Title | Enhancement | Confidentiality L | Confidentiality M | Confidentiality H | Integrity L | Integrity M | Integrity H | Availability L | Availability M | Availability H |
---|---|---|---|---|---|---|---|---|---|---|
Account Management | ||||||||||
Account Management | Automated System Account Management | ||||||||||
Account Management | Removal Of Temporary / Emergency Accounts | ||||||||||
Account Management | Disable Inactive Accounts | ||||||||||
Account Management | Automated Audit Actions | ||||||||||
Account Management | Inactivity Logout | ||||||||||
Account Management | Role-Based Schemes | ||||||||||
Collaborative Computing Devices | Blocking Inbound / Outbound Communications Traffic | ||||||||||
Account Management | Restrictions On Use Of Shared / Group Accounts | ||||||||||
Account Management | Shared / Group Account Credential Termination | ||||||||||
Account Management | Usage Conditions | ||||||||||
Account Management | Account Monitoring / Atypical Usage | ||||||||||
Access Enforcement | ||||||||||
Access Enforcement | Restricted Access To Privileged Functions | ||||||||||
Access Enforcement | Dual Authorization | ||||||||||
Information Flow Enforcement | Security Attribute Binding | ||||||||||
Access Enforcement | Security-Relevant Information | ||||||||||
Access Enforcement | Protection Of User And System Information | ||||||||||
Access Enforcement | Role-Based Access Control | ||||||||||
Access Enforcement | Revocation Of Access Authorizations | ||||||||||
Access Enforcement | Audited Override Of Access Control Mechanisms | ||||||||||
Least Privilege | Separate Processing Domains | ||||||||||
Information Flow Enforcement | Object Security Attributes | ||||||||||
Information Flow Enforcement | Dynamic Information Flow Control | ||||||||||
Information Flow Enforcement | Content Check Encrypted Information | ||||||||||
Information Flow Enforcement | Embedded Data Types | ||||||||||
Information Flow Enforcement | Metadata | ||||||||||
Information Flow Enforcement | One-Way Flow Mechanisms | ||||||||||
Session Authenticity | Unique Session Identifiers With Randomization | ||||||||||
Information Flow Enforcement | Human Reviews | ||||||||||
Information Flow Enforcement | Enable / Disable Security Policy Filters | ||||||||||
Information Flow Enforcement | Configuration Of Security Policy Filters | ||||||||||
Information Flow Enforcement | Data Type Identifiers | ||||||||||
Information Flow Enforcement | Decomposition Into Policy-Relevant Subcomponents | ||||||||||
Information Flow Enforcement | Security Policy Filter Constraints | ||||||||||
Information Flow Enforcement | Detection Of Unsanctioned Information | ||||||||||
Information Flow Enforcement | Information Transfers On Interconnected Systems | ||||||||||
Information Flow Enforcement | Domain Authentication | ||||||||||
Information Flow Enforcement | Approved Solutions | ||||||||||
Information Flow Enforcement | Physical / Logical Separation Of Information Flows | ||||||||||
Information Flow Enforcement | Access Only | ||||||||||
Least Privilege | ||||||||||
Least Privilege | Non-Privileged Access For Nonsecurity Functions | ||||||||||
Least Privilege | Network Access To Privileged Commands | ||||||||||
Identification And Authentication (Organizational Users) | Network Access To Non-Privileged Accounts - Separate Device | ||||||||||
Least Privilege | Privileged Access By Non-Organizational Users | ||||||||||
Least Privilege | Review Of User Privileges | ||||||||||
Least Privilege | Privilege Levels For Code Execution | ||||||||||
Least Privilege | Auditing Use Of Privileged Functions | ||||||||||
Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions | ||||||||||
Unsuccessful Logon Attempts | Automatic Account Lock | ||||||||||
Unsuccessful Logon Attempts | Purge / Wipe Mobile Device | ||||||||||
Previous Logon (Access) Notification | ||||||||||
Previous Logon (Access) Notification | Unsuccessful Logons | ||||||||||
Previous Logon (Access) Notification | Successful / Unsuccessful Logons | ||||||||||
Previous Logon (Access) Notification | Notification Of Account Changes | ||||||||||
Previous Logon (Access) Notification | Additional Logon Information | ||||||||||
Concurrent Session Control | ||||||||||
Session Lock | ||||||||||
Session Lock | Pattern-Hiding Displays | ||||||||||
Supervision And Review - Access Control | ||||||||||
Permitted Actions Without Identification Or Authentication | Necessary Uses | ||||||||||
Automated Marking | ||||||||||
Security Attributes | ||||||||||
Security Attributes | Dynamic Attribute Association | ||||||||||
Security Attributes | Attribute Value Changes By Authorized Individuals | ||||||||||
Security Attributes | Maintenance Of Attribute Associations By Information System | ||||||||||
Security Attributes | Association Of Attributes By Authorized Individuals | ||||||||||
Security Attributes | Attribute Displays For Output Devices | ||||||||||
Security Attributes | Maintenance Of Attribute Association By Organization | ||||||||||
Remote Access | Disable Nonsecure Network Protocols | ||||||||||
Device Identification And Authentication | Cryptographic Bidirectional Network Authentication | ||||||||||
Security Attributes | Attribute Reassignment | ||||||||||
Security Attributes | Attribute Configuration By Authorized Individuals | ||||||||||
Remote Access | Automated Monitoring / Control | ||||||||||
Remote Access | Protection Of Confidentiality / Integrity Using Encryption | ||||||||||
Remote Access | Managed Access Control Points | ||||||||||
Remote Access | Privileged Commands / Access | ||||||||||
Remote Access | Monitoring For Unauthorized Connections | ||||||||||
Remote Access | Protection Of Information | ||||||||||
Remote Access | Additional Protection For Security Function Access | ||||||||||
Wireless Access | ||||||||||
Wireless Access | Authentication And Encryption | ||||||||||
Wireless Access | Monitoring Unauthorized Connections | ||||||||||
Wireless Access | Disable Wireless Networking | ||||||||||
Wireless Access | Restrict Configurations By Users | ||||||||||
Access Control For Mobile Devices | ||||||||||
Access Control For Mobile Devices | Use Of Writable / Portable Storage Devices | ||||||||||
Access Control For Mobile Devices | Use Of Personally Owned Portable Storage Devices | ||||||||||
Access Control For Mobile Devices | Use Of Portable Storage Devices With No Identifiable Owner | ||||||||||
Access Control For Mobile Devices | Restrictions For Classified Information | ||||||||||
Access Control For Mobile Devices | Full Device / Container-Based Encryption | ||||||||||
Use Of External Information Systems | ||||||||||
Use Of External Information Systems | Portable Storage Devices | ||||||||||
Use Of External Information Systems | Network Accessible Storage Devices | ||||||||||
Information Sharing | ||||||||||
Information Sharing | Automated Decision Support | ||||||||||
Information Sharing | Information Search And Retrieval | ||||||||||
Publicly Accessible Content | ||||||||||
Alternate Audit Capability | ||||||||||
Access Control Decisions | ||||||||||
Access Control Decisions | Transmit Access Authorization Information | ||||||||||
Access Control Decisions | No User Or Process Identity | ||||||||||
Role-Based Security Training | Physical Security Controls | ||||||||||
Role-Based Security Training | Practical Exercises | ||||||||||
Security Awareness Training | ||||||||||
Security Awareness Training | Practical Exercises | ||||||||||
Security Awareness Training | Insider Threat | ||||||||||
Role-Based Security Training | ||||||||||
Role-Based Security Training | Environmental Controls | ||||||||||
Security Training Records | ||||||||||
Contacts With Security Groups And Associations | ||||||||||
Audit Events | ||||||||||
Audit Events | Compilation Of Audit Records From Multiple Sources | ||||||||||
Audit Events | Selection Of Audit Events By Component | ||||||||||
Audit Events | Reviews And Updates | ||||||||||
Audit Events | Privileged Functions | ||||||||||
Content Of Audit Records | ||||||||||
Session Audit | ||||||||||
Content Of Audit Records | Centralized Management Of Planned Audit Record Content | ||||||||||
Audit Storage Capacity | ||||||||||
Audit Storage Capacity | Transfer To Alternate Storage | ||||||||||
Response To Audit Processing Failures | Audit Storage Capacity | ||||||||||
Response To Audit Processing Failures | Real-Time Alerts | ||||||||||
Response To Audit Processing Failures | Configurable Traffic Volume Thresholds | ||||||||||
Response To Audit Processing Failures | Shutdown On Failure | ||||||||||
Session Audit | System Start-Up | ||||||||||
Session Audit | Capture/Record And Log Content | ||||||||||
Audit Review, Analysis, And Reporting | Process Integration | ||||||||||
Audit Review, Analysis, And Reporting | Automated Security Alerts | ||||||||||
Audit Review, Analysis, And Reporting | Correlate Audit Repositories | ||||||||||
Audit Review, Analysis, And Reporting | Central Review And Analysis | ||||||||||
Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring | ||||||||||
Audit Review, Analysis, And Reporting | Permitted Actions | ||||||||||
Audit Review, Analysis, And Reporting | Full Text Analysis Of Privileged Commands | ||||||||||
Audit Review, Analysis, And Reporting | Audit Level Adjustment | ||||||||||
Audit Reduction And Report Generation | Automatic Processing | ||||||||||
Audit Reduction And Report Generation | Automatic Sort And Search | ||||||||||
Time Stamps | Synchronization With Authoritative Time Source | ||||||||||
Time Stamps | Secondary Authoritative Time Source | ||||||||||
Protection Of Audit Information | ||||||||||
Session Audit | Remote Viewing / Listening | ||||||||||
Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components | ||||||||||
Protection Of Audit Information | Cryptographic Protection | ||||||||||
Protection Of Audit Information | Access By Subset Of Privileged Users | ||||||||||
Protection Of Audit Information | Dual Authorization | ||||||||||
Protection Of Audit Information | Read Only Access | ||||||||||
Non-Repudiation | Association Of Identities | ||||||||||
Non-Repudiation | Validate Binding Of Information Producer Identity | ||||||||||
Non-Repudiation | Chain Of Custody | ||||||||||
Non-Repudiation | Digital Signatures | ||||||||||
Audit Record Retention | Long-Term Retrieval Capability | ||||||||||
Audit Generation | ||||||||||
Audit Generation | System-Wide / Time-Correlated Audit Trail | ||||||||||
Audit Generation | Standardized Formats | ||||||||||
Audit Generation | Changes By Authorized Individuals | ||||||||||
Monitoring For Information Disclosure | ||||||||||
Monitoring For Information Disclosure | Use Of Automated Tools | ||||||||||
Monitoring For Information Disclosure | Review Of Monitored Sites | ||||||||||
Physical Access Control | Continuous Guards / Alarms / Monitoring | ||||||||||
Cross-Organizational Auditing | Identity Preservation | ||||||||||
Cross-Organizational Auditing | Sharing Of Audit Information | ||||||||||
Security Assessments | ||||||||||
Security Assessments | Independent Assessors | ||||||||||
Configuration Change Control | Cryptography Management | ||||||||||
Security Assessments | External Organizations | ||||||||||
System Interconnections | Unclassified National Security System Connections | ||||||||||
System Interconnections | Classified National Security System Connections | ||||||||||
System Interconnections | Unclassified Non-National Security System Connections | ||||||||||
System Interconnections | Connections To Public Networks | ||||||||||
Access Restrictions For Change | Limit Library Privileges | ||||||||||
Access Restrictions For Change | Automatic Implementation Of Security Safeguards | ||||||||||
Security Certification | ||||||||||
Plan Of Action And Milestones | Automation Support For Accuracy / Currency | ||||||||||
Continuous Monitoring | ||||||||||
Continuous Monitoring | Independent Assessment | ||||||||||
Continuous Monitoring | Types Of Assessments | ||||||||||
Physical Access Control | Lockable Casings | ||||||||||
Penetration Testing | Independent Penetration Agent Or Team | ||||||||||
Penetration Testing | Red Team Exercises | ||||||||||
Internal System Connections | ||||||||||
Internal System Connections | Security Compliance Checks | ||||||||||
Configuration Settings | ||||||||||
Baseline Configuration | ||||||||||
Baseline Configuration | Reviews And Updates | ||||||||||
Baseline Configuration | Automation Support For Accuracy / Currency | ||||||||||
Baseline Configuration | Retention Of Previous Configurations | ||||||||||
Baseline Configuration | Unauthorized Software | ||||||||||
Baseline Configuration | Authorized Software | ||||||||||
Baseline Configuration | Development And Test Environments | ||||||||||
Configuration Settings | Automated Central Management / Application / Verification | ||||||||||
Configuration Change Control | ||||||||||
Configuration Change Control | Automated Document / Notification / Prohibition Of Changes | ||||||||||
Configuration Change Control | Automated Change Implementation | ||||||||||
Configuration Change Control | Security Representative | ||||||||||
Configuration Change Control | Automated Security Response | ||||||||||
Maintenance Tools | Inspect Media | ||||||||||
Security Impact Analysis | Separate Test Environments | ||||||||||
Security Impact Analysis | Verification Of Security Functions | ||||||||||
Access Restrictions For Change | Automated Access Enforcement / Auditing | ||||||||||
Access Restrictions For Change | Review System Changes | ||||||||||
Access Restrictions For Change | Signed Components | ||||||||||
Access Restrictions For Change | Dual Authorization | ||||||||||
Access Restrictions For Change | Limit Production / Operational Privileges | ||||||||||
Configuration Settings | Unauthorized Change Detection | ||||||||||
Configuration Settings | Conformance Demonstration | ||||||||||
Least Functionality | Periodic Review | ||||||||||
Least Functionality | Prevent Program Execution | ||||||||||
Least Functionality | Registration Compliance | ||||||||||
Least Functionality | Unauthorized Software / Blacklisting | ||||||||||
Least Functionality | Authorized Software / Whitelisting | ||||||||||
Information System Component Inventory | Automated Location Tracking | ||||||||||
Information System Component Inventory | Updates During Installations / Removals | ||||||||||
Information System Component Inventory | Automated Maintenance | ||||||||||
Information System Component Inventory | Automated Unauthorized Component Detection | ||||||||||
Information System Component Inventory | Accountability Information | ||||||||||
Information System Component Inventory | No Duplicate Accounting Of Components | ||||||||||
Information System Component Inventory | Assessed Configurations / Approved Deviations | ||||||||||
Information System Component Inventory | Centralized Repository | ||||||||||
Contingency Plan Testing | Full Recovery / Reconstitution | ||||||||||
Contingency Plan Update | ||||||||||
Configuration Management Plan | Assignment Of Responsibility | ||||||||||
Software Usage Restrictions | ||||||||||
Software Usage Restrictions | Open Source Software | ||||||||||
User-Installed Software | ||||||||||
User-Installed Software | Alerts For Unauthorized Installations | ||||||||||
User-Installed Software | Prohibit Installation Without Privileged Status | ||||||||||
Alternate Processing Site | Equivalent Information Security Safeguards | ||||||||||
Alternate Processing Site | Inability To Return To Primary Site | ||||||||||
Contingency Plan | ||||||||||
Contingency Plan | Coordinate With Related Plans | ||||||||||
Contingency Plan | Capacity Planning | ||||||||||
Contingency Plan | Resume Essential Missions / Business Functions | ||||||||||
Contingency Plan | Resume All Missions / Business Functions | ||||||||||
Contingency Plan | Continue Essential Missions / Business Functions | ||||||||||
Contingency Plan | Alternate Processing / Storage Site | ||||||||||
Contingency Training | ||||||||||
Contingency Training | Simulated Events | ||||||||||
Contingency Training | Automated Training Environments | ||||||||||
Contingency Plan Testing | ||||||||||
Contingency Plan Testing | Coordinate With Related Plans | ||||||||||
Contingency Plan Testing | Alternate Processing Site | ||||||||||
Contingency Plan Testing | Automated Testing | ||||||||||
Alternate Storage Site | Separation From Primary Site | ||||||||||
Alternate Storage Site | Recovery Time / Point Objectives | ||||||||||
Alternate Storage Site | Accessibility | ||||||||||
Alternate Processing Site | Separation From Primary Site | ||||||||||
Alternate Processing Site | Accessibility | ||||||||||
Alternate Processing Site | Priority Of Service | ||||||||||
Alternate Processing Site | Preparation For Use | ||||||||||
Telecommunications Services | Priority Of Service Provisions | ||||||||||
Telecommunications Services | Single Points Of Failure | ||||||||||
Telecommunications Services | Provider Contingency Plan | ||||||||||
Telecommunications Services | Alternate Telecommunication Service Testing | ||||||||||
Information System Backup | ||||||||||
Information System Backup | Testing For Reliability / Integrity | ||||||||||
Information System Backup | Test Restoration Using Sampling | ||||||||||
Information System Backup | Protection From Unauthorized Modification | ||||||||||
Information System Backup | Transfer To Alternate Storage Site | ||||||||||
Information System Backup | Redundant Secondary System | ||||||||||
Information System Backup | Dual Authorization | ||||||||||
Information System Recovery And Reconstitution | Contingency Plan Testing | ||||||||||
Information System Recovery And Reconstitution | Transaction Recovery | ||||||||||
Information System Recovery And Reconstitution | Compensating Security Controls | ||||||||||
Information System Recovery And Reconstitution | Restore Within Time Period | ||||||||||
Information System Recovery And Reconstitution | Failover Capability | ||||||||||
Information System Recovery And Reconstitution | Component Protection | ||||||||||
Alternate Communications Protocols | ||||||||||
Identification And Authentication Policy And Procedures | ||||||||||
Identification And Authentication (Organizational Users) | ||||||||||
Identification And Authentication (Organizational Users) | Network Access To Privileged Accounts | ||||||||||
Identification And Authentication (Organizational Users) | Network Access To Non-Privileged Accounts | ||||||||||
Identification And Authentication (Organizational Users) | Local Access To Privileged Accounts | ||||||||||
Identification And Authentication (Organizational Users) | Local Access To Non-Privileged Accounts | ||||||||||
Identification And Authentication (Organizational Users) | Group Authentication | ||||||||||
Identification And Authentication (Organizational Users) | Network Access To Privileged Accounts - Separate Device | ||||||||||
Identification And Authentication (Organizational Users) | Network Access To Non-Privileged Accounts - Replay Resistant | ||||||||||
Identification And Authentication (Organizational Users) | Single Sign-On | ||||||||||
Identification And Authentication (Organizational Users) | Acceptance Of PIV Credentials | ||||||||||
Device Identification And Authentication | ||||||||||
Device Identification And Authentication | Cryptographic Bidirectional Authentication | ||||||||||
Device Identification And Authentication | Device Attestation | ||||||||||
Identifier Management | Prohibit Account Identifiers As Public Identifiers | ||||||||||
Identifier Management | Supervisor Authorization | ||||||||||
Identifier Management | Multiple Forms Of Certification | ||||||||||
Identifier Management | Identify User Status | ||||||||||
Identifier Management | Dynamic Management | ||||||||||
Identifier Management | Cross-Organization Management | ||||||||||
Identifier Management | In-Person Registration | ||||||||||
Authenticator Management | Password-Based Authentication | ||||||||||
Authenticator Management | PKI-Based Authentication | ||||||||||
Authenticator Management | In-Person Or Trusted Third-Party Registration | ||||||||||
Authenticator Management | Automated Support For Password Strength Determination | ||||||||||
Authenticator Management | Change Authenticators Prior To Delivery | ||||||||||
Authenticator Management | Protection Of Authenticators | ||||||||||
Authenticator Management | No Embedded Unencrypted Static Authenticators | ||||||||||
Authenticator Management | Cross-Organization Credential Management | ||||||||||
Authenticator Management | Hardware Token-Based Authentication | ||||||||||
Authenticator Management | Biometric-Based Authentication | ||||||||||
Authenticator Management | Expiration Of Cached Authenticators | ||||||||||
Authenticator Management | Managing Content Of PKI Trust Stores | ||||||||||
Authenticator Management | FICAM-Approved Products And Services | ||||||||||
Cryptographic Module Authentication | ||||||||||
Identification And Authentication (Non-Organizational Users) | Acceptance Of PIV Credentials From Other Agencies | ||||||||||
Identification And Authentication (Non-Organizational Users) | Acceptance Of Third-Party Credentials | ||||||||||
Identification And Authentication (Non-Organizational Users) | Use Of FICAM-Approved Products | ||||||||||
Identification And Authentication (Non-Organizational Users) | Use Of FICAM-Issued Profiles | ||||||||||
Identification And Authentication (Non-Organizational Users) | Acceptance Of PIV-I Credentials | ||||||||||
Service Identification And Authentication | ||||||||||
Service Identification And Authentication | Information Exchange | ||||||||||
Re-Authentication | ||||||||||
Incident Response Training | ||||||||||
Incident Response Training | Simulated Events | ||||||||||
Incident Response Training | Automated Training Environments | ||||||||||
Incident Response Testing | ||||||||||
Incident Response Testing | Coordination With Related Plans | ||||||||||
Incident Handling | Automated Incident Handling Processes | ||||||||||
Incident Handling | Dynamic Reconfiguration | ||||||||||
Incident Handling | Continuity Of Operations | ||||||||||
Incident Handling | Information Correlation | ||||||||||
Incident Handling | Automatic Disabling Of Information System | ||||||||||
Incident Handling | Insider Threats - Specific Capabilities | ||||||||||
Incident Handling | Insider Threats - Intra-Organization Coordination | ||||||||||
Incident Handling | Dynamic Response Capability | ||||||||||
Incident Handling | Supply Chain Coordination | ||||||||||
Incident Monitoring | ||||||||||
Incident Monitoring | Automated Tracking / Data Collection / Analysis | ||||||||||
Incident Reporting | Automated Reporting | ||||||||||
Incident Reporting | Vulnerabilities Related To Incidents | ||||||||||
Incident Reporting | Coordination With Supply Chain | ||||||||||
Incident Response Assistance | ||||||||||
Incident Response Assistance | Coordination With External Providers | ||||||||||
Information Spillage Response | ||||||||||
Information Spillage Response | Responsible Personnel | ||||||||||
Information Spillage Response | Training | ||||||||||
Information Spillage Response | Post-Spill Operations | ||||||||||
Information Spillage Response | Exposure To Unauthorized Personnel | ||||||||||
Maintenance Tools | Prevent Unauthorized Removal | ||||||||||
Controlled Maintenance | ||||||||||
Controlled Maintenance | Record Content | ||||||||||
Controlled Maintenance | Automated Maintenance Activities | ||||||||||
Maintenance Tools | ||||||||||
Maintenance Tools | Inspect Tools | ||||||||||
Maintenance Tools | Restricted Tool Use | ||||||||||
Nonlocal Maintenance | Auditing And Review | ||||||||||
Nonlocal Maintenance | Document Nonlocal Maintenance | ||||||||||
Nonlocal Maintenance | Comparable Security / Sanitization | ||||||||||
Nonlocal Maintenance | Authentication / Separation Of Maintenance Sessions | ||||||||||
Nonlocal Maintenance | Approvals And Notifications | ||||||||||
Nonlocal Maintenance | Cryptographic Protection | ||||||||||
Nonlocal Maintenance | Remote Disconnect Verification | ||||||||||
Media Downgrading | Documentation Of Process | ||||||||||
Maintenance Personnel | Security Clearances For Classified Systems | ||||||||||
Maintenance Personnel | Citizenship Requirements For Classified Systems | ||||||||||
Maintenance Personnel | Foreign Nationals | ||||||||||
Maintenance Personnel | Nonsystem-Related Maintenance | ||||||||||
Timely Maintenance | ||||||||||
Timely Maintenance | Predictive Maintenance | ||||||||||
Timely Maintenance | Automated Support For Predictive Maintenance | ||||||||||
Media Downgrading | Equipment Testing | ||||||||||
Media Access | ||||||||||
Media Access | Automated Restricted Access | ||||||||||
Media Access | Cryptographic Protection | ||||||||||
Media Marking | ||||||||||
Media Storage | ||||||||||
Media Storage | Cryptographic Protection | ||||||||||
Media Storage | Automated Restricted Access | ||||||||||
Media Downgrading | Controlled Unclassified Information | ||||||||||
Media Transport | Protection Outside Of Controlled Areas | ||||||||||
Media Transport | Documentation Of Activities | ||||||||||
Media Transport | Custodians | ||||||||||
Media Transport | Cryptographic Protection | ||||||||||
Media Sanitization | ||||||||||
Media Sanitization | Review / Approve / Track / Document / Verify | ||||||||||
Media Sanitization | Equipment Testing | ||||||||||
Media Downgrading | Classified Information | ||||||||||
Monitoring Physical Access | Monitoring Physical Access To Information Systems | ||||||||||
Media Sanitization | Controlled Unclassified Information | ||||||||||
Media Sanitization | Classified Information | ||||||||||
Media Sanitization | Media Destruction | ||||||||||
Media Sanitization | Remote Purging / Wiping Of Information | ||||||||||
Media Use | Prohibit Use Without Owner | ||||||||||
Media Use | Prohibit Use Of Sanitization-Resistant Media | ||||||||||
Media Downgrading | ||||||||||
Physical Access Authorizations | ||||||||||
Physical Access Authorizations | Access By Position / Role | ||||||||||
Physical Access Authorizations | Two Forms Of Identification | ||||||||||
Physical Access Control | ||||||||||
Physical Access Control | Information System Access | ||||||||||
Physical Access Control | Facility / Information System Boundaries | ||||||||||
Visitor Control | ||||||||||
Physical Access Control | Facility Penetration Testing | ||||||||||
Access Control For Transmission Medium | ||||||||||
Access Control For Output Devices | ||||||||||
Access Control For Output Devices | Access To Output By Authorized Individuals | ||||||||||
Access Control For Output Devices | Access To Output By Individual Identity | ||||||||||
Access Control For Output Devices | Marking Output Devices | ||||||||||
Monitoring Physical Access | ||||||||||
Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment | ||||||||||
Monitoring Physical Access | Automated Intrusion Recognition / Responses | ||||||||||
Monitoring Physical Access | Video Surveillance | ||||||||||
Visitor Access Records | Automated Records Maintenance / Review | ||||||||||
Visitor Access Records | Physical Access Records | ||||||||||
Power Equipment And Cabling | ||||||||||
Power Equipment And Cabling | Redundant Cabling | ||||||||||
Power Equipment And Cabling | Automatic Voltage Controls | ||||||||||
Emergency Shutoff | ||||||||||
Emergency Shutoff | Accidental / Unauthorized Activation | ||||||||||
Emergency Power | ||||||||||
Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability | ||||||||||
Emergency Power | Long-Term Alternate Power Supply - Self-Contained | ||||||||||
Emergency Lighting | ||||||||||
Emergency Lighting | Essential Missions / Business Functions | ||||||||||
Fire Protection | ||||||||||
Location Of Information System Components | Facility Site | ||||||||||
Fire Protection | Suppression Devices / Systems | ||||||||||
Fire Protection | Automatic Fire Suppression | ||||||||||
Fire Protection | Inspections | ||||||||||
Temperature And Humidity Controls | ||||||||||
Temperature And Humidity Controls | Automatic Controls | ||||||||||
Temperature And Humidity Controls | Monitoring With Alarms / Notifications | ||||||||||
Water Damage Protection | ||||||||||
Water Damage Protection | Automation Support | ||||||||||
Delivery And Removal | ||||||||||
Location Of Information System Components | ||||||||||
Information Leakage | National Emissions / TEMPEST Policies And Procedures | ||||||||||
Asset Monitoring And Tracking | ||||||||||
System Security Plan | ||||||||||
System Security Plan | Concept Of Operations | ||||||||||
System Security Plan | Functional Architecture | ||||||||||
System Security Plan | Plan / Coordinate With Other Organizational Entities | ||||||||||
System Security Plan Update | ||||||||||
Access Agreements | Post-Employment Requirements | ||||||||||
Rules Of Behavior | Social Media And Networking Restrictions | ||||||||||
Privacy Impact Assessment | ||||||||||
Security-Related Activity Planning | ||||||||||
Security Concept Of Operations | ||||||||||
Information Security Architecture | ||||||||||
Information Security Architecture | Supplier Diversity | ||||||||||
Boundary Protection | Deny By Default / Allow By Exception | ||||||||||
Position Risk Designation | ||||||||||
Personnel Screening | ||||||||||
Personnel Screening | Classified Information | ||||||||||
Personnel Screening | Formal Indoctrination | ||||||||||
Personnel Screening | Information With Special Protection Measures | ||||||||||
Boundary Protection | Response To Recognized Failures | ||||||||||
Personnel Termination | Post-Employment Requirements | ||||||||||
Personnel Termination | Automated Notification | ||||||||||
Personnel Transfer | ||||||||||
Access Agreements | ||||||||||
Access Agreements | Information Requiring Special Protection | ||||||||||
Personnel Sanctions | ||||||||||
Security Categorization | ||||||||||
Technical Surveillance Countermeasures Survey | ||||||||||
Risk Assessment Update | ||||||||||
Vulnerability Scanning | ||||||||||
Vulnerability Scanning | Update Tool Capability | ||||||||||
Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified | ||||||||||
Vulnerability Scanning | Breadth / Depth Of Coverage | ||||||||||
Vulnerability Scanning | Discoverable Information | ||||||||||
Vulnerability Scanning | Privileged Access | ||||||||||
Vulnerability Scanning | Automated Trend Analyses | ||||||||||
Vulnerability Scanning | Automated Detection And Notification Of Unauthorized Components | ||||||||||
Vulnerability Scanning | Review Historic Audit Logs | ||||||||||
Vulnerability Scanning | Penetration Testing And Analyses | ||||||||||
Vulnerability Scanning | Correlate Scanning Information | ||||||||||
Allocation Of Resources | ||||||||||
Acquisition Process | ||||||||||
Acquisition Process | Functional Properties Of Security Controls | ||||||||||
Acquisition Process | Use Of Approved PIV Products | ||||||||||
External Information System Services | Identification Of Functions / Ports / Protocols / Services | ||||||||||
Acquisition Process | Development Methods / Techniques / Practices | ||||||||||
Acquisition Process | Assignment Of Components To Systems | ||||||||||
Acquisition Process | System / Component / Service Configurations | ||||||||||
Acquisition Process | Use Of Information Assurance Products | ||||||||||
Acquisition Process | Continuous Monitoring Plan | ||||||||||
Acquisition Process | Functions / Ports / Protocols / Services In Use | ||||||||||
Information System Documentation | Functional Properties Of Security Controls | ||||||||||
Information System Documentation | Security-Relevant External System Interfaces | ||||||||||
Information System Documentation | High-Level Design | ||||||||||
Information System Documentation | Low-Level Design | ||||||||||
Information System Documentation | Source Code | ||||||||||
Software Usage Restrictions | ||||||||||
User-Installed Software | ||||||||||
Security Engineering Principles | ||||||||||
External Information System Services | ||||||||||
External Information System Services | Risk Assessments / Organizational Approvals | ||||||||||
External Information System Services | Consistent Interests Of Consumers And Providers | ||||||||||
External Information System Services | Processing, Storage, And Service Location | ||||||||||
Developer Configuration Management | ||||||||||
Developer Configuration Management | Software / Firmware Integrity Verification | ||||||||||
Developer Configuration Management | Hardware Integrity Verification | ||||||||||
Developer Configuration Management | Trusted Generation | ||||||||||
Developer Configuration Management | Mapping Integrity For Version Control | ||||||||||
Developer Configuration Management | Trusted Distribution | ||||||||||
Developer Security Testing And Evaluation | ||||||||||
Developer Security Testing And Evaluation | Threat And Vulnerability Analyses | ||||||||||
Developer Security Testing And Evaluation | Attack Surface Reviews | ||||||||||
Developer Security Testing And Evaluation | Verify Scope Of Testing / Evaluation | ||||||||||
Developer Security Testing And Evaluation | Dynamic Code Analysis | ||||||||||
Supply Chain Protection | Supplier Reviews | ||||||||||
Supply Chain Protection | Trusted Shipping And Warehousing | ||||||||||
Supply Chain Protection | Diversity Of Suppliers | ||||||||||
Supply Chain Protection | Limitation Of Harm | ||||||||||
Supply Chain Protection | Minimizing Procurement Time | ||||||||||
Supply Chain Protection | Assessments Prior To Selection / Acceptance / Update | ||||||||||
Supply Chain Protection | Use Of All-Source Intelligence | ||||||||||
Supply Chain Protection | Processes To Address Weaknesses Or Deficiencies | ||||||||||
Supply Chain Protection | Validate As Genuine And Not Altered | ||||||||||
Supply Chain Protection | Inter-Organizational Agreements | ||||||||||
Supply Chain Protection | Critical Information System Components | ||||||||||
Supply Chain Protection | Identity And Traceability | ||||||||||
Developer Security Architecture And Design | Structure For Least Privilege | ||||||||||
Criticality Analysis | Critical Components With No Viable Alternative Sourcing | ||||||||||
Development Process, Standards, And Tools | ||||||||||
Development Process, Standards, And Tools | Security Tracking Tools | ||||||||||
Development Process, Standards, And Tools | Criticality Analysis | ||||||||||
Development Process, Standards, And Tools | Continuous Improvement | ||||||||||
Development Process, Standards, And Tools | Automated Vulnerability Analysis | ||||||||||
Development Process, Standards, And Tools | Reuse Of Threat / Vulnerability Information | ||||||||||
Development Process, Standards, And Tools | Use Of Live Data | ||||||||||
Development Process, Standards, And Tools | Incident Response Plan | ||||||||||
Development Process, Standards, And Tools | Archive Information System / Component | ||||||||||
Developer-Provided Training | ||||||||||
Information Input Validation | Manual Override Capability | ||||||||||
Developer Security Architecture And Design | Formal Policy Model | ||||||||||
Developer Security Architecture And Design | Security-Relevant Components | ||||||||||
Developer Security Architecture And Design | Informal Correspondence | ||||||||||
Developer Security Architecture And Design | Conceptually Simple Design | ||||||||||
Developer Security Architecture And Design | Structure For Testing | ||||||||||
Tamper Resistance And Detection | Multiple Phases Of SDLC | ||||||||||
Component Authenticity | ||||||||||
Component Authenticity | Anti-Counterfeit Training | ||||||||||
Component Authenticity | Configuration Control For Component Service / Repair | ||||||||||
Component Authenticity | Component Disposal | ||||||||||
Component Authenticity | Anti-Counterfeit Scanning | ||||||||||
Customized Development Of Critical Components | ||||||||||
Developer Screening | ||||||||||
Non-Modifiable Executable Programs | Hardware-Based Protection | ||||||||||
Unsupported System Components | Alternative Sources For Continued Support | ||||||||||
Application Partitioning | ||||||||||
Application Partitioning | Interfaces For Non-Privileged Users | ||||||||||
Denial Of Service Protection | ||||||||||
Process Isolation | Thread Isolation | ||||||||||
Security Function Isolation | Hardware Separation | ||||||||||
Security Function Isolation | Access / Flow Control Functions | ||||||||||
Security Function Isolation | Minimize Nonsecurity Functionality | ||||||||||
Security Function Isolation | Module Coupling And Cohesiveness | ||||||||||
Security Function Isolation | Layered Structures | ||||||||||
Information In Shared Resources | ||||||||||
Information In Shared Resources | Security Levels | ||||||||||
Information In Shared Resources | Periods Processing | ||||||||||
Denial Of Service Protection | Excess Capacity / Bandwidth / Redundancy | ||||||||||
Resource Availability | ||||||||||
Boundary Protection | Physically Separated Subnetworks | ||||||||||
Boundary Protection | Public Access | ||||||||||
Boundary Protection | Access Points | ||||||||||
Boundary Protection | External Telecommunications Services | ||||||||||
Information Input Validation | Review / Resolution Of Errors | ||||||||||
Boundary Protection | Route Traffic To Authenticated Proxy Servers | ||||||||||
Boundary Protection | Prevent Unauthorized Exfiltration | ||||||||||
Boundary Protection | Restrict Incoming Communications Traffic | ||||||||||
Boundary Protection | Host-Based Protection | ||||||||||
Boundary Protection | Isolation Of Security Tools / Mechanisms / Support Components | ||||||||||
Boundary Protection | Route Privileged Network Accesses | ||||||||||
Boundary Protection | Prevent Discovery Of Components / Devices | ||||||||||
Boundary Protection | Automated Enforcement Of Protocol Formats | ||||||||||
Boundary Protection | Fail Secure | ||||||||||
Boundary Protection | Blocks Communication From Non-Organizationally Configured Hosts | ||||||||||
Boundary Protection | Dynamic Isolation / Segregation | ||||||||||
Boundary Protection | Separate Subnets For Connecting To Different Security Domains | ||||||||||
Boundary Protection | Disable Sender Feedback On Protocol Validation Failure | ||||||||||
Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection | ||||||||||
Transmission Confidentiality And Integrity | Pre / Post Transmission Handling | ||||||||||
Transmission Confidentiality And Integrity | Cryptographic Protection For Message Externals | ||||||||||
Transmission Confidentiality | ||||||||||
Network Disconnect | ||||||||||
Collaborative Computing Devices | ||||||||||
Trusted Path | Logical Isolation | ||||||||||
Cryptographic Key Establishment And Management | Availability | ||||||||||
Cryptographic Key Establishment And Management | Symmetric Keys | ||||||||||
Cryptographic Key Establishment And Management | Asymmetric Keys | ||||||||||
Cryptographic Key Establishment And Management | PKI Certificates | ||||||||||
Cryptographic Key Establishment And Management | PKI Certificates / Hardware Tokens | ||||||||||
Cryptographic Protection | ||||||||||
Cryptographic Protection | FIPS-Validated Cryptography | ||||||||||
Cryptographic Protection | NSA-Approved Cryptography | ||||||||||
Cryptographic Protection | Individuals Without Formal Access Approvals | ||||||||||
Cryptographic Protection | Digital Signatures | ||||||||||
Public Access Protections | ||||||||||
Collaborative Computing Devices | Physical Disconnect | ||||||||||
Collaborative Computing Devices | Explicitly Indicate Current Participants | ||||||||||
Transmission Of Security Attributes | ||||||||||
Transmission Of Security Attributes | Integrity Validation | ||||||||||
Public Key Infrastructure Certificates | ||||||||||
Mobile Code | Identify Unacceptable Code / Take Corrective Actions | ||||||||||
Mobile Code | Acquisition / Development / Use | ||||||||||
Mobile Code | Prevent Downloading / Execution | ||||||||||
Mobile Code | Prevent Automatic Execution | ||||||||||
Mobile Code | Allow Execution Only In Confined Environments | ||||||||||
Voice Over Internet Protocol | ||||||||||
Secure Name / Address Resolution Service (Authoritative Source) | Child Subspaces | ||||||||||
Secure Name / Address Resolution Service (Authoritative Source) | Data Origin / Integrity | ||||||||||
Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | ||||||||||
Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | Data Origin / Integrity | ||||||||||
Architecture And Provisioning For Name / Address Resolution Service | ||||||||||
Session Authenticity | ||||||||||
Session Authenticity | Invalidate Session Identifiers At Logout | ||||||||||
Session Authenticity | User-Initiated Logouts / Message Displays | ||||||||||
Session Authenticity | Unique Session Identifiers With Randomization | ||||||||||
Fail In Known State | ||||||||||
Thin Nodes | ||||||||||
Honeypots | ||||||||||
Honeypots | Detection Of Malicious Code | ||||||||||
Platform-Independent Applications | ||||||||||
Protection Of Information At Rest | Cryptographic Protection | ||||||||||
Protection Of Information At Rest | Off-Line Storage | ||||||||||
Heterogeneity | Virtualization Techniques | ||||||||||
Concealment And Misdirection | Virtualization Techniques | ||||||||||
Concealment And Misdirection | Randomness | ||||||||||
Concealment And Misdirection | Misleading Information | ||||||||||
Information System Monitoring | Testing Of Monitoring Tools | ||||||||||
Covert Channel Analysis | ||||||||||
Covert Channel Analysis | Test Covert Channels For Exploitability | ||||||||||
Covert Channel Analysis | Maximum Bandwidth | ||||||||||
Covert Channel Analysis | Measure Bandwidth In Operational Environments | ||||||||||
Transmission Preparation Integrity | ||||||||||
Non-Modifiable Executable Programs | ||||||||||
Non-Modifiable Executable Programs | No Writable Storage | ||||||||||
Non-Modifiable Executable Programs | Integrity Protection / Read-Only Media | ||||||||||
Distributed Processing And Storage | ||||||||||
Out-Of-Band Channels | ||||||||||
Out-Of-Band Channels | Ensure Delivery / Transmission | ||||||||||
Process Isolation | ||||||||||
Process Isolation | Hardware Separation | ||||||||||
Wireless Link Protection | Electromagnetic Interference | ||||||||||
Wireless Link Protection | Reduce Detection Potential | ||||||||||
Wireless Link Protection | Imitative Or Manipulative Communications Deception | ||||||||||
Wireless Link Protection | Signal Parameter Identification | ||||||||||
Port And I/O Device Access | ||||||||||
Sensor Capability And Data | ||||||||||
Sensor Capability And Data | Reporting To Authorized Individuals Or Roles | ||||||||||
Information System Monitoring | Probationary Periods | ||||||||||
Sensor Capability And Data | Prohibit Use Of Devices | ||||||||||
Usage Restrictions | ||||||||||
System And Information Integrity Policy And Procedures | ||||||||||
Flaw Remediation | ||||||||||
Flaw Remediation | Central Management | ||||||||||
Flaw Remediation | Automated Flaw Remediation Status | ||||||||||
Flaw Remediation | Time To Remediate Flaws / Benchmarks For Corrective Actions | ||||||||||
Flaw Remediation | Automated Patch Management Tools | ||||||||||
Flaw Remediation | Removal Of Previous Versions Of Software / Firmware | ||||||||||
Malicious Code Protection | Central Management | ||||||||||
Malicious Code Protection | Automatic Updates | ||||||||||
Malicious Code Protection | Non-Privileged Users | ||||||||||
Malicious Code Protection | Updates Only By Privileged Users | ||||||||||
Malicious Code Protection | Portable Storage Devices | ||||||||||
Malicious Code Protection | Testing / Verification | ||||||||||
Malicious Code Protection | Nonsignature-Based Detection | ||||||||||
Information System Monitoring | Unauthorized Network Services | ||||||||||
Malicious Code Protection | Malicious Code Analysis | ||||||||||
Information System Monitoring | ||||||||||
Information System Monitoring | System-Wide Intrusion Detection System | ||||||||||
Information System Monitoring | Automated Tools For Real-Time Analysis | ||||||||||
Information System Monitoring | Automated Tool Integration | ||||||||||
Information System Monitoring | Inbound And Outbound Communications Traffic | ||||||||||
Information System Monitoring | System-Generated Alerts | ||||||||||
Information System Monitoring | Restrict Non-Privileged Users | ||||||||||
Information System Monitoring | Automated Response To Suspicious Events | ||||||||||
Information System Monitoring | Protection Of Monitoring Information | ||||||||||
Information System Monitoring | Analyze Communications Traffic Anomalies | ||||||||||
Information System Monitoring | Automated Alerts | ||||||||||
Information System Monitoring | Analyze Traffic / Event Patterns | ||||||||||
Information System Monitoring | Wireless Intrusion Detection | ||||||||||
Information System Monitoring | Wireless To Wireline Communications | ||||||||||
Information System Monitoring | Correlate Monitoring Information | ||||||||||
Information System Monitoring | Analyze Traffic / Covert Exfiltration | ||||||||||
Information System Monitoring | Individuals Posing Greater Risk | ||||||||||
Information System Monitoring | Privileged Users | ||||||||||
Security Alerts, Advisories, And Directives | ||||||||||
Security Alerts, Advisories, And Directives | Automated Alerts And Advisories | ||||||||||
Security Function Verification | Notification Of Failed Security Tests | ||||||||||
Security Function Verification | Automation Support For Distributed Testing | ||||||||||
Security Function Verification | Report Verification Results | ||||||||||
Software, Firmware, And Information Integrity | ||||||||||
Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Violations | ||||||||||
Software, Firmware, And Information Integrity | Centrally-Managed Integrity Tools | ||||||||||
Software, Firmware, And Information Integrity | Tamper-Evident Packaging | ||||||||||
Software, Firmware, And Information Integrity | Automated Response To Integrity Violations | ||||||||||
Software, Firmware, And Information Integrity | Cryptographic Protection | ||||||||||
Software, Firmware, And Information Integrity | Integration Of Detection And Response | ||||||||||
Software, Firmware, And Information Integrity | Auditing Capability For Significant Events | ||||||||||
Software, Firmware, And Information Integrity | Verify Boot Process | ||||||||||
Software, Firmware, And Information Integrity | Protection Of Boot Firmware | ||||||||||
Software, Firmware, And Information Integrity | Confined Environments With Limited Privileges | ||||||||||
Software, Firmware, And Information Integrity | Code Execution In Protected Environments | ||||||||||
Software, Firmware, And Information Integrity | Code Authentication | ||||||||||
Software, Firmware, And Information Integrity | Time Limit On Process Execution W/O Supervision | ||||||||||
Spam Protection | ||||||||||
Spam Protection | Central Management | ||||||||||
Spam Protection | Automatic Updates | ||||||||||
Spam Protection | Continuous Learning Capability | ||||||||||
Information Input Restrictions | ||||||||||
Information Input Validation | Review / Timing Interactions | ||||||||||
Information Input Validation | Restrict Inputs To Trusted Sources And Approved Formats | ||||||||||
Error Handling | ||||||||||
Information Handling And Retention | ||||||||||
Predictable Failure Prevention | ||||||||||
Predictable Failure Prevention | Transferring Component Responsibilities | ||||||||||
Predictable Failure Prevention | Time Limit On Process Execution Without Supervision | ||||||||||
Predictable Failure Prevention | Manual Transfer Between Components | ||||||||||
Predictable Failure Prevention | Standby Component Installation / Notification | ||||||||||
Information Security Program Plan | ||||||||||
Senior Information Security Officer | ||||||||||
Information Security Resources | ||||||||||
Non-Persistence | Refresh From Trusted Sources | ||||||||||
Information Output Filtering | ||||||||||
Memory Protection | ||||||||||
Fail-Safe Procedures | ||||||||||
Plan Of Action And Milestones Process | ||||||||||
Information System Inventory | ||||||||||
Information Security Measures Of Performance | ||||||||||
Enterprise Architecture | ||||||||||
Critical Infrastructure Plan | ||||||||||
Risk Management Strategy | ||||||||||
Account Management | Dynamic Account Creation | ||||||||||
Security Authorization Process | ||||||||||
Mission/Business Process Definition | ||||||||||
Insider Threat Program | ||||||||||
Information Security Workforce | ||||||||||
Account Management | Disable Accounts For High-Risk Individuals | ||||||||||
Testing, Training, And Monitoring | ||||||||||
Contacts With Security Groups And Associations | ||||||||||
Threat Awareness Program | ||||||||||
Access Control Policy And Procedures | ||||||||||
Account Management | Dynamic Privilege Management | ||||||||||
Access Enforcement | Mandatory Access Control | ||||||||||
Access Enforcement | Discretionary Access Control | ||||||||||
Access Enforcement | Controlled Release | ||||||||||
Information Flow Enforcement | ||||||||||
Information Flow Enforcement | Processing Domains | ||||||||||
Information Flow Enforcement | Security Policy Filters | ||||||||||
Information Flow Enforcement | Validation Of Metadata | ||||||||||
Separation Of Duties | ||||||||||
Least Privilege | Authorize Access To Security Functions | ||||||||||
Least Privilege | Privileged Accounts | ||||||||||
Unsuccessful Logon Attempts | ||||||||||
System Use Notification | ||||||||||
Session Termination | ||||||||||
Session Termination | User-Initiated Logouts / Message Displays | ||||||||||
Permitted Actions Without Identification Or Authentication | ||||||||||
Security Attributes | Consistent Attribute Interpretation | ||||||||||
Security Attributes | Association Techniques / Technologies | ||||||||||
Remote Access | ||||||||||
Remote Access | Disconnect / Disable Access | ||||||||||
Wireless Access | Antennas / Transmission Power Levels | ||||||||||
Use Of External Information Systems | Limits On Authorized Use | ||||||||||
Use Of External Information Systems | Non-Organizationally Owned Systems / Components / Devices | ||||||||||
Data Mining Protection | ||||||||||
Reference Monitor | ||||||||||
Security Awareness And Training Policy And Procedures | ||||||||||
Role-Based Security Training | Suspicious Communications And Anomalous System Behavior | ||||||||||
Audit And Accountability Policy And Procedures | ||||||||||
Content Of Audit Records | Additional Audit Information | ||||||||||
Response To Audit Processing Failures | ||||||||||
Audit Review, Analysis, And Reporting | ||||||||||
Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities | ||||||||||
Audit Review, Analysis, And Reporting | Correlation With Information From Nontechnical Sources | ||||||||||
Audit Reduction And Report Generation | ||||||||||
Time Stamps | ||||||||||
Protection Of Audit Information | Hardware Write-Once Media | ||||||||||
Non-Repudiation | ||||||||||
Non-Repudiation | Validate Binding Of Information Reviewer Identity | ||||||||||
Audit Record Retention | ||||||||||
Cross-Organizational Auditing | ||||||||||
Telecommunications Services | ||||||||||
Security Assessment And Authorization Policy And Procedures | ||||||||||
Security Assessments | Specialized Assessments | ||||||||||
System Interconnections | ||||||||||
System Interconnections | Restrictions On External System Connections | ||||||||||
Plan Of Action And Milestones | ||||||||||
Telecommunications Services | Separation Of Primary / Alternate Providers | ||||||||||
Security Authorization | ||||||||||
Continuous Monitoring | Trend Analyses | ||||||||||
Penetration Testing | ||||||||||
Configuration Management Policy And Procedures | ||||||||||
Information System Backup | Separate Storage For Critical Information | ||||||||||
Baseline Configuration | Configure Systems, Components, Or Devices For High-Risk Areas | ||||||||||
Configuration Change Control | Test / Validate / Document Changes | ||||||||||
Security Impact Analysis | ||||||||||
Access Restrictions For Change | ||||||||||
Configuration Settings | Respond To Unauthorized Changes | ||||||||||
Information System Recovery And Reconstitution | ||||||||||
Least Functionality | ||||||||||
Information System Component Inventory | ||||||||||
Information System Component Inventory | Assignment Of Components To Systems | ||||||||||
Configuration Management Plan | ||||||||||
Safe Mode | ||||||||||
Contingency Planning Policy And Procedures | ||||||||||
Contingency Plan | Coordinate With External Service Providers | ||||||||||
Contingency Plan | Identify Critical Assets | ||||||||||
Alternate Storage Site | ||||||||||
Alternate Processing Site | ||||||||||
Visitor Access Records | ||||||||||
Alternative Security Mechanisms | ||||||||||
Identification And Authentication (Organizational Users) | Network Access To Privileged Accounts - Replay Resistant | ||||||||||
Identification And Authentication (Organizational Users) | Remote Access - Separate Device | ||||||||||
Identification And Authentication (Organizational Users) | Out-Of-Band Authentication | ||||||||||
Device Identification And Authentication | Dynamic Address Allocation | ||||||||||
Identifier Management | ||||||||||
Development Process, Standards, And Tools | Threat Modeling / Vulnerability Analysis | ||||||||||
Authenticator Management | ||||||||||
Authenticator Management | Multiple Information System Accounts | ||||||||||
Authenticator Management | Dynamic Credential Association | ||||||||||
Authenticator Feedback | ||||||||||
Identification And Authentication (Non-Organizational Users) | ||||||||||
Service Identification And Authentication | Transmission Of Decisions | ||||||||||
Session Authenticity | Allowed Certificate Authorities | ||||||||||
Adaptive Identification And Authentication | ||||||||||
Incident Response Policy And Procedures | ||||||||||
Incident Response Testing | Automated Testing | ||||||||||
Incident Handling | ||||||||||
Incident Handling | Correlation With External Organizations | ||||||||||
Physical Access Authorizations | Restrict Unescorted Access | ||||||||||
Incident Reporting | ||||||||||
Incident Response Assistance | Automation Support For Availability Of Information / Support | ||||||||||
Incident Response Plan | ||||||||||
Integrated Information Security Analysis Team | ||||||||||
System Maintenance Policy And Procedures | ||||||||||
Physical Access Control | Tamper Protection | ||||||||||
Nonlocal Maintenance | ||||||||||
Maintenance Personnel | ||||||||||
Maintenance Personnel | Individuals Without Appropriate Access | ||||||||||
Timely Maintenance | Preventive Maintenance | ||||||||||
Media Protection Policy And Procedures | ||||||||||
Media Transport | ||||||||||
Media Sanitization | Nondestructive Techniques | ||||||||||
Media Sanitization | Dual Authorization | ||||||||||
Media Use | ||||||||||
Physical And Environmental Protection Policy And Procedures | ||||||||||
Fire Protection | Detection Devices / Systems | ||||||||||
Alternate Work Site | ||||||||||
Information Leakage | ||||||||||
Security Planning Policy And Procedures | ||||||||||
Rules Of Behavior | ||||||||||
Information Security Architecture | Defense-In-Depth | ||||||||||
Central Management | ||||||||||
Personnel Security Policy And Procedures | ||||||||||
Personnel Termination | ||||||||||
Access Agreements | Classified Information Requiring Special Protection | ||||||||||
Third-Party Personnel Security | ||||||||||
Risk Assessment Policy And Procedures | ||||||||||
Risk Assessment | ||||||||||
System And Services Acquisition Policy And Procedures | ||||||||||
System Development Life Cycle | ||||||||||
Acquisition Process | Design / Implementation Information For Security Controls | ||||||||||
Acquisition Process | NIAP-Approved Protection Profiles | ||||||||||
Information System Documentation | ||||||||||
External Information System Services | Establish / Maintain Trust Relationship With Providers | ||||||||||
Developer Configuration Management | Alternative Configuration Management Processes | ||||||||||
Honeyclients | ||||||||||
Developer Security Testing And Evaluation | Static Code Analysis | ||||||||||
Developer Security Testing And Evaluation | Independent Verification Of Assessment Plans / Evidence | ||||||||||
Developer Security Testing And Evaluation | Manual Code Reviews | ||||||||||
Developer Security Testing And Evaluation | Penetration Testing | ||||||||||
Supply Chain Protection | ||||||||||
Development Process, Standards, And Tools | Quality Metrics | ||||||||||
Supply Chain Protection | Acquisition Strategies / Tools / Methods | ||||||||||
Supply Chain Protection | Operations Security | ||||||||||
Supply Chain Protection | Penetration Testing / Analysis Of Elements, Processes, And Actors | ||||||||||
Trustworthiness | ||||||||||
Criticality Analysis | ||||||||||
Development Process, Standards, And Tools | Attack Surface Reduction | ||||||||||
Developer Security Architecture And Design | ||||||||||
Developer Security Architecture And Design | Formal Correspondence | ||||||||||
Tamper Resistance And Detection | ||||||||||
Tamper Resistance And Detection | Inspection Of Information Systems, Components, Or Devices | ||||||||||
Developer Screening | Validation Of Screening | ||||||||||
Unsupported System Components | ||||||||||
System And Communications Protection Policy And Procedures | ||||||||||
Security Function Isolation | ||||||||||
Denial Of Service Protection | Restrict Internal Users | ||||||||||
Denial Of Service Protection | Detection / Monitoring | ||||||||||
Boundary Protection | ||||||||||
Boundary Protection | Prevent Split Tunneling For Remote Devices | ||||||||||
Boundary Protection | Restrict Threatening Outgoing Communications Traffic | ||||||||||
Boundary Protection | Protects Against Unauthorized Physical Connections | ||||||||||
Boundary Protection | Isolation Of Information System Components | ||||||||||
Transmission Confidentiality And Integrity | ||||||||||
Software, Firmware, And Information Integrity | Integrity Verification | ||||||||||
Transmission Confidentiality And Integrity | Conceal / Randomize Communications | ||||||||||
Trusted Path | ||||||||||
Cryptographic Key Establishment And Management | ||||||||||
Collaborative Computing Devices | Disabling / Removal In Secure Work Areas | ||||||||||
Mobile Code | ||||||||||
Secure Name / Address Resolution Service (Authoritative Source) | ||||||||||
Protection Of Information At Rest | ||||||||||
Heterogeneity | ||||||||||
Concealment And Misdirection | ||||||||||
Concealment And Misdirection | Change Processing / Storage Locations | ||||||||||
Concealment And Misdirection | Concealment Of System Components | ||||||||||
Information System Partitioning | ||||||||||
Distributed Processing And Storage | Polling Techniques | ||||||||||
Operations Security | ||||||||||
Wireless Link Protection | ||||||||||
Sensor Capability And Data | Authorized Use | ||||||||||
Detonation Chambers | ||||||||||
Flaw Remediation | Automatic Software / Firmware Updates | ||||||||||
Malicious Code Protection | ||||||||||
Malicious Code Protection | Detect Unauthorized Commands | ||||||||||
Malicious Code Protection | Authenticate Remote Commands | ||||||||||
Information System Monitoring | Visibility Of Encrypted Communications | ||||||||||
Information System Monitoring | Integrated Situational Awareness | ||||||||||
Information System Monitoring | Host-Based Devices | ||||||||||
Information System Monitoring | Indicators Of Compromise | ||||||||||
Security Function Verification | ||||||||||
Software, Firmware, And Information Integrity | Integrity Checks | ||||||||||
Software, Firmware, And Information Integrity | Binary Or Machine Executable Code | ||||||||||
Information Input Validation | ||||||||||
Information Input Validation | Predictable Behavior | ||||||||||
Predictable Failure Prevention | Failover Capability | ||||||||||
Non-Persistence |