remote connections. | No | |
| Analyze detected events and anomalies. | No | |
| Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation. | No | |
| Obtain legal opinion regarding system monitoring activities. | No | |
| Provide organization-defined system monitoring information to organization-defined personnel or roles as needed or at an organization-defined frequency. | No | |

| SI-5 Security Alerts, Advisories, and Directives | Implemented? | Comments |
|---|---|---|
| Establish a process for receiving system security alerts, advisories, and directives from external organizations. | No | |
| Set up monitoring processes and tools to monitor external organizations for new security alerts, advisories, and directives. | No | |
| Generate internal security alerts, advisories, and directives as necessary. | No | |
| Disseminate security alerts, advisories, and directives to personnel, elements within the organization, and external organizations. | No | |
| Establish time frames for implementing security directives. | No | |
| Notify the issuing organization of any degree of noncompliance. | No | |

| SI-12 Information Management and Retention | Implemented? | Comments |
|---|---|---|
| Develop a system to store and manage information. | No | |
| Establish policies and procedures for information retention. | No | |
| Develop a system for outputting information in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. | No | |
| Train staff on the policies and procedures for information retention and output. | No | |
| Set up monitoring processes and tools for the system to ensure compliance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. | No | |
| Update the system as needed to ensure compliance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. | No | |
| Develop a system for archiving information in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. | No | |
| Develop a system for securely disposing of information in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. | No | |

Baseline - Moderate

| SI-2(2) Flaw Remediation \| Automated Flaw Remediation Status | Implemented? | Comments |
|---|---|---|
| Identify the system components that need to be updated. | No | |
| Determine the applicable security-relevant software and firmware updates for each system component. | No | |
| Establish an automated mechanism to check for updates. | No | |
| Define a frequency for the automated mechanism to check for updates. | No | |
| Implement the automated mechanism. | No | |
| Set up monitoring processes and tools for the automated mechanism to ensure it is running as expected. | No | |

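The automated status check that SI-2(2) asks for, combined with the "install within the assigned time period" row of SI-2, is a comparison of three things: what is installed, what fixed version is available, and how long the organization allows for each severity. This added example (not from the checklist) performs that comparison and ranks the results by how far past the remediation deadline they are. The inventory, the update feed and the remediation windows are constructed sample data; in practice the feed comes from the vendor or a vulnerability-management tool and the check runs on the organization-defined frequency.

```python
"""Automated flaw-remediation status in the spirit of SI-2 / SI-2(2) (added example)."""
from __future__ import annotations

from datetime import date, timedelta

# Organization-defined remediation windows by severity, in days (constructed values).
REMEDIATION_WINDOW_DAYS = {"critical": 15, "high": 30, "moderate": 90, "low": 180}


def version_key(version: str) -> tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10); numeric comparison avoids the string ordering '1.2.9' > '1.2.10'."""
    return tuple(int(part) for part in version.split("."))


def remediation_status(inventory: dict[str, str], updates: list[dict], today: date) -> list[dict]:
    """One record per applicable update that the installed component has not yet received."""
    findings = []
    for upd in updates:
        installed = inventory.get(upd["component"])
        if installed is None:
            continue                                     # component not deployed on this system
        if version_key(installed) >= version_key(upd["version"]):
            continue                                     # already at or beyond the fixed version
        deadline = upd["released"] + timedelta(days=REMEDIATION_WINDOW_DAYS[upd["severity"]])
        findings.append({
            "component": upd["component"],
            "installed": installed,
            "available": upd["version"],
            "severity": upd["severity"],
            "deadline": deadline.isoformat(),
            "overdue_days": max(0, (today - deadline).days),
        })
    # Most overdue first, then by name, so the report leads with what breaches the window.
    return sorted(findings, key=lambda f: (-f["overdue_days"], f["component"]))


# Constructed sample data: fictional components and versions.
INVENTORY = {"sshd": "2.4.1", "webproxy": "1.9.0", "kernel": "5.3.2"}
UPDATES = [
    {"component": "sshd", "version": "2.4.3", "severity": "critical", "released": date(2024, 7, 1)},
    {"component": "webproxy", "version": "1.9.0", "severity": "high", "released": date(2024, 6, 1)},
    {"component": "kernel", "version": "5.3.4", "severity": "moderate", "released": date(2024, 8, 20)},
    {"component": "dbengine", "version": "3.1.0", "severity": "high", "released": date(2024, 8, 8)},
]


def sample_status(today: date = date(2024, 9, 1)) -> list[dict]:
    return remediation_status(INVENTORY, UPDATES, today)


if __name__ == "__main__":
    for finding in sample_status():
        print(finding)
```

Anything with a non-zero `overdue_days` is a breach of the assigned time period and is what the monitoring row should surface; an empty list is the "running as expected" state.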
| SI-4(2) System Monitoring \| Automated Tools and Mechanisms for Real-time Analysis | Implemented? | Comments |
|---|---|---|
| Identify the events that need to be analyzed. | No | |
| Research and select automated tools and mechanisms that can support near real-time analysis of the identified events. | No | |
| Develop a strategy to integrate the automated tools and mechanisms into the existing system. | No | |
| Implement the automated tools and mechanisms in the existing system. | No | |
| Test and evaluate the performance of the automated tools and mechanisms. | No | |
| Set up monitoring processes and tools to monitor and adjust the automated tools and mechanisms as needed. | No | |
| Document and communicate the automated tools and mechanisms to stakeholders. | No | |

| SI-4(4) System Monitoring \| Inbound and Outbound Communications Traffic | Implemented? | Comments |
|---|---|---|
| Establish criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic. | No | |
| Set up a monitoring system to track inbound and outbound communications traffic. | No | |
| Define the frequency of monitoring. | No | |
| Set up monitoring processes and tools to monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions. | No | |
| Analyze the data collected from the monitoring process. | No | |
| Take appropriate actions based on the analysis. | No | |

| SI-4(5) System Monitoring \| System-generated Alerts | Implemented? | Comments |
|---|---|---|
| Define the personnel or roles that will be alerted in case of a compromise or potential compromise. | No | |
| Define the compromise indicators that will trigger an alert. | No | |
| Create an alert system that will notify the personnel or roles when a compromise indicator is detected. | No | |
| Implement the alert system in the organization's IT infrastructure. | No | |
| Test the alert system to ensure it is working properly. | No | |
| Set up monitoring processes and tools for the alert system to ensure it is functioning properly. | No | |
| Update the alert system as needed to ensure it is up to date with the latest compromise indicators. | No | |

| SI-7 Software, Firmware, and Information Integrity | Implemented? | Comments |
|---|---|---|
| Identify the software, firmware, and information that needs to be monitored for unauthorized changes. | No | |
| Select and deploy integrity verification tools to detect unauthorized changes. | No | |
| Configure the integrity verification tools to monitor the software, firmware, and information. | No | |
| Set up monitoring processes and tools to monitor the software, firmware, and information for unauthorized changes. | No | |
| Analyze the results of the integrity verification tools to detect unauthorized changes. | No | |
| Document any unauthorized changes that are detected. | No | |
| Take the organization-defined actions when unauthorized changes are detected. | No | |
| Review the integrity verification tools and organization-defined actions on a regular basis to ensure they remain effective. | No | |

| SI-7(1) Software, Firmware, and Information Integrity \| Integrity Checks | Implemented? | Comments |
|---|---|---|
| Identify the software, firmware, and information to be checked for integrity. | No | |
| Establish organization-defined transitional states or security-relevant events that will trigger the integrity check. | No | |
| Establish an organization-defined frequency for the integrity check. | No | |
| Develop a process to perform the integrity check. | No | |
| Implement the process to perform the integrity check. | No | |
| Test the process to ensure it is functioning correctly. | No | |
| Set up monitoring processes and tools for the integrity check process to ensure it is running as expected. | No | |

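The integrity verification that SI-7 deploys and SI-7(1) schedules is, at its core, a baseline of digests compared with a fresh measurement. This added example (not the checklist author's code) serves both tables: `compute_baseline()` records a SHA-256 digest per file, and `verify_integrity()` re-hashes the current contents and reports modified, missing and unexpected files, which is the comparison an integrity check triggered at start-up, after a deployment or on the organization-defined schedule performs. The file contents below are constructed; `snapshot_directory()` shows how the same functions are fed from a real directory tree.

```python
"""Integrity baseline and check for SI-7 / SI-7(1) (added example)."""
from __future__ import annotations

import hashlib
import json
from pathlib import Path


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def compute_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path to the SHA-256 of its content; this is the approved state."""
    return {path: digest(content) for path, content in sorted(files.items())}


def verify_integrity(baseline: dict[str, str], current: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the current contents with the baseline and classify every difference."""
    now = compute_baseline(current)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(now)),       # removed or renamed since the baseline
        "unexpected": sorted(set(now) - set(baseline)),    # files that were never approved
    }


def is_clean(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


def snapshot_directory(root: Path) -> dict[str, bytes]:
    """Read every regular file under root, keyed by path relative to root, for the functions above."""
    return {str(p.relative_to(root)): p.read_bytes() for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


# Constructed sample: the approved state, then what the next scheduled check observed.
APPROVED = {
    "bin/agent": b"\x7fELF-constructed-agent-binary-v1",
    "etc/agent.conf": b"log_level=info\nupload=https://collector.example.org\n",
    "firmware/bmc.img": b"constructed-firmware-image-1.0",
}
OBSERVED = {
    "bin/agent": b"\x7fELF-constructed-agent-binary-v1",
    "etc/agent.conf": b"log_level=debug\nupload=https://collector.example.org\n",   # changed
    "firmware/bmc.img": b"constructed-firmware-image-1.0",
    "bin/helper": b"\x7fELF-constructed-unknown-binary",                            # appeared
}


def sample_report() -> dict[str, list[str]]:
    return verify_integrity(compute_baseline(APPROVED), OBSERVED)


if __name__ == "__main__":
    report = sample_report()
    print("clean" if is_clean(report) else report)
```

The baseline itself must be stored where the monitored system cannot rewrite it (a separate host or a signed record), otherwise an unauthorized change can be accompanied by an updated baseline and the check reports clean.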
| SI-7(7) Software, Firmware, and Information Integrity \| Integration of Detection and Response | Implemented? | Comments |
|---|---|---|
| Establish a policy that defines what constitutes an unauthorized change. | No | |
| Develop a process for detecting unauthorized changes. | No | |
| Implement a system for monitoring and alerting on unauthorized changes. | No | |
| Establish a procedure for responding to unauthorized changes. | No | |
| Train personnel on the policy, process, and procedure for responding to unauthorized changes. | No | |
| Test the system for detecting unauthorized changes. | No | |
| Document the system for detecting unauthorized changes. | No | |
| Update the incident response capability to include detection of unauthorized changes. | No | |

| SI-8 Spam Protection | Implemented? | Comments |
|---|---|---|
| Identify system entry and exit points. | No | |
| Research and select appropriate spam protection mechanisms. | No | |
| Install and configure the spam protection mechanisms. | No | |
| Set up monitoring processes and tools to monitor the system for unsolicited messages. | No | |
| Take appropriate action when unsolicited messages are detected. | No | |
| Establish a process to track new releases of spam protection mechanisms. | No | |
| Implement organizational configuration management policy and procedures. | No | |
| Update spam protection mechanisms when new releases are available. | No | |

| SI-8(2) Spam Protection \| Automatic Updates | Implemented? | Comments |
|---|---|---|
| Determine the frequency of updates required for the spam protection mechanisms. | No | |
| Set up a system to automate the updates at the specified frequency. | No | |
| Set up monitoring processes and tools for the system to ensure that the updates are taking place as scheduled. | No | |
| Test the spam protection mechanisms after each update to ensure that they are functioning correctly. | No | |
| Document the process for updating the spam protection mechanisms. | No | |

| SI-10 Information Input Validation | Implemented? | Comments |
|---|---|---|
| Identify the information inputs to be checked. | No | |
| Design a process to validate the accuracy of the information inputs. | No | |
| Develop a program to execute the validation process. | No | |
| Test the program to ensure it is functioning properly. | No | |
| Implement the program in the system. | No | |
| Set up monitoring processes and tools for the program to ensure it is working correctly. | No | |

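The "program to execute the validation process" of SI-10 is most robust as an allowlist: every expected input field declares its type, bounds and permitted pattern, and anything absent, extra or out of range is rejected with a specific reason rather than repaired or passed through. This added example (not the checklist author's code) is such a validator; the account-update schema and the sample inputs are constructed for the demonstration.

```python
"""Information input validation (SI-10) as an allowlist schema check (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class FieldRule:
    kind: type
    required: bool = True
    pattern: Optional[str] = None          # full-match regex for string fields
    min_value: Optional[int] = None
    max_value: Optional[int] = None
    max_length: Optional[int] = None
    allowed: Optional[frozenset] = None    # closed set of permitted values


def validate(data: dict[str, Any], schema: dict[str, FieldRule]) -> list[str]:
    """Return the list of violations; an empty list means the input is acceptable."""
    errors: list[str] = []
    for name in sorted(set(data) - set(schema)):
        errors.append(f"{name}: unexpected field")           # reject anything never specified
    for name, rule in schema.items():
        if name not in data:
            if rule.required:
                errors.append(f"{name}: missing")
            continue
        value = data[name]
        # bool is a subclass of int in Python; an int field must not accept True/False.
        if (rule.kind is int and isinstance(value, bool)) or not isinstance(value, rule.kind):
            errors.append(f"{name}: expected {rule.kind.__name__}")
            continue
        if rule.pattern is not None and isinstance(value, str) and not re.fullmatch(rule.pattern, value):
            errors.append(f"{name}: does not match permitted format")
        if rule.max_length is not None and len(value) > rule.max_length:
            errors.append(f"{name}: longer than {rule.max_length}")
        if rule.min_value is not None and value < rule.min_value:
            errors.append(f"{name}: below {rule.min_value}")
        if rule.max_value is not None and value > rule.max_value:
            errors.append(f"{name}: above {rule.max_value}")
        if rule.allowed is not None and value not in rule.allowed:
            errors.append(f"{name}: not one of the permitted values")
    return errors


# Constructed schema for an account-update request.
ACCOUNT_UPDATE = {
    "username": FieldRule(str, pattern=r"[a-z][a-z0-9_]{2,31}"),
    "display_name": FieldRule(str, required=False, max_length=64, pattern=r"[\w .'-]*"),
    "quota_gb": FieldRule(int, min_value=1, max_value=1024),
    "role": FieldRule(str, allowed=frozenset({"viewer", "editor"})),
}

# Constructed inputs: one acceptable, one with four distinct problems.
GOOD_INPUT = {"username": "jsmith", "quota_gb": 50, "role": "editor"}
BAD_INPUT = {"username": "j", "quota_gb": 5000, "role": "admin", "is_admin": True}


if __name__ == "__main__":
    print(validate(GOOD_INPUT, ACCOUNT_UPDATE))
    print(validate(BAD_INPUT, ACCOUNT_UPDATE))
```

The error strings name the field and the rule but never echo the rejected value, which keeps the validator's own output from becoming a channel for the content it rejected.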
| SI-11 Error Handling | Implemented? | Comments |
|---|---|---|
| Identify the types of errors that could occur in the system. | No | |
| Create a list of error messages that provide the necessary information for corrective actions without revealing any exploitable information. | No | |
| Define the personnel or roles who should have access to the error messages. | No | |
| Develop a system to restrict access to the error messages to the defined personnel or roles. | No | |
| Test the system to ensure that the error messages are only revealed to the designated personnel or roles. | No | |
| Set up monitoring processes and tools for the system to ensure that the error messages are only revealed to the designated personnel or roles. | No | |

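SI-11 separates two audiences: the caller, who needs enough to act but nothing about internals, and the designated roles, who need the full detail. This added example (not the checklist author's code) gives every failure an opaque reference id, returns a fixed message plus that id to the caller, and stores the exception type, message and stack trace in a protected record that only the organization-defined roles can read back. The roles, the exception and the server path inside it are constructed for the demonstration.

```python
"""Error handling that separates what users see from what responders see (SI-11, added example)."""
from __future__ import annotations

import secrets
import traceback
from typing import Optional

AUTHORIZED_ROLES = frozenset({"sysadmin", "incident-responder"})   # organization-defined roles

# Generic messages keyed by error class: enough for the caller to act on, nothing about internals.
USER_MESSAGES = {
    "input": "The request was not accepted. Check the submitted values and try again.",
    "dependency": "A required service is unavailable. Try again later.",
    "internal": "The request could not be completed.",
}


class ErrorStore:
    """Protected detail log; reading it back is gated by role."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def put(self, reference: str, record: dict) -> None:
        self._records[reference] = record

    def get(self, reference: str, requester_roles: set[str]) ->Optional[dict]:
        if not (requester_roles & AUTHORIZED_ROLES):
            return None                       # unauthorized roles learn nothing, not even that the id exists
        return self._records.get(reference)


def classify(exc: BaseException) -> str:
    if isinstance(exc, (ValueError, KeyError, TypeError)):
        return "input"
    if isinstance(exc, (ConnectionError, TimeoutError)):
        return "dependency"
    return "internal"


def handle_error(exc: BaseException, store: ErrorStore, reference: Optional[str] = None) -> dict:
    """Record full detail in the store; return only the safe response body."""
    ref = reference or secrets.token_hex(8)   # opaque, unguessable, not derived from the error
    store.put(ref, {
        "type": type(exc).__name__,
        "message": str(exc),
        "traceback": "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
    })
    return {"error": USER_MESSAGES[classify(exc)], "reference": ref}


def sample() -> tuple[dict, ErrorStore]:
    """Constructed failure whose message carries a server path and an account name."""
    store = ErrorStore()
    try:
        raise PermissionError("cannot open /srv/app/secrets/db.ini (user appsvc)")
    except PermissionError as exc:
        return handle_error(exc, store, reference="ref-demo-0001"), store


if __name__ == "__main__":
    response, store = sample()
    print(response)
    print(store.get(response["reference"], {"helpdesk"}))
    print(store.get(response["reference"], {"incident-responder"})["message"])
```

The monitoring row of SI-11 becomes a check that responses leaving the system never contain what the store holds: a test that greps the rendered response for the stored message, as the assertions here do, is the simplest form of it.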
| SI-16 Memory Protection | Implemented? | Comments |
|---|---|---|
| Implement access control measures to limit access to system memory. | No | |
| Implement authentication measures to verify the identity of users attempting to access system memory. | No | |
| Implement encryption measures to protect system memory from unauthorized access. | No | |
| Implement logging and monitoring measures to detect any unauthorized access to system memory. | No | |
| Implement a patch management system to ensure system memory is up to date with the latest security patches. | No | |
| Implement a system of regular security scans to identify any vulnerabilities in the system memory. | No | |
| Implement a system of regular backups to ensure that system memory is not lost in the event of an attack. | No | |
| Implement a system of regular audits to ensure that system memory is not compromised. | No | |

Baseline - High

| SI-4(10) System Monitoring \| Visibility of Encrypted Communications | Implemented? | Comments |
|---|---|---|
| Identify the organization-defined encrypted communications traffic. | No | |
| Identify the organization-defined system monitoring tools and mechanisms. | No | |
| Configure the system monitoring tools and mechanisms to detect the encrypted communications traffic. | No | |
| Set up the necessary encryption keys and protocols to ensure secure communication between the system monitoring tools and the encrypted communications traffic. | No | |
| Test the system monitoring tools and mechanisms to ensure that they are able to detect and monitor the encrypted communications traffic. | No | |
| Document the process for monitoring the encrypted communications traffic and the system monitoring tools and mechanisms used. | No | |

| SI-4(12) System Monitoring \| Automated Organization-generated Alerts | Implemented? | Comments |
|---|---|---|
| Define personnel or roles to be alerted. | No | |
| Define automated mechanisms to be used for alerting. | No | |
| Define activities that trigger alerts. | No | |
| Implement automated mechanisms for alerting. | No | |
| Set up monitoring processes and tools to monitor activities for indications of inappropriate or unusual activities with security or privacy implications. | No | |
| Generate alerts when the defined triggering activities occur. | No | |
| Notify personnel or roles when alerts are generated. | No | |

| SI-4(14) System Monitoring \| Wireless Intrusion Detection | Implemented? | Comments |
|---|---|---|
| Research and select a wireless intrusion detection system that meets the organization's needs. | No | |
| Install the wireless intrusion detection system. | No | |
| Configure the system to detect rogue wireless devices and attack attempts. | No | |
| Set up monitoring processes and tools to monitor the system for alerts and suspicious activity. | No | |
| Investigate any alerts or suspicious activity. | No | |
| Take appropriate action to address any identified threats. | No | |
| Update the system regularly to ensure it is up-to-date with the latest security patches and updates. | No | |
| Test the system regularly to ensure it is functioning properly. | No | |

| SI-4(20) System Monitoring \| Privileged Users | Implemented? | Comments |
|---|---|---|
| Identify the privileged users who need to be monitored. | No | |
| Define the organization-defined additional monitoring. | No | |
| Establish procedures for collecting and analyzing the additional monitoring data. | No | |
| Implement the additional monitoring of privileged users. | No | |
| Set up monitoring processes and tools to review the additional monitoring data for any suspicious activity. | No | |
| Report any suspicious activity to the appropriate personnel. | No | |
| Update the organization's policies and procedures to reflect the additional monitoring. | No | |

| SI-4(22) System Monitoring \| Unauthorized Network Services | Implemented? | Comments |
|---|---|---|
| Establish organization-defined authorization or approval processes. | No | |
| Set up monitoring processes and tools to monitor network services for unauthorized or unapproved services. | No | |
| Audit detected unauthorized or unapproved services. | No | |
| Alert organization-defined personnel or roles when unauthorized or unapproved services are detected. | No | |

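For SI-4(22) the output of the approval process is a list of which process may listen on which port; detection is then a comparison of that list with the listening sockets actually present on each host. This added example (not from the checklist) parses a listening-socket listing, flags every listener that is not on the approved list, and produces the alert lines for the designated roles. The approved list and the input lines are constructed here in the shape of `ss -ltnp` output; in use the listing would be collected from the hosts on the organization-defined schedule.

```python
"""Detecting unauthorized network services (SI-4(22)) from a listening-socket listing (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Approval list: (port, process name) pairs the organization has authorized (constructed).
APPROVED_SERVICES = {(22, "sshd"), (443, "nginx"), (9100, "node_exporter")}

# Matches one LISTEN row of ss -ltnp; the users:(( ... )) column is optional because it
# is only shown when the collector ran with enough privilege to read process names.
LISTEN_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str
    pid: Optional[int]


def parse_listeners(text: str) -> list[Listener]:
    listeners = []
    for line in text.splitlines():
        m = LISTEN_LINE.match(line.strip())
        if not m:
            continue                                  # header line or a non-listening state
        listeners.append(Listener(
            address=m["addr"],
            port=int(m["port"]),
            process=m["proc"] or "unknown",           # unknown process is itself worth an alert
            pid=int(m["pid"]) if m["pid"] else None,
        ))
    return listeners


def unauthorized_services(listeners: list[Listener], approved=APPROVED_SERVICES) -> list[Listener]:
    """A listener is approved only if both its port and its process name were authorized."""
    return [l for l in listeners if (l.port, l.process) not in approved]


def alert_lines(host: str, findings: list[Listener]) -> list[str]:
    return [
        f"ALERT {host}: unapproved service {l.process} (pid {l.pid}) listening on {l.address}:{l.port}"
        for l in findings
    ]


# Constructed sample in the shape of `ss -ltnp` output.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1204,fd=6))
LISTEN 0      4096   127.0.0.1:9100      0.0.0.0:*         users:(("node_exporter",pid=1410,fd=3))
LISTEN 0      128    0.0.0.0:8081        0.0.0.0:*         users:(("python3",pid=2231,fd=4))
LISTEN 0      128    [::]:2222           [::]:*            users:(("sshd",pid=812,fd=4))
"""


if __name__ == "__main__":
    findings = unauthorized_services(parse_listeners(SAMPLE_SS_OUTPUT))
    for line in alert_lines("web-01", findings):
        print(line)
```

The second finding shows why the pair is checked rather than the process name alone: an approved daemon listening on an additional, unapproved port is still an unapproved service under the control.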
| SI-5(1) Security Alerts, Advisories, and Directives \| Automated Alerts and Advisories | Implemented? | Comments |
|---|---|---|
| Identify the security alert and advisory information to be broadcast. | No | |
| Establish automated mechanisms for broadcasting the security alert and advisory information. | No | |
| Configure the automated mechanisms to broadcast the security alert and advisory information. | No | |
| Test the automated mechanisms to ensure they are functioning properly. | No | |
| Set up monitoring processes and tools for the automated mechanisms to ensure the security alert and advisory information is being broadcast correctly. | No | |
| Update the automated mechanisms as needed to ensure the security alert and advisory information is up-to-date. | No | |

| SI-6 Security and Privacy Function Verification | Implemented? | Comments |
|---|---|---|
| Identify the security and privacy functions to be verified. | No | |
| Define the system transitional states to be verified. | No | |
| Establish the frequency of verification tests. | No | |
| Identify the personnel or roles to be alerted to failed verification tests. | No | |
| Develop procedures to shut down or restart the system, or take alternative actions, when anomalies are discovered. | No | |
| Perform verification tests. | No | |
| Analyze the results of the verification tests. | No | |
| Alert the appropriate personnel or roles to failed verification tests. | No | |
| Take appropriate action when anomalies are discovered. | No | |

| SI-7(2) Software, Firmware, and Information Integrity \| Automated Notifications of Integrity Violations | Implemented? | Comments |
|---|---|---|
| Research automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification. | No | |
| Select an appropriate automated tool. | No | |
| Install the automated tool. | No | |
| Configure the automated tool to send notifications to organization-defined personnel or roles. | No | |
| Test the automated tool to ensure it is working properly. | No | |
| Set up monitoring processes and tools for the automated tool to ensure it is providing accurate notifications. | No | |

| SI-7(5) Software, Firmware, and Information Integrity \| Automated Response to Integrity Violations | Implemented? | Comments |
|---|---|---|
| Define the organization-defined controls. | No | |
| Set up monitoring processes and tools to monitor the system for integrity violations. | No | |
| When an integrity violation is detected, automatically shut the system down, restart the system, or implement the organization-defined controls. | No | |

| SI-7(15) Software, Firmware, and Information Integrity \| Code Authentication | Implemented? | Comments |
|---|---|---|
| Identify the software or firmware components to be authenticated. | No | |
| Select an appropriate cryptographic mechanism for authentication. | No | |
| Configure the cryptographic mechanism for authentication. | No | |
| Generate cryptographic keys for authentication. | No | |
| Integrate the cryptographic mechanism into the software or firmware components. | No | |
| Test the authentication process. | No | |
| Deploy the authenticated software or firmware components. | No | |

SR Supply Chain Risk Management

Baseline - Low

| SR-1 Policy and Procedures | Implemented? | Comments |
|---|---|---|
| Define who is responsible for the supply chain risk management policy. | No | |
| Establish a scope for the policy and procedures. | No | |
| Define policy and procedures statements that adhere to requirements from law and the organization. | No | |

| SR-2 Supply Chain Risk Management Plan | Implemented? | Comments |
|---|---|---|
| Identify the organization-defined systems, system components, or system services. | No | |
| Research and analyze potential supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the systems, system components, or system services. | No | |
| Develop a supply chain risk management plan to address the identified risks. | No | |
| Review and update the supply chain risk management plan at the organization-defined frequency or as required, to address threat, organizational or environmental changes. | No | |
| Protect the supply chain risk management plan from unauthorized disclosure and modification. | No | |

| SR-2(1) Supply Chain Risk Management Plan \| Establish SCRM Team | Implemented? | Comments |
|---|---|---|
| Identify personnel to be included in the supply chain risk management team. | No | |
| Assign roles and responsibilities to each member of the team. | No | |
| Establish a timeline for the implementation of the supply chain risk management activities. | No | |
| Establish a budget for the supply chain risk management activities. | No | |
| Create a plan for the implementation of the supply chain risk management activities. | No | |
| Develop a communication strategy to inform stakeholders of the supply chain risk management activities. | No | |
| Set up monitoring processes and tools to monitor and evaluate the effectiveness of the supply chain risk management activities. | No | |
| Update the supply chain risk management team and activities as needed. | No | |

| SR-3 Supply Chain Controls and Processes | Implemented? | Comments |
|---|---|---|
| Identify weaknesses or deficiencies in the supply chain elements and processes of the system or system component. | No | |
| Coordinate with supply chain personnel to address the identified weaknesses or deficiencies. | No | |
| Select and implement supply chain controls to protect against supply chain risks to the system, system component, or system service. | No | |
| Document the selected and implemented supply chain processes and controls in security and privacy plans, the supply chain risk management plan, or another organization-defined document. | No | |

| SR-5 Acquisition Strategies, Tools, and Methods | Implemented? | Comments |
|---|---|---|
| Identify and assess the supply chain risks associated with the organization's operations. | No | |
| Develop an acquisition strategy to mitigate the identified risks. | No | |
| Develop contract tools and procurement methods to protect against the identified risks. | No | |
| Implement the acquisition strategy, contract tools, and procurement methods. | No | |
| Set up monitoring processes and tools to monitor the effectiveness of the acquisition strategy, contract tools, and procurement methods. | No | |
| Update the acquisition strategy, contract tools, and procurement methods as needed. | No | |

| SR-8 Notification Agreements | Implemented? | Comments |
|---|---|---|
| Identify entities involved in the supply chain. | No | |
| Establish agreements with the entities. | No | |
| Establish procedures for notification of supply chain compromises. | No | |
| Establish procedures for sharing results of assessments or audits. | No | |
| Establish procedures for sharing organization-defined information. | No | |
| Set up monitoring processes and tools to monitor and review the agreements and procedures. | No | |

| SR-10 Inspection of Systems or Components | Implemented? | Comments |
|---|---|---|
| Identify the systems or system components to be inspected. | No | |
| Determine the frequency of inspections. | No | |
| Establish indications of need for inspection. | No | |
| Perform inspections at random or at the specified frequency. | No | |
| Detect any tampering with the systems or system components. | No | |

SR-11 Component
Authenticity Implemented? Comments

267 | P a g e
Research and develop an anti-
counterfeit policy and
procedures. No
Establish a means to detect and
prevent counterfeit
components from entering the
system. No
Determine the source of
counterfeit components. No
Identify external reporting
organizations to report
counterfeit system
components. No
Identify personnel or roles
responsible for reporting
counterfeit system
components. No
Implement the anti-counterfeit
policy and procedures. No
Setup up monitoring processes
and tools for and review the
policy and procedures for
effectiveness. No
Report counterfeit system
components to the identified
external reporting organizations
and personnel or roles. No

SR-11(1) Component Authenticity | Anti-counterfeit Training
Checklist item | Implemented? | Comments
Identify personnel or roles to be trained. | No |
Develop training materials on how to detect counterfeit system components. | No |
Schedule and conduct training sessions for the identified personnel or roles. | No |
Evaluate the effectiveness of the training sessions. | No |
Document the training results. | No |

SR-11(2) Component Authenticity | Configuration Control for Component Service and Repair
Checklist item | Implemented? | Comments
Identify the system components that need to be serviced or repaired. | No |
Create a list of the system components that need to be serviced or repaired. | No |
Establish a tracking system to monitor the status of the system components. | No |
Ensure that the system components are properly labeled and tracked. | No |
Document the configuration of the system components before they are serviced or repaired. | No |
Set up monitoring processes and tools for the progress of the servicing or repair of the system components. | No |
Document the configuration of the system components after they are serviced or repaired. | No |
Ensure that the system components are returned to service in accordance with the organization's policies and procedures. | No |
Set up monitoring processes and tools for the return of the system components to service. | No |
Maintain records of the servicing or repair of the system components. | No |
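The configuration-control steps above (document the configuration before and after service, track status, and return the component only in accordance with policy) as an added Python example; it is not part of this checklist, and the ServiceRecord type, the verify_return_to_service check, and the line-card attributes and work order are constructed for illustration:

```python
# Added example (not from the checklist): SR-11(2) configuration control for a
# component sent out for service. Record the configuration before release,
# record it again on return, and clear the component for service only when
# every change matches what the work order approved. All values are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Snapshot = Dict[str, str]  # attribute -> value (firmware, hash, ports, ...)


@dataclass
class ServiceRecord:
    component_id: str
    pre_service: Snapshot             # documented before the component leaves
    approved_changes: Dict[str, str]  # attribute -> value the work order permits
    post_service: Snapshot = field(default_factory=dict)
    status: str = "awaiting-service"  # tracking-system state for the component


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Tuple[str, str, str]]:
    """(attribute, before, after) for every attribute that differs; attributes
    present on only one side are reported with '<absent>' on the other."""
    keys = sorted(set(before) | set(after))
    return [(k, before.get(k, "<absent>"), after.get(k, "<absent>"))
            for k in keys if before.get(k) != after.get(k)]


def verify_return_to_service(rec: ServiceRecord) -> Tuple[bool, List[str]]:
    """Every post-service difference must equal an approved change exactly;
    anything else holds the component for review. Returns (cleared, findings)."""
    findings = []
    for attr, before, after in diff_snapshots(rec.pre_service, rec.post_service):
        if rec.approved_changes.get(attr) == after:
            continue  # the repair the work order asked for
        findings.append(f"{rec.component_id}: {attr} {before!r} -> {after!r} not approved")
    rec.status = "returned-to-service" if not findings else "held-for-review"
    return (not findings, findings)


def sample_card() -> ServiceRecord:
    """Constructed sample: a line card sent out for an approved firmware update."""
    rec = ServiceRecord(
        component_id="linecard-07",
        pre_service={"serial": "LC7-0001", "fw_version": "4.2.1",
                     "fw_hash": "aaaa1111", "mgmt_port": "disabled"},
        approved_changes={"fw_version": "4.2.3", "fw_hash": "bbbb2222"},
    )
    # On return the firmware matches the work order, but the management port
    # came back enabled, which nothing in the work order allowed.
    rec.post_service = {"serial": "LC7-0001", "fw_version": "4.2.3",
                        "fw_hash": "bbbb2222", "mgmt_port": "enabled"}
    return rec
```

Running verify_return_to_service(sample_card()) holds the card for review because of the unapproved management-port change, even though the firmware update itself is exactly what was authorized.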

SR-12 Component Disposal
Checklist item | Implemented? | Comments
Identify the data, documentation, tools, or system components that need to be disposed of. | No |
Determine the organization-defined techniques and methods for disposal. | No |
Create a plan for the disposal of the data, documentation, tools, or system components. | No |
Implement the plan for disposal. | No |
Set up monitoring processes and tools for the disposal process to ensure it is completed in accordance with the plan. | No |
Document the disposal process. | No |
Verify that the disposal process was successful. | No |

Baseline - Moderate

SR-6 Supplier Assessments and Reviews
Checklist item | Implemented? | Comments
Identify potential suppliers or contractors and the system, system component, or system service they provide. | No |
Analyze the supply chain-related risks associated with the identified suppliers or contractors and the system, system component, or system service they provide. | No |
Develop a plan to assess and review the identified risks. | No |
Execute the plan to assess and review the identified risks. | No |
Document the results of the assessment and review. | No |
Develop and implement mitigation strategies for any identified risks. | No |
Set up monitoring processes and tools for the effectiveness of the mitigation strategies. | No |
Repeat the assessment and review process at the organization-defined frequency. | No |

Baseline - High

SR-9 Tamper Resistance and Detection
Checklist item | Implemented? | Comments
Identify the system, system component, or system service that needs tamper protection. | No |
Assess the current security measures in place for the system, system component, or system service. | No |
Develop a tamper protection plan based on the assessment. | No |
Implement the tamper protection plan. | No |
Set up monitoring processes and tools for the system, system component, or system service to detect any suspicious activity. | No |
Update the tamper protection plan as needed. | No |
Test the tamper protection plan to ensure it is effective. | No |
Document the tamper protection plan and any changes made. | No |
Train personnel on the tamper protection plan. | No |
Regularly review the tamper protection plan to ensure it is up to date. | No |

SR-9(1) Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle
Checklist item | Implemented? | Comments
Identify the system requirements and design specifications. | No |
Establish an anti-tamper policy and strategy. | No |
Develop anti-tamper techniques and tools. | No |
Implement anti-tamper techniques and tools into the system development life cycle. | No |
Test and validate the anti-tamper techniques and tools. | No |
Set up monitoring processes and tools for, and review, the anti-tamper techniques and tools. | No |
Update the anti-tamper policy and strategy as needed. | No |