Granular 800-53r2 800-53r3 Comparison

From FISMApedia

This comparison table is intended to convey changes in the selection of security controls and security control enhancements between NIST SP 800-53 Revision 2 and Revision 3. Elements from NIST SP 800-53 Revision 3 are highlighted in yellow unless there has been a change from the previous revision, in which case they are highlighted in red. Withdrawn items are highlighted in light green and shown in a strikethrough font.

The table does not convey the scope of the changes that have taken place in the text of the security controls, security control enhancements and supplemental guidance. 165 selected control enhancements are listed in the table, while there are an additional 250 unselected control enhancements in NIST SP 800-53 Revision 3.

Key and Color Code

| Key | Description |
|---|---|
| Example | NIST SP 800-53r2 |
| Example | NIST SP 800-53r3, No Change |
| Example | NIST SP 800-53r3, Change |
| Example | Withdrawn |
| N/S | Not Selected |


| Control Number | NIST SP 800-53 Rev. 2 | NIST SP 800-53 Rev. 3 | Priority | Rev. 2 LOW | Rev. 3 LOW | Rev. 2 MOD | Rev. 3 MOD | Rev. 2 HIGH | Rev. 3 HIGH |
|---|---|---|---|---|---|---|---|---|---|
| Access Control |  |  |  |  |  |  |  |  |  |
| AC-1 | Access Control Policy and Procedures | Access Control Policy and Procedures | P1 | AC-1 | AC-1 | AC-1 | AC-1 | AC-1 | AC-1 |
| AC-2 | Account Management | Account Management | P1 | AC-2 | AC-2 | AC-2 | AC-2 | AC-2 | AC-2 |
| AC-2 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| AC-2 (2) |  |  |  |  |  | (2) | (2) | (2) | (2) |
| AC-2 (3) |  |  |  |  |  | (3) | (3) | (3) | (3) |
| AC-2 (4) |  |  |  |  |  | (4) | (4) | (4) | (4) |
| AC-3 | Access Enforcement | Access Enforcement | P1 | AC-3 | AC-3 | AC-3 | AC-3 | AC-3 | AC-3 |
| AC-3 (1) |  |  |  |  |  | (1) |  | (1) |  |
| AC-4 | Information Flow Enforcement | Information Flow Enforcement | P1 | N/S | N/S | AC-4 | AC-4 | AC-4 | AC-4 |
| AC-5 | Separation of Duties | Separation of Duties | P1 | N/S | N/S | AC-5 | AC-5 | AC-5 | AC-5 |
| AC-6 | Least Privilege | Least Privilege | P1 | N/S | N/S | AC-6 | AC-6 | AC-6 | AC-6 |
| AC-6 (1) |  |  |  |  |  |  | (1) |  | (1) |
| AC-6 (2) |  |  |  |  |  |  | (2) |  | (2) |
| AC-7 | Unsuccessful Login Attempts | Unsuccessful Login Attempts | P2 | AC-7 | AC-7 | AC-7 | AC-7 | AC-7 | AC-7 |
| AC-8 | System Use Notification | System Use Notification | P1 | AC-8 | AC-8 | AC-8 | AC-8 | AC-8 | AC-8 |
| AC-9 | Previous Logon Notification | Previous Logon (Access) Notification | P0 | N/S | N/S | N/S | N/S | N/S | N/S |
| AC-10 | Concurrent Session Control | Concurrent Session Control | P2 | N/S | N/S | N/S | N/S | AC-10 | AC-10 |
| AC-11 | Session Lock | Session Lock | P3 | N/S | N/S | AC-11 | AC-11 | AC-11 | AC-11 |
| AC-12 | Session Termination | Session Termination (Withdrawn) | --- | N/S | --- | AC-12 | --- | AC-12 | --- |
| AC-12 (1) |  |  |  |  |  |  |  | (1) |  |
| AC-13 | Supervision and Review-Access Control | Supervision and Review-Access Control (Withdrawn) | --- | AC-13 | --- | AC-13 | --- | AC-13 | --- |
| AC-13 (1) |  |  |  |  |  | (1) |  | (1) |  |
| AC-14 | Permitted Actions without Identification or Authentication | Permitted Actions without Identification or Authentication | P1 | AC-14 | AC-14 | AC-14 | AC-14 | AC-14 | AC-14 |
| AC-14 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| AC-15 | Automated Marking | Automated Marking (Withdrawn) | --- | N/S | --- | N/S | --- | AC-15 | --- |
| AC-16 | Automated Labeling | Security Attributes | P0 | N/S | N/S | N/S | N/S | N/S | N/S |
| AC-17 | Remote Access | Remote Access | P1 | AC-17 | AC-17 | AC-17 | AC-17 | AC-17 | AC-17 |
| AC-17 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| AC-17 (2) |  |  |  |  |  | (2) | (2) | (2) | (2) |
| AC-17 (3) |  |  |  |  |  | (3) | (3) | (3) | (3) |
| AC-17 (4) |  |  |  |  |  | (4) | (4) | (4) | (4) |
| AC-17 (5) |  |  |  |  |  |  | (5) |  | (5) |
|  |  |  |  |  |  |  |  |  |  |
| AC-17 (7) |  |  |  |  |  |  | (7) |  | (7) |
| AC-17 (8) |  |  |  |  |  |  | (8) |  | (8) |
| AC-18 | Wireless Access Restrictions | Wireless Access | P1 | AC-18 | AC-18 | AC-18 | AC-18 | AC-18 | AC-18 |
| AC-18 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| AC-18 (2) |  |  |  |  |  |  |  | (2) | (2) |
|  |  |  |  |  |  |  |  |  |  |
| AC-18 (4) |  |  |  |  |  |  |  |  | (4) |
| AC-18 (5) |  |  |  |  |  |  |  |  | (5) |
| AC-19 | Access Control for Portable and Mobile Devices | Access Control for Mobile Devices | P1 | N/S | AC-19 | AC-19 | AC-19 | AC-19 | AC-19 |
| AC-19 (1) |  |  |  |  |  |  | (1) |  | (1) |
| AC-19 (2) |  |  |  |  |  |  | (2) |  | (2) |
| AC-19 (3) |  |  |  |  |  |  | (3) |  | (3) |
| AC-20 | Use of External Information Systems | Use of External Information Systems | P1 | AC-20 | AC-20 | AC-20 | AC-20 | AC-20 | AC-20 |
| AC-20 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| AC-20 (2) |  |  |  |  |  |  | (2) |  | (2) |
| AC-21 |  | User-Based Collaboration and Information Sharing | P0 |  | N/S |  | N/S |  | N/S |
| AC-22 |  | Publicly Accessible Content | P2 |  | AC-22 |  | AC-22 |  | AC-22 |
| Awareness and Training |  |  |  |  |  |  |  |  |  |
| AT-1 | Security Awareness and Training Policy and Procedures | Security Awareness and Training Policy and Procedures | P1 | AT-1 | AT-1 | AT-1 | AT-1 | AT-1 | AT-1 |
| AT-2 | Security Awareness | Security Awareness | P1 | AT-2 | AT-2 | AT-2 | AT-2 | AT-2 | AT-2 |
| AT-3 | Security Training | Security Training | P1 | AT-3 | AT-3 | AT-3 | AT-3 | AT-3 | AT-3 |
| AT-4 | Security Training Records | Security Training Records | P3 | AT-4 | AT-4 | AT-4 | AT-4 | AT-4 | AT-4 |
| AT-5 | Contacts with Security Groups and Associations | Contacts with Security Groups and Associations | P0 | N/S | N/S | N/S | N/S | N/S | N/S |
| Audit and Accountability |  |  |  |  |  |  |  |  |  |
| AU-1 | Audit and Accountability Policy and Procedures | Audit and Accountability Policy and Procedures | P1 | AU-1 | AU-1 | AU-1 | AU-1 | AU-1 | AU-1 |
| AU-2 | Auditable Events | Auditable Events | P1 | AU-2 | AU-2 | AU-2 | AU-2 | AU-2 | AU-2 |
| AU-2 (1) |  |  |  |  |  |  |  | (1) |  |
| AU-2 (2) |  |  |  |  |  |  |  | (2) |  |
| AU-2 (3) |  |  |  |  |  | (3) | (3) | (3) | (3) |
| AU-2 (4) |  |  |  |  |  |  | (4) |  | (4) |
| AU-3 | Content of Audit Records | Content of Audit Records | P1 | AU-3 | AU-3 | AU-3 | AU-3 | AU-3 | AU-3 |
| AU-3 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| AU-3 (2) |  |  |  |  |  |  |  | (2) | (2) |
| AU-4 | Audit Storage Capacity | Audit Storage Capacity | P1 | AU-4 | AU-4 | AU-4 | AU-4 | AU-4 | AU-4 |
| AU-5 | Response to Audit Processing Failures | Response to Audit Processing Failures | P1 | AU-5 | AU-5 | AU-5 | AU-5 | AU-5 | AU-5 |
| AU-5 (1) |  |  |  |  |  |  |  | (1) | (1) |
| AU-5 (2) |  |  |  |  |  |  |  | (2) | (2) |
| AU-6 | Audit Monitoring, Analysis, and Reporting | Audit Review, Analysis, and Reporting | P1 | N/S | AU-6 | AU-6 | AU-6 | AU-6 | AU-6 |
| AU-6 (1) |  |  |  |  |  |  |  | (1) | (1) |
| AU-6 (2) |  |  |  |  |  | (2) |  | (2) |  |
| AU-7 | Audit Reduction and Report Generation | Audit Reduction and Report Generation | P2 | N/S | N/S | AU-7 | AU-7 | AU-7 | AU-7 |
| AU-7 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| AU-8 | Time Stamps | Time Stamps | P1 | AU-8 | AU-8 | AU-8 | AU-8 | AU-8 | AU-8 |
| AU-8 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| AU-9 | Protection of Audit Information | Protection of Audit Information | P1 | AU-9 | AU-9 | AU-9 | AU-9 | AU-9 | AU-9 |
| AU-10 | Non-repudiation | Non-repudiation | P1 | N/S | N/S | N/S | N/S | N/S | AU-10 |
| AU-11 | Audit Record Retention | Audit Record Retention | P3 | AU-11 | AU-11 | AU-11 | AU-11 | AU-11 | AU-11 |
| AU-12 |  | Audit Generation | P1 |  | AU-12 |  | AU-12 |  | AU-12 |
| AU-12 (1) |  |  |  |  |  |  |  |  | (1) |
| AU-13 |  | Monitoring for Information Disclosure | P0 |  | N/S |  | N/S |  | N/S |
| AU-14 |  | Session Audit | P0 |  | N/S |  | N/S |  | N/S |
| Certification, Accreditation, and Security Assessments / Security Assessment and Authorization |  |  |  |  |  |  |  |  |  |
| CA-1 | Certification, Accreditation, and Security Assessment Policies and Procedures | Security Assessment and Authorization Policies and Procedures | P1 | CA-1 | CA-1 | CA-1 | CA-1 | CA-1 | CA-1 |
| CA-2 | Security Assessments | Security Assessments | P2 | CA-2 | CA-2 | CA-2 | CA-2 | CA-2 | CA-2 |
| CA-2 (1) |  |  |  |  |  |  | (1) |  | (1) |
| CA-2 (2) |  |  |  |  |  |  |  |  | (2) |
| CA-3 | Information System Connections | Information System Connections | P1 | CA-3 | CA-3 | CA-3 | CA-3 | CA-3 | CA-3 |
| CA-4 | Security Certification | Security Certification (Withdrawn) | --- | CA-4 | --- | CA-4 | --- | CA-4 | --- |
| CA-4 (1) |  |  |  |  |  | (1) |  | (1) |  |
| CA-5 | Plan of Action and Milestones | Plan of Action and Milestones | P3 | CA-5 | CA-5 | CA-5 | CA-5 | CA-5 | CA-5 |
| CA-6 | Security Accreditation | Security Authorization | P3 | CA-6 | CA-6 | CA-6 | CA-6 | CA-6 | CA-6 |
| CA-7 | Continuous Monitoring | Continuous Monitoring | P3 | CA-7 | CA-7 | CA-7 | CA-7 | CA-7 | CA-7 |
| Configuration Management |  |  |  |  |  |  |  |  |  |
| CM-1 | Configuration Management Policy and Procedures | Configuration Management Policy and Procedures | P1 | CM-1 | CM-1 | CM-1 | CM-1 | CM-1 | CM-1 |
| CM-2 | Baseline Configuration | Baseline Configuration | P1 | CM-2 | CM-2 | CM-2 | CM-2 | CM-2 | CM-2 |
| CM-2 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| CM-2 (2) |  |  |  |  |  |  |  | (2) | (2) |
| CM-2 (3) |  |  |  |  |  |  | (3) |  | (3) |
| CM-2 (4) |  |  |  |  |  |  | (4) |  |  |
| CM-2 (5) |  |  |  |  |  |  |  |  | (5) |
| CM-2 (6) |  |  |  |  |  |  |  |  | (6) |
| CM-3 | Configuration Change Control | Configuration Change Control | P1 | N/S | N/S | CM-3 | CM-3 | CM-3 | CM-3 |
| CM-3 (1) |  |  |  |  |  |  |  | (1) | (1) |
| CM-3 (2) |  |  |  |  |  |  | (2) |  | (2) |
| CM-4 | Monitoring Configuration Changes | Security Impact Analysis | P2 | N/S | CM-4 | CM-4 | CM-4 | CM-4 | CM-4 |
| CM-4 (1) |  |  |  |  |  |  |  |  | (1) |
| CM-5 | Access Restrictions for Change | Access Restrictions for Change | P1 | N/S | N/S | CM-5 | CM-5 | CM-5 | CM-5 |
| CM-5 (1) |  |  |  |  |  |  |  | (1) | (1) |
| CM-5 (2) |  |  |  |  |  |  |  |  | (2) |
| CM-5 (3) |  |  |  |  |  |  |  |  | (3) |
| CM-6 | Configuration Settings | Configuration Settings | P1 | CM-6 | CM-6 | CM-6 | CM-6 | CM-6 | CM-6 |
| CM-6 (1) |  |  |  |  |  |  |  | (1) | (1) |
| CM-6 (2) |  |  |  |  |  |  |  |  | (2) |
| CM-6 (3) |  |  |  |  |  |  | (3) |  | (3) |
| CM-7 | Least Functionality | Least Functionality | P1 | N/S | CM-7 | CM-7 | CM-7 | CM-7 | CM-7 |
| CM-7 (1) |  |  |  |  |  |  | (1) | (1) | (1) |
| CM-7 (2) |  |  |  |  |  |  |  |  | (2) |
| CM-8 | Information System Component Inventory | Information System Component Inventory | P1 | CM-8 | CM-8 | CM-8 | CM-8 | CM-8 | CM-8 |
| CM-8 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| CM-8 (2) |  |  |  |  |  |  |  | (2) | (2) |
| CM-8 (3) |  |  |  |  |  |  |  |  | (3) |
| CM-8 (4) |  |  |  |  |  |  |  |  | (4) |
| CM-8 (5) |  |  |  |  |  |  | (5) |  | (5) |
| CM-9 |  | Configuration Management Plan | P1 |  | N/S |  | CM-9 |  | CM-9 |
| Contingency Planning |  |  |  |  |  |  |  |  |  |
| CP-1 | Contingency Planning Policy and Procedures | Contingency Planning Policy and Procedures | P1 | CP-1 | CP-1 | CP-1 | CP-1 | CP-1 | CP-1 |
| CP-2 | Contingency Plan | Contingency Plan | P1 | CP-2 | CP-2 | CP-2 | CP-2 | CP-2 | CP-2 |
| CP-2 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| CP-2 (2) |  |  |  |  |  |  |  | (2) | (2) |
| CP-2 (3) |  |  |  |  |  |  |  |  | (3) |
| CP-3 | Contingency Training | Contingency Training | P2 | N/S | CP-3 | CP-3 | CP-3 | CP-3 | CP-3 |
| CP-3 (1) |  |  |  |  |  |  |  | (1) | (1) |
| CP-4 | Contingency Plan Testing and Exercises | Contingency Plan Testing and Exercises | P2 | CP-4 | CP-4 | CP-4 | CP-4 | CP-4 | CP-4 |
| CP-4 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| CP-4 (2) |  |  |  |  |  |  |  | (2) | (2) |
|  |  |  |  |  |  |  |  |  |  |
| CP-4 (4) |  |  |  |  |  |  |  |  | (4) |
| CP-5 | Contingency Plan Update | Contingency Plan Update (Withdrawn) | --- | CP-5 | --- | CP-5 | --- | CP-5 | --- |
| CP-6 | Alternate Storage Site | Alternate Storage Site | P1 | N/S | N/S | CP-6 | CP-6 | CP-6 | CP-6 |
| CP-6 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| CP-6 (2) |  |  |  |  |  |  |  | (2) | (2) |
| CP-6 (3) |  |  |  |  |  | (3) | (3) | (3) | (3) |
| CP-7 | Alternate Processing Site | Alternate Processing Site | P1 | N/S | N/S | CP-7 | CP-7 | CP-7 | CP-7 |
| CP-7 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| CP-7 (2) |  |  |  |  |  | (2) | (2) | (2) | (2) |
| CP-7 (3) |  |  |  |  |  | (3) | (3) | (3) | (3) |
| CP-7 (4) |  |  |  |  |  |  |  | (4) | (4) |
| CP-7 (5) |  |  |  |  |  |  | (5) |  | (5) |
| CP-8 | Telecommunications Services | Telecommunications Services | P1 | N/S | N/S | CP-8 | CP-8 | CP-8 | CP-8 |
| CP-8 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| CP-8 (2) |  |  |  |  |  | (2) | (2) | (2) | (2) |
| CP-8 (3) |  |  |  |  |  |  |  | (3) | (3) |
| CP-8 (4) |  |  |  |  |  |  |  | (4) | (4) |
| CP-9 | Information System Backup | Information System Backup | P1 | CP-9 | CP-9 | CP-9 | CP-9 | CP-9 | CP-9 |
| CP-9 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| CP-9 (2) |  |  |  |  |  |  |  | (2) | (2) |
| CP-9 (3) |  |  |  |  |  |  |  | (3) | (3) |
| CP-9 (4) |  |  |  |  |  | (4) |  | (4) |  |
| CP-10 | Information System Recovery and Reconstitution | Information System Recovery and Reconstitution | P1 | CP-10 | CP-10 | CP-10 | CP-10 | CP-10 | CP-10 |
| CP-10 (1) |  |  |  |  |  |  |  | (1) |  |
| CP-10 (2) |  |  |  |  |  |  | (2) |  | (2) |
| CP-10 (3) |  |  |  |  |  |  | (3) |  | (3) |
| CP-10 (4) |  |  |  |  |  |  |  |  | (4) |
| Identification and Authentication |  |  |  |  |  |  |  |  |  |
| IA-1 | Identification and Authentication Policy and Procedures | Identification and Authentication Policy and Procedures | P1 | IA-1 | IA-1 | IA-1 | IA-1 | IA-1 | IA-1 |
| IA-2 | User Identification and Authentication | Identification and Authentication (Organizational Users) | P1 | IA-2 | IA-2 | IA-2 | IA-2 | IA-2 | IA-2 |
| IA-2 (1) |  |  |  |  | (1) | (1) | (1) |  | (1) |
| IA-2 (2) |  |  |  |  |  |  | (2) | (2) | (2) |
| IA-2 (3) |  |  |  |  |  |  | (3) | (3) | (3) |
| IA-2 (4) |  |  |  |  |  |  |  |  | (4) |
|  |  |  |  |  |  |  |  |  |  |
|  |  |  |  |  |  |  |  |  |  |
|  |  |  |  |  |  |  |  |  |  |
| IA-2 (8) |  |  |  |  |  |  | (8) |  | (8) |
| IA-2 (9) |  |  |  |  |  |  |  |  | (9) |
| IA-3 | Device Identification and Authentication | Device Identification and Authentication | P1 | N/S | N/S | IA-3 | IA-3 | IA-3 | IA-3 |
| IA-4 | Identifier Management | Identifier Management | P1 | IA-4 | IA-4 | IA-4 | IA-4 | IA-4 | IA-4 |
| IA-5 | Authenticator Management | Authenticator Management | P1 | IA-5 | IA-5 | IA-5 | IA-5 | IA-5 | IA-5 |
| IA-5 (1) |  |  |  |  | (1) |  | (1) |  | (1) |
| IA-5 (2) |  |  |  |  |  |  | (2) |  | (2) |
| IA-5 (3) |  |  |  |  |  |  | (3) |  | (3) |
| IA-6 | Authenticator Feedback | Authenticator Feedback | P1 | IA-6 | IA-6 | IA-6 | IA-6 | IA-6 | IA-6 |
| IA-7 | Cryptographic Module Authentication | Cryptographic Module Authentication | P1 | IA-7 | IA-7 | IA-7 | IA-7 | IA-7 | IA-7 |
| IA-8 |  | Identification and Authentication (Non-Organizational Users) | P1 |  | IA-8 |  | IA-8 |  | IA-8 |
| Incident Response |  |  |  |  |  |  |  |  |  |
| IR-1 | Incident Response Policy and Procedures | Incident Response Policy and Procedures | P1 | IR-1 | IR-1 | IR-1 | IR-1 | IR-1 | IR-1 |
| IR-2 | Incident Response Training | Incident Response Training | P2 | N/S | IR-2 | IR-2 | IR-2 | IR-2 | IR-2 |
| IR-2 (1) |  |  |  |  |  |  |  | (1) | (1) |
| IR-2 (2) |  |  |  |  |  |  |  |  | (2) |
| IR-3 | Incident Response Testing and Exercises | Incident Response Testing and Exercises | P2 | N/S | N/S | IR-3 | IR-3 | IR-3 | IR-3 |
| IR-3 (1) |  |  |  |  |  |  |  | (1) | (1) |
| IR-4 | Incident Handling | Incident Handling | P1 | IR-4 | IR-4 | IR-4 | IR-4 | IR-4 | IR-4 |
| IR-4 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| IR-5 | Incident Monitoring | Incident Monitoring | P1 | N/S | IR-5 | IR-5 | IR-5 | IR-5 | IR-5 |
| IR-5 (1) |  |  |  |  |  |  |  | (1) | (1) |
| IR-6 | Incident Reporting | Incident Reporting | P1 | IR-6 | IR-6 | IR-6 | IR-6 | IR-6 | IR-6 |
| IR-6 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| IR-7 | Incident Response Assistance | Incident Response Assistance | P3 | IR-7 | IR-7 | IR-7 | IR-7 | IR-7 | IR-7 |
| IR-7 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| IR-8 |  | Incident Response Plan | P1 |  | IR-8 |  | IR-8 |  | IR-8 |
| Maintenance |  |  |  |  |  |  |  |  |  |
| MA-1 | System Maintenance Policy and Procedures | System Maintenance Policy and Procedures | P1 | MA-1 | MA-1 | MA-1 | MA-1 | MA-1 | MA-1 |
| MA-2 | Controlled Maintenance | Controlled Maintenance | P2 | MA-2 | MA-2 | MA-2 | MA-2 | MA-2 | MA-2 |
| MA-2 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| MA-2 (2) |  |  |  |  |  |  |  | (2) | (2) |
| MA-3 | Maintenance Tools | Maintenance Tools | P2 | N/S | N/S | MA-3 | MA-3 | MA-3 | MA-3 |
| MA-3 (1) |  |  |  |  |  |  | (1) | (1) | (1) |
| MA-3 (2) |  |  |  |  |  |  | (2) | (2) | (2) |
| MA-3 (3) |  |  |  |  |  |  |  | (3) | (3) |
| MA-4 | Remote Maintenance | Non-Local Maintenance | P1 | MA-4 | MA-4 | MA-4 | MA-4 | MA-4 | MA-4 |
| MA-4 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| MA-4 (2) |  |  |  |  |  | (2) | (2) | (2) | (2) |
| MA-4 (3) |  |  |  |  |  |  |  | (3) | (3) |
| MA-5 | Maintenance Personnel | Maintenance Personnel | P1 | MA-5 | MA-5 | MA-5 | MA-5 | MA-5 | MA-5 |
| MA-6 | Timely Maintenance | Timely Maintenance | P1 | N/S | N/S | MA-6 | MA-6 | MA-6 | MA-6 |
| Media Protection |  |  |  |  |  |  |  |  |  |
| MP-1 | Media Protection Policy and Procedures | Media Protection Policy and Procedures | P1 | MP-1 | MP-1 | MP-1 | MP-1 | MP-1 | MP-1 |
| MP-2 | Media Access | Media Access | P1 | MP-2 | MP-2 | MP-2 | MP-2 | MP-2 | MP-2 |
| MP-2 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| MP-3 | Media Labeling | Media Marking | P1 | N/S | N/S | N/S | MP-3 | MP-3 | MP-3 |
| MP-4 | Media Storage | Media Storage | P1 | N/S | N/S | MP-4 | MP-4 | MP-4 | MP-4 |
| MP-5 | Media Transport | Media Transport | P1 | N/S | N/S | MP-5 | MP-5 | MP-5 | MP-5 |
| MP-5 (1) |  |  |  |  |  | (1) |  | (1) |  |
| MP-5 (2) |  |  |  |  |  | (2) | (2) | (2) | (2) |
| MP-5 (3) |  |  |  |  |  |  |  | (3) | (3) |
| MP-5 (4) |  |  |  |  |  |  | (4) |  | (4) |
| MP-6 | Media Sanitization and Disposal | Media Sanitization | P1 | MP-6 | MP-6 | MP-6 | MP-6 | MP-6 | MP-6 |
| MP-6 (1) |  |  |  |  |  |  |  | (1) | (1) |
| MP-6 (2) |  |  |  |  |  |  |  | (2) | (2) |
| MP-6 (3) |  |  |  |  |  |  |  |  | (3) |
| Physical and Environmental Protection |  |  |  |  |  |  |  |  |  |
| PE-1 | Physical and Environmental Protection Policy and Procedures | Physical and Environmental Protection Policy and Procedures | P1 | PE-1 | PE-1 | PE-1 | PE-1 | PE-1 | PE-1 |
| PE-2 | Physical Access Authorizations | Physical Access Authorizations | P1 | PE-2 | PE-2 | PE-2 | PE-2 | PE-2 | PE-2 |
| PE-3 | Physical Access Control | Physical Access Control | P1 | PE-3 | PE-3 | PE-3 | PE-3 | PE-3 | PE-3 |
| PE-3 (1) |  |  |  |  |  |  |  | (1) | (1) |
| PE-4 | Access Control for Transmission Medium | Access Control for Transmission Medium | P1 | N/S | N/S | N/S | PE-4 | PE-4 | PE-4 |
| PE-5 | Access Control for Display Medium | Access Control for Output Devices | P1 | N/S | N/S | PE-5 | PE-5 | PE-5 | PE-5 |
| PE-6 | Monitoring Physical Access | Monitoring Physical Access | P1 | PE-6 | PE-6 | PE-6 | PE-6 | PE-6 | PE-6 |
| PE-6 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| PE-6 (2) |  |  |  |  |  |  |  | (2) | (2) |
| PE-7 | Visitor Control | Visitor Control | P1 | PE-7 | PE-7 | PE-7 | PE-7 | PE-7 | PE-7 |
| PE-7 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| PE-8 | Access Records | Access Records | P3 | PE-8 | PE-8 | PE-8 | PE-8 | PE-8 | PE-8 |
| PE-8 (1) |  |  |  |  |  |  |  | (1) | (1) |
| PE-8 (2) |  |  |  |  |  |  |  | (2) | (2) |
| PE-9 | Power Equipment and Power Cabling | Power Equipment and Power Cabling | P1 | N/S | N/S | PE-9 | PE-9 | PE-9 | PE-9 |
| PE-10 | Emergency Shutoff | Emergency Shutoff | P1 | N/S | N/S | PE-10 | PE-10 | PE-10 | PE-10 |
| PE-10 (1) |  |  |  |  |  |  |  | (1) |  |
| PE-11 | Emergency Power | Emergency Power | P1 | N/S | N/S | PE-11 | PE-11 | PE-11 | PE-11 |
| PE-11 (1) |  |  |  |  |  |  |  | (1) | (1) |
| PE-12 | Emergency Lighting | Emergency Lighting | P1 | PE-12 | PE-12 | PE-12 | PE-12 | PE-12 | PE-12 |
| PE-13 | Fire Protection | Fire Protection | P1 | PE-13 | PE-13 | PE-13 | PE-13 | PE-13 | PE-13 |
| PE-13 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| PE-13 (2) |  |  |  |  |  | (2) | (2) | (2) | (2) |
| PE-13 (3) |  |  |  |  |  | (3) | (3) | (3) | (3) |
| PE-14 | Temperature and Humidity Controls | Temperature and Humidity Controls | P1 | PE-14 | PE-14 | PE-14 | PE-14 | PE-14 | PE-14 |
| PE-15 | Water Damage Protection | Water Damage Protection | P1 | PE-15 | PE-15 | PE-15 | PE-15 | PE-15 | PE-15 |
| PE-15 (1) |  |  |  |  |  |  |  | (1) | (1) |
| PE-16 | Delivery and Removal | Delivery and Removal | P1 | PE-16 | PE-16 | PE-16 | PE-16 | PE-16 | PE-16 |
| PE-17 | Alternate Work Site | Alternate Work Site | P1 | N/S | N/S | PE-17 | PE-17 | PE-17 | PE-17 |
| PE-18 | Location of Information System Components | Location of Information System Components | P2 | N/S | N/S | PE-18 | PE-18 | PE-18 | PE-18 |
| PE-18 (1) |  |  |  |  |  |  |  | (1) | (1) |
| PE-19 | Information Leakage | Information Leakage | P0 | N/S | N/S | N/S | N/S | N/S | N/S |
| Planning |  |  |  |  |  |  |  |  |  |
| PL-1 | Security Planning Policy and Procedures | Security Planning Policy and Procedures | P1 | PL-1 | PL-1 | PL-1 | PL-1 | PL-1 | PL-1 |
| PL-2 | System Security Plan | System Security Plan | P1 | PL-2 | PL-2 | PL-2 | PL-2 | PL-2 | PL-2 |
| PL-3 | System Security Plan Update | System Security Plan Update (Withdrawn) | --- | PL-3 | --- | PL-3 | --- | PL-3 | --- |
| PL-4 | Rules of Behavior | Rules of Behavior | P1 | PL-4 | PL-4 | PL-4 | PL-4 | PL-4 | PL-4 |
| PL-5 | Privacy Impact Assessment | Privacy Impact Assessment | P1 | PL-5 | PL-5 | PL-5 | PL-5 | PL-5 | PL-5 |
| PL-6 | Security-Related Activity Planning | Security-Related Activity Planning | P3 | N/S | N/S | PL-6 | PL-6 | PL-6 | PL-6 |
| Personnel Security |  |  |  |  |  |  |  |  |  |
| PS-1 | Personnel Security Policy and Procedures | Personnel Security Policy and Procedures | P1 | PS-1 | PS-1 | PS-1 | PS-1 | PS-1 | PS-1 |
| PS-2 | Position Categorization | Position Categorization | P1 | PS-2 | PS-2 | PS-2 | PS-2 | PS-2 | PS-2 |
| PS-3 | Personnel Screening | Personnel Screening | P1 | PS-3 | PS-3 | PS-3 | PS-3 | PS-3 | PS-3 |
| PS-4 | Personnel Termination | Personnel Termination | P2 | PS-4 | PS-4 | PS-4 | PS-4 | PS-4 | PS-4 |
| PS-5 | Personnel Transfer | Personnel Transfer | P2 | PS-5 | PS-5 | PS-5 | PS-5 | PS-5 | PS-5 |
| PS-6 | Access Agreements | Access Agreements | P3 | PS-6 | PS-6 | PS-6 | PS-6 | PS-6 | PS-6 |
| PS-7 | Third-Party Personnel Security | Third-Party Personnel Security | P1 | PS-7 | PS-7 | PS-7 | PS-7 | PS-7 | PS-7 |
| PS-8 | Personnel Sanctions | Personnel Sanctions | P3 | PS-8 | PS-8 | PS-8 | PS-8 | PS-8 | PS-8 |
| Risk Assessment |  |  |  |  |  |  |  |  |  |
| RA-1 | Risk Assessment Policy and Procedures | Risk Assessment Policy and Procedures | P1 | RA-1 | RA-1 | RA-1 | RA-1 | RA-1 | RA-1 |
| RA-2 | Security Categorization | Security Categorization | P1 | RA-2 | RA-2 | RA-2 | RA-2 | RA-2 | RA-2 |
| RA-3 | Risk Assessment | Risk Assessment | P1 | RA-3 | RA-3 | RA-3 | RA-3 | RA-3 | RA-3 |
| RA-4 | Risk Assessment Update | Risk Assessment Update (Withdrawn) | --- | RA-4 | --- | RA-4 | --- | RA-4 | --- |
| RA-5 | Vulnerability Scanning | Vulnerability Scanning | P1 | N/S | RA-5 | RA-5 | RA-5 | RA-5 | RA-5 |
| RA-5 (1) |  |  |  |  |  |  | (1) | (1) | (1) |
| RA-5 (2) |  |  |  |  |  |  |  | (2) | (2) |
| RA-5 (3) |  |  |  |  |  |  |  |  | (3) |
| RA-5 (4) |  |  |  |  |  |  |  |  | (4) |
| RA-5 (5) |  |  |  |  |  |  |  |  | (5) |
|  |  |  |  |  |  |  |  |  |  |
| RA-5 (7) |  |  |  |  |  |  |  |  | (7) |
| System and Services Acquisition |  |  |  |  |  |  |  |  |  |
| SA-1 | System and Services Acquisition Policy and Procedures | System and Services Acquisition Policy and Procedures | P1 | SA-1 | SA-1 | SA-1 | SA-1 | SA-1 | SA-1 |
| SA-2 | Allocation of Resources | Allocation of Resources | P1 | SA-2 | SA-2 | SA-2 | SA-2 | SA-2 | SA-2 |
| SA-3 | Life Cycle Support | Life Cycle Support | P1 | SA-3 | SA-3 | SA-3 | SA-3 | SA-3 | SA-3 |
| SA-4 | Acquisitions | Acquisitions | P1 | SA-4 | SA-4 | SA-4 | SA-4 | SA-4 | SA-4 |
| SA-4 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| SA-4 (2) |  |  |  |  |  |  |  |  | (2) |
|  |  |  |  |  |  |  |  |  |  |
| SA-4 (4) |  |  |  |  |  |  | (4) |  | (4) |
| SA-5 | Information System Documentation | Information System Documentation | P2 | SA-5 | SA-5 | SA-5 | SA-5 | SA-5 | SA-5 |
| SA-5 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| SA-5 (2) |  |  |  |  |  |  |  | (2) | (2) |
| SA-5 (3) |  |  |  |  |  |  | (3) |  | (3) |
| SA-6 | Software Usage Restrictions | Software Usage Restrictions | P1 | SA-6 | SA-6 | SA-6 | SA-6 | SA-6 | SA-6 |
| SA-7 | User Installed Software | User-Installed Software | P1 | SA-7 | SA-7 | SA-7 | SA-7 | SA-7 | SA-7 |
| SA-8 | Security Engineering Principles | Security Engineering Principles | P1 | N/S | N/S | SA-8 | SA-8 | SA-8 | SA-8 |
| SA-9 | External Information System Services | External Information System Services | P1 | SA-9 | SA-9 | SA-9 | SA-9 | SA-9 | SA-9 |
| SA-10 | Developer Configuration Management | Developer Configuration Management | P1 | N/S | N/S | N/S | SA-10 | SA-10 | SA-10 |
| SA-11 | Developer Security Testing | Developer Security Testing | P2 | N/S | N/S | SA-11 | SA-11 | SA-11 | SA-11 |
| SA-12 |  | Supply Chain Protection | P1 |  | N/S |  | N/S |  | SA-12 |
| SA-13 |  | Trustworthiness | P1 |  | N/S |  | N/S |  | SA-13 |
| SA-14 |  | Critical Information System Components | P0 |  | N/S |  | N/S |  | N/S |
| System and Communications Protection |  |  |  |  |  |  |  |  |  |
| SC-1 | System and Communications Protection Policy and Procedures | System and Communications Protection Policy and Procedures | P1 | SC-1 | SC-1 | SC-1 | SC-1 | SC-1 | SC-1 |
| SC-2 | Application Partitioning | Application Partitioning | P1 | N/S | N/S | SC-2 | SC-2 | SC-2 | SC-2 |
| SC-3 | Security Function Isolation | Security Function Isolation | P1 | N/S | N/S | N/S | N/S | SC-3 | SC-3 |
| SC-4 | Information Remnance | Information in Shared Resources | P1 | N/S | N/S | SC-4 | SC-4 | SC-4 | SC-4 |
| SC-5 | Denial of Service Protection | Denial of Service Protection | P1 | SC-5 | SC-5 | SC-5 | SC-5 | SC-5 | SC-5 |
| SC-6 | Resource Priority | Resource Priority | P0 | N/S | N/S | N/S | N/S | N/S | N/S |
| SC-7 | Boundary Protection | Boundary Protection | P1 | SC-7 | SC-7 | SC-7 | SC-7 | SC-7 | SC-7 |
| SC-7 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| SC-7 (2) |  |  |  |  |  | (2) | (2) | (2) | (2) |
| SC-7 (3) |  |  |  |  |  | (3) | (3) | (3) | (3) |
| SC-7 (4) |  |  |  |  |  | (4) | (4) | (4) | (4) |
| SC-7 (5) |  |  |  |  |  | (5) | (5) | (5) | (5) |
| SC-7 (6) |  |  |  |  |  |  |  | (6) | (6) |
| SC-7 (7) |  |  |  |  |  |  | (7) |  | (7) |
| SC-7 (8) |  |  |  |  |  |  |  |  | (8) |
| SC-8 | Transmission Integrity | Transmission Integrity | P1 | N/S | N/S | SC-8 | SC-8 | SC-8 | SC-8 |
| SC-8 (1) |  |  |  |  |  |  | (1) | (1) | (1) |
| SC-9 | Transmission Confidentiality | Transmission Confidentiality | P1 | N/S | N/S | SC-9 | SC-9 | SC-9 | SC-9 |
| SC-9 (1) |  |  |  |  |  |  | (1) | (1) | (1) |
| SC-10 | Network Disconnect | Network Disconnect | P2 | N/S | N/S | SC-10 | SC-10 | SC-10 | SC-10 |
| SC-11 | Trusted Path | Trusted Path | P0 | N/S | N/S | N/S | N/S | N/S | N/S |
| SC-12 | Cryptographic Key Establishment and Management | Cryptographic Key Establishment and Management | P1 | N/S | SC-12 | SC-12 | SC-12 | SC-12 | SC-12 |
| SC-12 (1) |  |  |  |  |  |  |  |  | (1) |
| SC-13 | Use of Cryptography | Use of Cryptography | P1 | SC-13 | SC-13 | SC-13 | SC-13 | SC-13 | SC-13 |
| SC-14 | Public Access Protections | Public Access Protections | P1 | SC-14 | SC-14 | SC-14 | SC-14 | SC-14 | SC-14 |
| SC-15 | Collaborative Computing | Collaborative Computing Devices | P1 | N/S | SC-15 | SC-15 | SC-15 | SC-15 | SC-15 |
| SC-16 | Transmission of Security Parameters | Transmission of Security Attributes | P0 | N/S | N/S | N/S | N/S | N/S | N/S |
| SC-17 | Public Key Infrastructure Certificates | Public Key Infrastructure Certificates | P1 | N/S | N/S | SC-17 | SC-17 | SC-17 | SC-17 |
| SC-18 | Mobile Code | Mobile Code | P1 | N/S | N/S | SC-18 | SC-18 | SC-18 | SC-18 |
| SC-19 | Voice Over Internet Protocol | Voice Over Internet Protocol | P1 | N/S | N/S | SC-19 | SC-19 | SC-19 | SC-19 |
| SC-20 | Secure Name /Address Resolution Service (Authoritative Source) | Secure Name /Address Resolution Service (Authoritative Source) | P1 | N/S | SC-20 | SC-20 | SC-20 | SC-20 | SC-20 |
| SC-20 (1) |  |  |  |  | (1) |  | (1) |  | (1) |
| SC-21 | Secure Name /Address Resolution Service (Recursive or Caching Resolver) | Secure Name /Address Resolution Service (Recursive or Caching Resolver) | P1 | N/S | N/S | N/S | N/S | SC-21 | SC-21 |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | Architecture and Provisioning for Name/Address Resolution Service | P1 | N/S | N/S | SC-22 | SC-22 | SC-22 | SC-22 |
| SC-23 | Session Authenticity | Session Authenticity | P1 | N/S | N/S | SC-23 | SC-23 | SC-23 | SC-23 |
| SC-24 |  | Fail in Known State | P1 |  | N/S |  | N/S |  | SC-24 |
| SC-25 |  | Thin Nodes | P0 |  | N/S |  | N/S |  | N/S |
| SC-26 |  | Honeypots | P0 |  | N/S |  | N/S |  | N/S |
| SC-27 |  | Operating System-Independent Applications | P0 |  | N/S |  | N/S |  | N/S |
| SC-28 |  | Protection of Information at Rest | P1 |  | N/S |  | SC-28 |  | SC-28 |
| SC-29 |  | Heterogeneity | P0 |  | N/S |  | N/S |  | N/S |
| SC-30 |  | Virtualization Techniques | P0 |  | N/S |  | N/S |  | N/S |
| SC-31 |  | Covert Channel Analysis | P0 |  | N/S |  | N/S |  | N/S |
| SC-32 |  | Information System Partitioning | P1 |  | N/S |  | SC-32 |  | SC-32 |
| SC-33 |  | Transmission Preparation Integrity | P0 |  | N/S |  | N/S |  | N/S |
| SC-34 |  | Non-Modifiable Executable Programs | P0 |  | N/S |  | N/S |  | N/S |
| System and Information Integrity |  |  |  |  |  |  |  |  |  |
| SI-1 | System and Information Integrity Policy and Procedures | System and Information Integrity Policy and Procedures | P1 | SI-1 | SI-1 | SI-1 | SI-1 | SI-1 | SI-1 |
| SI-2 | Flaw Remediation | Flaw Remediation | P1 | SI-2 | SI-2 | SI-2 | SI-2 | SI-2 | SI-2 |
| SI-2 (1) |  |  |  |  |  |  |  | (1) | (1) |
| SI-2 (2) |  |  |  |  |  | (2) | (2) | (2) | (2) |
| SI-3 | Malicious Code Protection | Malicious Code Protection | P1 | SI-3 | SI-3 | SI-3 | SI-3 | SI-3 | SI-3 |
| SI-3 (1) |  |  |  |  |  | (1) | (1) | (1) | (1) |
| SI-3 (2) |  |  |  |  |  | (2) | (2) | (2) | (2) |
| SI-3 (3) |  |  |  |  |  |  | (3) |  | (3) |
| SI-4 | Information System Monitoring Tools and Techniques | Information System Monitoring | P1 | N/S | N/S | SI-4 | SI-4 | SI-4 | SI-4 |
|  |  |  |  |  |  |  |  |  |  |
| SI-4 (2) |  |  |  |  |  |  | (2) | (2) | (2) |
|  |  |  |  |  |  |  |  |  |  |
| SI-4 (4) |  |  |  |  |  | (4) | (4) | (4) | (4) |
| SI-4 (5) |  |  |  |  |  |  | (5) | (5) | (5) |
| SI-4 (6) |  |  |  |  |  |  | (6) |  | (6) |
| SI-5 | Security Alerts and Advisories | Security Alerts, Advisories, and Directives | P1 | SI-5 | SI-5 | SI-5 | SI-5 | SI-5 | SI-5 |
| SI-5 (1) |  |  |  |  |  |  |  | (1) | (1) |
| SI-6 | Security Functionality Verification | Security Functionality Verification | P1 | N/S | N/S | N/S | N/S | SI-6 | SI-6 |
| SI-7 | Software and Information Integrity | Software and Information Integrity | P1 | N/S | N/S | N/S | SI-7 | SI-7 | SI-7 |
| SI-7 (1) |  |  |  |  |  |  | (1) | (1) | (1) |
| SI-7 (2) |  |  |  |  |  |  |  | (2) | (2) |
| SI-8 | Spam Protection | Spam Protection | P1 | N/S | N/S | SI-8 | SI-8 | SI-8 | SI-8 |
| SI-8 (1) |  |  |  |  |  |  |  | (1) | (1) |
| SI-9 | Information Input Restrictions | Information Input Restrictions | P2 | N/S | N/S | SI-9 | SI-9 | SI-9 | SI-9 |
| SI-10 | Information Accuracy, Completeness, Validity, and Authenticity | Information Input Validation | P1 | N/S | N/S | SI-10 | SI-10 | SI-10 | SI-10 |
| SI-11 | Error Handling | Error Handling | P2 | N/S | N/S | SI-11 | SI-11 | SI-11 | SI-11 |
| SI-12 | Information Output Handling and Retention | Information Output Handling and Retention | P2 | N/S | SI-12 | SI-12 | SI-12 | SI-12 | SI-12 |
| SI-13 |  | Predictable Failure Prevention | P0 |  | N/S |  | N/S |  | N/S |
| Program Management |  |  |  |  |  |  |  |  |  |
| PM-1 |  | Information Security Program Plan | P1 |  | Deployed organization-wide, supporting all baselines |  |  |  |  |
| PM-2 |  | Senior Information Security Officer | P1 |  |  |  |  |  |  |
| PM-3 |  | Information Security Resources | P1 |  |  |  |  |  |  |
| PM-4 |  | Plan of Action and Milestones Process | P1 |  |  |  |  |  |  |
| PM-5 |  | Information System Inventory | P1 |  |  |  |  |  |  |
| PM-6 |  | Information Security Measures of Performance | P1 |  |  |  |  |  |  |
| PM-7 |  | Enterprise Architecture | P1 |  |  |  |  |  |  |
| PM-8 |  | Critical Infrastructure Plan | P1 |  |  |  |  |  |  |
| PM-9 |  | Risk Management Strategy | P1 |  |  |  |  |  |  |
| PM-10 |  | Security Authorization Process | P1 |  |  |  |  |  |  |
| PM-11 |  | Mission/Business Process Definition | P1 |  |  |  |  |  |  |

Enhancement rows are listed beneath their parent control; an enhancement row with no entry in any baseline column is an enhancement that is not selected in either revision. In the Program Management family, the "Deployed organization-wide, supporting all baselines" entry applies to every PM control.