NIST SP 800-53 Rev 5 Controls
Develop, document, and disseminate an access control policy and procedures to facilitate implementation of the access control policy and controls.
Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations. Establish account types, assign account managers, and require approval for account creation.
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on applicable policy.
Separate duties of individuals as necessary to prevent malicious activity, define authorized access for each individual, and document separation of duties.
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
Enforce a limit of consecutive invalid logon attempts by a user during a specified time period, and automatically lock or delay the account when the maximum number of unsuccessful attempts is exceeded.
Display an approved system use notification message or banner before granting access to the system.
Notify the user, upon successful logon, of the date and time of the last logon and the number of unsuccessful logon attempts since the last successful logon.
Limit the number of concurrent sessions for each account and/or account type.
Prevent further access to the system by initiating a session lock after a period of inactivity or upon receiving a request from a user.
Automatically terminate a user session after defined conditions or trigger events.
Identify and document user actions that can be performed on the system without identification or authentication consistent with organizational missions/business functions.
Support and maintain the binding of security and privacy attributes to information in storage, in process, and in transmission.
Establish and document usage restrictions, configuration and connection requirements, and implementation guidance for remote access. Authorize remote access prior to allowing such connections.
Establish usage restrictions, configuration and connection requirements, and implementation guidance for wireless access. Authorize wireless access to the system prior to allowing such connections.
Establish usage restrictions, configuration requirements, connection requirements, and implementation guidance for mobile devices. Authorize the connection of mobile devices to organizational systems.
Establish terms and conditions for authorized individuals to access the system from external systems. Permit access only when there is authorized use and restrictions are consistent with mission and business needs.
Enable authorized users to determine whether access authorizations assigned to sharing partners match the access restrictions on the information for proposed information-sharing transactions.
Designate individuals authorized to post publicly accessible information on organizational systems. Train authorized individuals to ensure information does not contain nonpublic information.
Employ data mining prevention and detection techniques to protect against unauthorized data mining.
Establish procedures to ensure access control decisions are applied consistent with organizational access control policy wherever possible.
Implement a reference monitor for enforcing access control policies that is tamperproof, always invoked, and small enough to be subject to analysis and testing.
Develop, document, and disseminate an awareness and training policy and procedures to facilitate implementation of the awareness and training controls.
Provide security and privacy literacy training to system users as part of initial training and when required by system changes. Employ security and privacy awareness techniques.
Provide role-based security and privacy training to personnel with assigned security and privacy roles and responsibilities before authorizing access, when required, and at defined frequency.
Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training.
Establish and institutionalize contact with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel.
Provide feedback on organizational training results to defined personnel at a defined frequency.
Develop, document, and disseminate an audit and accountability policy and procedures to facilitate implementation of the audit and accountability controls.
Identify the types of events that the system is capable of logging in support of the audit function and coordinate the event logging function with other organizations requiring audit-related information.
Ensure that audit records contain information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals, subjects, or objects associated with the event.
Allocate audit log storage capacity to accommodate audit log retention requirements and configure auditing to reduce the likelihood of capacity being exceeded.
Alert personnel in the event of an audit logging process failure and take defined actions to be implemented when audit logging process failures are detected.
Review and analyze system audit records at a defined frequency for indications of inappropriate or unusual activity. Report findings to designated organizational officials and take appropriate actions.
Provide and implement an audit record reduction and report generation capability that supports analysis and reporting requirements.
Use internal system clocks to generate time stamps for audit records and record time stamps that meet defined granularity requirements for time measurement.
Protect audit information and audit tools from unauthorized access, modification, and deletion. Alert defined personnel in the event that the audit log protection mechanisms are bypassed.
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed a specified action on the system.
Retain audit records for a defined time period to provide support for after-the-fact investigations of security incidents.
Provide audit record generation capability for the event types defined and allow designated organizational personnel to select which auditable events are to be audited by specific components.
Monitor open-source information and information sites for evidence of unauthorized disclosure of organizational information.
Provide and implement the capability for authorized users to select a user session to capture and log the content.
Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements defined alternate audit logging requirements.
Employ methods for coordinating audit information with external organizations when audit information is transmitted across organizational boundaries.
Develop, document, and disseminate an assessment, authorization, and monitoring policy and procedures to facilitate implementation of the assessment, authorization, and monitoring controls.
Select the appropriate assessor or assessment team and develop, review, and update a plan for assessing the security and privacy controls employed within or inherited by the system.
Approve and manage the exchange of information between the system and other systems using interconnection security agreements, information exchange security agreements, or memoranda of understanding.
(Withdrawn: Incorporated into CA-2.)
Develop a plan of action and milestones for the system to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities.
Assign a senior official as the authorizing official for the system; ensure that the authorizing official authorizes the system for processing before commencing operations and updates the authorization.
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy.
Conduct penetration testing at a defined frequency on defined systems or system components.
Authorize internal connections of system components or classes of components to the system; document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated.
Develop, document, and disseminate a configuration management policy and procedures to facilitate implementation of the configuration management controls.
Develop, document, and maintain under configuration control a current baseline configuration of the system. Review and update the baseline configuration at a defined frequency.
Determine and document the types of changes to the system that are configuration-controlled. Review proposed configuration-controlled changes and approve or disapprove such changes.
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements.
Configure the system to provide only essential capabilities by prohibiting or restricting the use of functions, ports, protocols, software, and services not required.
Develop and document an inventory of system components that accurately reflects the system; is consistent with the authorization boundary; is at the level of granularity deemed necessary; and is reviewed and updated at a defined frequency.
Develop, document, and implement a configuration management plan for the system that addresses roles, responsibilities, and configuration management processes and procedures.
Use software and associated documentation in accordance with contract agreements and copyright laws. Track the use of software protected by quantity licenses.
Establish a policy governing the installation of software by users. Enforce software installation policies through automated methods.
Identify and document the location of information and the specific system components on which the information is processed and stored.
Develop and document a map of system data actions.
Prevent the installation of software without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
Develop, document, and disseminate a contingency planning policy and procedures to facilitate implementation of the contingency planning controls.
Develop a contingency plan for the system that identifies essential missions and business functions; provides recovery objectives, restoration priorities, and metrics; addresses contingency roles and responsibilities; and is maintained.
Provide contingency training to system users consistent with assigned roles and responsibilities and at defined frequencies.
Test the contingency plan for the system at a defined frequency using defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan.
(Withdrawn: Incorporated into CP-2.)
Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information. Ensure that the alternate storage site provides information security safeguards equivalent to those of the primary site.
Establish an alternate processing site including necessary agreements to permit the transfer and resumption of operations for essential missions and business functions within a defined time period.
Establish alternate telecommunications services to resume operations for essential missions and business functions within a defined time period when the primary telecommunications capabilities are unavailable.
Conduct backups of user-level information, system-level information, and system documentation at defined frequencies. Protect the confidentiality, integrity, and availability of backup information.
Provide for the recovery and reconstitution of the system to a known state within a defined time period after a disruption, compromise, or failure.
Provide the capability to employ alternate communications protocols in support of maintaining continuity of operations.
When anomalies are detected, enter a safe mode of operation with restricted capability that employs limited or reduced functionality as a response.
Employ alternative or supplemental security mechanisms for satisfying security requirements when the primary means of implementing a security requirement is unavailable or compromised.
Develop, document, and disseminate an identification and authentication policy and procedures to facilitate implementation of the identification and authentication controls.
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. Implement multi-factor authentication for privileged and non-privileged accounts.
Uniquely identify and authenticate devices before establishing connections to the system.
Manage system identifiers by receiving authorization from designated organizational officials to assign an identifier; selecting an identifier that identifies an individual, group, role, service, or device; assigning the identifier; and preventing reuse.
Manage system authenticators by verifying the identity of the individual, group, role, service, or device receiving the authenticator; establishing initial authenticator content; ensuring authenticators have sufficient strength; and establishing administrative procedures for compromised authenticators.
Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation by unauthorized individuals.
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
Uniquely identify and authenticate services before establishing communications with those services.
Require individuals accessing the system to employ supplemental authentication techniques or mechanisms under specific circumstances or when defined conditions are met.
Require users to re-authenticate when defined circumstances or situations requiring re-authentication occur.
Identity proof users that require accounts for logical access to systems based on defined identity proofing requirements. Resolve user identities to a unique individual.
Require that the registration and credential issuance process be conducted in person or by a trusted third party before a given registration authority with a defined level of assurance.
Develop, document, and disseminate an incident response policy and procedures to facilitate implementation of the incident response controls.
Provide incident response training to system users consistent with assigned roles and responsibilities and at defined frequencies.
Test the incident response capability for the system at a defined frequency using defined tests to determine the incident response effectiveness and document the results.
Implement an incident handling capability for incidents that includes preparation, detection and analysis, containment, eradication, and recovery. Coordinate incident handling activities with contingency planning activities.
Track and document incidents. Use automated mechanisms to assist in the tracking of security incidents.
Require personnel to report suspected incidents to the organizational incident response capability within a defined time period. Report incident information to defined authorities.
Provide an incident response support resource integral to the organizational incident response capability that offers advice and assistance to users of the system for the handling and reporting of incidents.
Develop an incident response plan that provides the organization with a roadmap for implementing its incident response capability; describes the structure and organization of the incident response capability; and is reviewed and updated at a defined frequency.
Respond to information spills by identifying the specific information involved in the system contamination; alerting personnel with a need to know; and eradicating the information from the system.
Establish an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
Develop, document, and disseminate a maintenance policy and procedures to facilitate implementation of the maintenance controls.
Schedule, document, and review records of maintenance and repairs on system components. Approve and monitor all maintenance activities, whether performed on site or remotely. Require that all maintenance personnel have required access authorizations.
Approve, control, and monitor the use of system maintenance tools. Inspect all maintenance tools for improper or unauthorized modifications before use.
Approve and monitor nonlocal maintenance and diagnostic activities. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy. Require strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel. Ensure that personnel without required access authorizations are escorted and supervised.
Obtain maintenance support and spare parts for defined system components within a defined time period of failure.
Develop, document, and disseminate a media protection policy and procedures to facilitate implementation of the media protection controls.
Restrict access to defined types of digital and non-digital media to authorized individuals using defined security safeguards.
Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.
Physically control and securely store defined types of digital and non-digital media within defined controlled areas using defined security measures.
Protect and control system media during transport outside of controlled areas using defined security measures and maintain accountability for system media during transport outside of controlled areas.
Sanitize system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse using defined sanitization techniques and procedures.
Restrict or prohibit the use of defined types of system media on defined systems or system components using defined security safeguards.
Establish a process for media downgrading that includes the required steps to downgrade the media and the tracking and verification of downgrading actions.
Develop, document, and disseminate a physical and environmental protection policy and procedures to facilitate implementation of the physical and environmental protection controls.
Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides. Issue authorization credentials for facility access.
Enforce physical access authorizations at defined entry and exit points to the facility. Verify individual access authorizations before granting access to the facility.
Control physical access to system distribution and transmission lines within organizational facilities using defined security controls.
Control physical access to output from system output devices to prevent unauthorized individuals from obtaining the output.
Monitor physical access to the facility where the system resides to detect and respond to physical security incidents.
Enforce requirements for the authorization, control, and logging of individuals requiring physical access to organizational facilities other than areas designated as publicly accessible.
Maintain visitor access records to the facility where the system resides for a defined period of time. Review visitor access records at a defined frequency.
Protect power equipment and power cabling for the system from damage and destruction.
Provide the capability of shutting off power to system components in emergency situations.
Provide an uninterruptible power supply to facilitate the orderly shutdown of the system in the event of a primary power source loss.
Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption.
Employ and maintain fire detection and suppression systems that are supported by an independent energy source.
Maintain defined environmental control levels within the facility where the system resides. Monitor environmental control levels at a defined frequency.
Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Authorize and control defined types of system components entering and exiting the facility and maintain records of those items.
Determine and implement security controls for alternate work sites.
Position system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
Protect the system from information leakage due to electromagnetic signal emanations.
Employ defined asset location technologies to track and monitor the location and movement of assets within defined controlled areas.
Employ defined hardening and shielding protection measures against electromagnetic pulse (EMP) for defined systems and system components.
Mark defined system hardware components using defined marking methods.
Plan the location or site of the facility where the system resides with regard to physical and environmental hazards.
Develop, document, and disseminate a planning policy and procedures to facilitate implementation of the planning controls.
Develop security and privacy plans for the system that describe the security and privacy controls in place or planned for the system; review plans at a defined frequency; update plans to address changes.
(Withdrawn: Incorporated into PL-2.)
Establish, and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage.
(Withdrawn: Incorporated into RA-8.)
(Withdrawn: Incorporated into PL-2.)
Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from an information security and privacy perspective.
Develop security and privacy architectures for the system that describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information.
Centrally manage defined controls and related processes.
Select a control baseline for the system.
Tailor the selected control baseline by applying specified tailoring actions.
Develop and disseminate an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the program management controls and common controls in place or planned.
Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Include the resources needed to implement the information security and privacy programs in capital planning and investment requests.
Implement a process for ensuring that plans of action and milestones for the security and privacy programs and associated organizational systems are developed and maintained.
Develop and update at a defined frequency an inventory of organizational systems.
Develop, monitor, and report on the results of information security and privacy measures of performance.
Develop an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations, assets, individuals, and other organizations.
Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Develop a comprehensive strategy to manage security and privacy risk to organizational operations and assets, individuals, other organizations, and the Nation.
Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes.
Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations.
Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
Establish a security and privacy workforce development and improvement program.
Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems are developed and maintained.
Establish and institutionalize contact with selected groups and associations within the security and privacy communities to facilitate ongoing education and training for organizational personnel.
Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.
Establish a process for ensuring that organizational plans for managing controlled unclassified information on external systems are developed and maintained.
Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency's privacy program and the privacy controls in place or planned for meeting applicable requirements.
Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement applicable privacy requirements and manage privacy risks.
Implement specific measures to disseminate information about the organization's privacy program and practices.
Develop and maintain an accurate accounting of disclosures of personally identifiable information (PII).
Develop and document policies and procedures that address the quality and integrity of PII.
Appoint a data governance body consisting of key stakeholders with the authority, accountability, and governance roles for organizational data.
Establish a Data Integrity Board to review proposals for the creation of matching programs and for the maintenance of all matching agreements and waivers.
Develop, document, and implement policies and procedures that minimize the use of PII for testing, training, and research.
Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices that includes establishment of a written response process.
Develop and disseminate defined privacy reports to oversight bodies.
Identify and document assumptions and constraints regarding risk so that risk-based decisions remain consistent across the organization.
Appoint a Risk Executive (function) to lead and coordinate the risk management program across the organization.
Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services.
Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs.
Analyze defined systems or system components supporting defined mission and business functions to identify other systems or components that are performing the same or similar functions.
Develop, document, and disseminate a personnel security policy and procedures to facilitate implementation of the personnel security controls.
Assign a risk designation to all organizational positions and establish screening criteria for individuals filling those positions. Review and update position risk designations at a defined frequency.
Screen individuals prior to authorizing access to the system and re-screen individuals according to defined conditions requiring re-screening and, where re-screening is so indicated, at a defined frequency.
Upon termination of individual employment, disable system access within a defined time period; terminate or revoke any authenticators and credentials; and conduct exit interviews that include discussion of information security topics.
Review and confirm ongoing operational need for current logical and physical access authorizations to systems when individuals are reassigned or transferred to other positions.
Develop and document access agreements for organizational systems; review and update the access agreements at a defined frequency; and ensure that individuals requiring access sign appropriate access agreements.
Establish personnel security requirements, including security roles and responsibilities, for external providers; require external providers to comply with personnel security policies and procedures established by the organization.
Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures.
Establish and maintain position descriptions that include information security and privacy roles and responsibilities.
Develop, document, and disseminate a personally identifiable information processing and transparency policy and procedures to facilitate implementation of the PII processing and transparency controls.
Determine and document the authority that permits the processing of PII. Restrict the processing of PII to only that which is authorized.
Identify and document the purpose or purposes for which PII is processed. Describe the purpose for processing PII in privacy notices and other appropriate documentation.
Implement mechanisms to support the ability to request consent to process PII prior to its collection that include a means for individuals to revoke consent.
Provide notice to individuals about the processing of PII that includes information about the authority, purpose, and conditions under which PII is processed and the rights of individuals.
Publish a system of records notice in the Federal Register upon establishment or revision of a system of records.
Apply defined processing conditions for specific categories of PII.
When a matching program is used, obtain approval from the Data Integrity Board and publish a matching agreement in the Federal Register.
Develop, document, and disseminate a risk assessment policy and procedures to facilitate implementation of the risk assessment controls.
Categorize the system and information it processes, stores, and transmits consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Conduct a risk assessment that includes the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; update the risk assessment at a defined frequency or when there are significant changes.
(Withdrawn: Incorporated into RA-3.)
Monitor and scan for vulnerabilities in the system and hosted applications at a defined frequency and when new vulnerabilities potentially affecting the system are identified; remediate vulnerabilities in accordance with the risk assessment.
Employ a technical surveillance countermeasures survey at defined locations.
Respond to findings from security and privacy assessments, monitoring, and audits consistent with organizational risk tolerance.
Conduct privacy impact assessments for systems, programs, or other activities that process PII.
Identify critical system components and functions by performing a criticality analysis for a defined set of systems, system components, or system services at defined decision points.
Employ a threat hunting capability to search for indicators of compromise in organizational systems, develop and refine threat hunting hypotheses, and employ defined threat hunting techniques.
Develop, document, and disseminate a system and services acquisition policy and procedures to facilitate implementation of the system and services acquisition controls.
Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; determine, document, and allocate the resources required to protect the system.
Acquire, develop, and manage the system using a system development life cycle that incorporates information security and privacy considerations; define and document information security and privacy roles and responsibilities throughout the SDLC.
Include security and privacy functional requirements, strength and assurance requirements, documentation requirements, and other requirements in acquisition contracts for systems, components, or services.
Obtain or develop administrator documentation for the system, system component, or system service that describes secure configuration, installation, and operation; effective use and maintenance; and known vulnerabilities.
(Withdrawn: Incorporated into CM-10 and SI-7.)
(Withdrawn: Incorporated into CM-11 and SI-7.)
Apply security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components.
Require that providers of external system services comply with organizational security and privacy requirements and employ defined controls; define and document organizational oversight and user roles for external system services.
Require the developer of the system, system component, or system service to perform configuration management during design, development, implementation, and operation.
Require the developer of the system, system component, or system service to implement a security and privacy assessment plan; perform unit, integration, system, and regression testing; and produce evidence of the execution of the plan.
(Withdrawn: Incorporated into the SR family.)
(Withdrawn: Incorporated into SA-8.)
(Withdrawn: Incorporated into RA-9.)
Require the developer of the system, system component, or system service to follow a documented development process that explicitly addresses security and privacy requirements, and review and assess the development process at a defined frequency.
Require the developer of the system, system component, or system service to provide training on the correct use and operation of the implemented security and privacy functions, controls, and mechanisms.
Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that provides high-level design and detailed design of the security and privacy functionality.
(Withdrawn: Incorporated into SA-19.)
Develop and implement anti-counterfeit policy and procedures that include: identifying counterfeit components, inspecting components, using component traceability, and reporting suspected counterfeit components.
Reimplement or custom develop defined critical system components.
Require that the developer of defined systems, system components, or system services satisfy security requirements under defined conditions for personnel screening.
Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer or provide defined alternative sources for continued support.
Employ defined specialization techniques in the specification, design, and implementation of the system and system components.
Develop, document, and disseminate a system and communications protection policy and procedures to facilitate implementation of the system and communications protection controls.
Separate user functionality, including user interface services, from system management functionality.
Isolate security functions from non-security functions.
Prevent unauthorized and unintended information transfer via shared system resources.
Protect against or limit the effects of denial-of-service events including defined types of denial-of-service events.
Protect the availability of resources by allocating defined resources by priority, quota, and/or other defined security safeguards.
Monitor and control communications at the external boundary of the system and at key internal boundaries within the system; implement subnetworks for publicly accessible system components.
Implement cryptographic or alternative physical safeguards to protect the confidentiality and integrity of transmitted information.
(Withdrawn: Incorporated into SC-8.)
Terminate the network connection associated with a communications session at the end of the session or after a defined time period of inactivity.
Provide a trusted communications path between the user and defined security functions of the system.
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with requirements for key generation, distribution, storage, access, and destruction.
Implement FIPS-validated or NSA-approved cryptography for defined cryptographic uses.
(Withdrawn: Incorporated into AC-2, AC-3, AC-5, SI-3, and SI-7.)
Prohibit remote activation of collaborative computing devices and applications, with defined exceptions, and provide an explicit indication of use to users physically present at the devices.
Associate defined security and privacy attributes with information exchanged between systems and between system components.
Issue public key certificates under a defined certificate policy or obtain public key certificates from an approved service provider.
Define acceptable and unacceptable mobile code and mobile code technologies; authorize, monitor, and control the use of mobile code within the system.
Establish usage restrictions and implementation guidelines for VoIP technologies based on the potential to cause damage to the system if used maliciously.
Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data.
Request and perform data origin authentication and data integrity verification on the name/address resolution responses received from authoritative sources.
Ensure the systems that collectively provide name/address resolution service for an organization are fault tolerant and implement internal/external role separation.
Protect the authenticity of communications sessions.
Fail to a defined known state for defined types of system failures while preserving defined system state information in the event of failure.
Employ minimal functionality and information storage on defined system components.
Include components that are specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
Include defined platform-independent applications within the system.
Protect the confidentiality and integrity of information at rest.
Employ a diverse set of information technologies for defined system components in the implementation of the system.
Employ defined concealment and misdirection techniques for defined systems at defined times to confuse and mislead adversaries.
Perform a covert channel analysis to identify those aspects of communications that are potential avenues for covert storage and timing channels.
Partition the system into defined components residing in separate physical domains or environments based on defined circumstances.
(Withdrawn: Incorporated into SC-8.)
For defined system components, load and execute the operating environment from hardware-enforced read-only media and load and execute defined applications from hardware-enforced read-only media.
Include system components that proactively seek to identify network-based malicious code or malicious websites.
Distribute defined processing and storage components across multiple defined locations.
Employ defined out-of-band channels for the physical delivery or electronic transmission of defined information, system components, or devices to defined individuals or systems.
Employ operations security controls to protect key organizational information throughout the system development life cycle.
Maintain a separate execution domain for each executing system process.
Protect external and internal wireless links from the following signal parameter attacks: jamming and interception.
Enforce physical controls to prevent unauthorized connection of devices to organization-defined physical ports and I/O interfaces on systems.
Prohibit the use of devices possessing defined environmental sensing capabilities in defined facilities, areas, or systems and notify defined individuals explicitly of the use of such devices.
Establish usage restrictions and implementation guidelines for defined technologies and prohibit use of these technologies when such use is not authorized.
Employ a detonation chamber capability within organizational systems.
Synchronize system clocks within and between systems and system components.
Employ a cross domain solution in defined systems and components.
Establish defined alternate communications paths for system operations and organizational command and control.
Relocate defined sensors and monitoring capabilities to defined locations under defined conditions.
Implement hardware-enforced separation and policy enforcement mechanisms between defined security domains.
Implement software-enforced separation and policy enforcement mechanisms between defined security domains.
Employ hardware-based write-protect for defined system firmware components and employ defined hardware protection measures for defined systems.
Develop, document, and disseminate a system and information integrity policy and procedures to facilitate implementation of the system and information integrity controls.
Identify, report, and correct information system flaws; test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; install security-relevant software updates within a defined time period.
Implement malicious code protection mechanisms at defined system entry and exit points and configure the mechanisms to perform periodic scans of the system and real-time scans of files from external sources.
Monitor the system to detect attacks, indicators of potential attacks, and unauthorized connections; identify unauthorized use of the system through defined techniques and methods.
Receive system security alerts, advisories, and directives from defined external organizations on an ongoing basis; generate internal security alerts, advisories, and directives; disseminate to defined personnel or roles.
Verify the correct operation of defined security and privacy functions; perform verification of functions at defined system transitional states and notify defined personnel of failed verifications.
Employ integrity verification tools to detect unauthorized changes to defined software, firmware, and information.
Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages.
(Withdrawn: Incorporated into AC-2, AC-3, AC-5, and AC-6.)
Check the validity of defined information inputs to the system.
Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited.
Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and operational requirements.
Determine the mean time to failure for defined system components in specific environments of operation and provide substitute or spare components with the capability to transfer duties when the primary component reaches a defined percentage of mean time to failure.
Implement non-persistent defined system components and services that are initiated in a known state and terminated at the end of each session or when no longer needed.
Validate information output from defined software programs and/or applications to ensure that the information is consistent with the expected content.
Implement the following controls to protect the system memory from unauthorized code execution: data execution prevention and address space layout randomization.
Implement defined fail-safe procedures when defined failure conditions occur.
Check the accuracy, relevance, timeliness, and completeness of PII across the information life cycle and correct or delete inaccurate or outdated PII.
Remove the following identifiers from datasets to the extent feasible: direct identifiers and quasi-identifiers with high risk of re-identification.
Embed data or capabilities in defined systems or system components to determine whether organizational data has been exfiltrated or improperly removed from the organization.
Refresh defined information at a defined frequency from a trusted source.
Implement defined concealment controls for defined system components and information.
Fragment defined information and distribute fragmented components across multiple defined locations with the capability to reconstruct the information when needed.
Develop, document, and disseminate a supply chain risk management policy and procedures to facilitate implementation of the supply chain risk management controls.
Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the system.
Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of the system.
Document and maintain provenance information, including origin, development, acquisition, implementation, and deployment of all systems, system components, and associated data.
Employ defined acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks for the system, system components, or system services.
Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide.
Employ operations security controls to protect supply chain-related information for the system, system component, or system service.
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for notification of supply chain compromises and results of assessments or audits.
Implement tamper protection measures to detect and respond to physical tampering of the system, system component, or system service throughout the system development life cycle.
Inspect defined systems or system components at random, at a defined frequency, upon receipt of the item, upon installation, or when there is an indication of tampering.
Develop and implement anti-counterfeit policy and procedures that include: means to detect counterfeit components and report suspected counterfeits to defined personnel.
Dispose of, destroy, or repurpose system components using techniques and methods that prevent component reuse.