controls.md

• AC: Access Control
  • AC-1: Policy and Procedures
  • AC-2: Account Management
  • AC-3: Access Enforcement
  • AC-3 (14): Individual Access
  • AC-7: Unsuccessful Logon Attempts
  • AC-8: System Use Notification
  • AC-14: Permitted Actions Without Identification or Authentication
  • AC-17: Remote Access
  • AC-18: Wireless Access
  • AC-19: Access Control for Mobile Devices
  • AC-20: Use of External Systems
  • AC-21: Information Sharing
  • AC-22: Publicly Accessible Content
• AT: Awareness And Training
  • AT-1: Policy and Procedures
  • AT-2: Literacy Training and Awareness
  • AT-2 (2): Insider Threat
  • AT-3: Role-based Training
  • AT-3 (5): Processing Personally Identifiable Information
  • AT-4: Training Records
• AU: Audit And Accountability
  • AU-1: Policy and Procedures
  • AU-2: Event Logging
  • AU-3: Content of Audit Records
  • AU-4: Audit Log Storage Capacity
  • AU-5: Response to Audit Logging Process Failures
  • AU-6: Audit Record Review, Analysis, and Reporting
  • AU-8: Time Stamps
  • AU-9: Protection of Audit Information
  • AU-11: Audit Record Retention
  • AU-12: Audit Record Generation
• CA: Assessment Authorization And Monitoring
  • CA-1: Policy and Procedures
  • CA-2: Control Assessments
  • CA-3: Information Exchange
  • CA-5: Plan of Action and Milestones
  • CA-6: Authorization
  • CA-7: Continuous Monitoring
  • CA-7 (4): Risk Monitoring
  • CA-9: Internal System Connections
• CM: Configuration Management
  • CM-1: Policy and Procedures
  • CM-2: Baseline Configuration
  • CM-4: Impact Analyses
  • CM-5: Access Restrictions for Change
  • CM-6: Configuration Settings
  • CM-7: Least Functionality
  • CM-8: System Component Inventory
  • CM-10: Software Usage Restrictions
  • CM-11: User-installed Software
• CP: Contingency Planning
  • CP-1: Policy and Procedures
  • CP-2: Contingency Plan
  • CP-3: Contingency Training
  • CP-4: Contingency Plan Testing
  • CP-9: System Backup
  • CP-10: System Recovery and Reconstitution
• IA: Identification And Authentication
  • IA-1: Policy and Procedures
  • IA-2: Identification and Authentication (organizational Users)
  • IA-2 (1): Multi-factor Authentication to Privileged Accounts
  • IA-2 (2): Multi-factor Authentication to Non-privileged Accounts
  • IA-2 (8): Access to Accounts — Replay Resistant
  • IA-2 (12): Acceptance of PIV Credentials
  • IA-4: Identifier Management
  • IA-5: Authenticator Management
  • IA-5 (1): Password-based Authentication
  • IA-6: Authentication Feedback
  • IA-7: Cryptographic Module Authentication
  • IA-8: Identification and Authentication (non-organizational Users)
  • IA-8 (1): Acceptance of PIV Credentials from Other Agencies
  • IA-8 (2): Acceptance of External Authenticators
  • IA-8 (4): Use of Defined Profiles
  • IA-11: Re-authentication
• IR: Incident Response
  • IR-1: Policy and Procedures
  • IR-2: Incident Response Training
  • IR-4: Incident Handling
  • IR-5: Incident Monitoring
  • IR-6: Incident Reporting
  • IR-7: Incident Response Assistance
  • IR-8: Incident Response Plan
• MA: Maintenance
  • MA-1: Policy and Procedures
  • MA-2: Controlled Maintenance
  • MA-4: Nonlocal Maintenance
  • MA-5: Maintenance Personnel
• MP: Media Protection
  • MP-1: Policy and Procedures
  • MP-2: Media Access
  • MP-6: Media Sanitization
  • MP-7: Media Use
• PE: Physical And Environmental Protection
  • PE-1: Policy and Procedures
  • PE-2: Physical Access Authorizations
  • PE-3: Physical Access Control
  • PE-6: Monitoring Physical Access
  • PE-8: Visitor Access Records
  • PE-12: Emergency Lighting
  • PE-13: Fire Protection
  • PE-14: Environmental Controls
  • PE-15: Water Damage Protection
  • PE-16: Delivery and Removal
• PL: Planning
  • PL-1: Policy and Procedures
  • PL-2: System Security and Privacy Plans
  • PL-4: Rules of Behavior
  • PL-4 (1): Social Media and External Site/application Usage Restrictions
  • PL-10: Baseline Selection
  • PL-11: Baseline Tailoring
• PS: Personnel Security
  • PS-1: Policy and Procedures
  • PS-2: Position Risk Designation
  • PS-3: Personnel Screening
  • PS-4: Personnel Termination
  • PS-5: Personnel Transfer
  • PS-6: Access Agreements
  • PS-7: External Personnel Security
  • PS-8: Personnel Sanctions
  • PS-9: Position Descriptions
• RA: Risk Assessment
  • RA-1: Policy and Procedures
  • RA-2: Security Categorization
  • RA-3: Risk Assessment
  • RA-3 (1): Supply Chain Risk Assessment
  • RA-5: Vulnerability Monitoring and Scanning
  • RA-5 (2): Update Vulnerabilities to Be Scanned
  • RA-5 (11): Public Disclosure Program
  • RA-7: Risk Response
• SA: System And Services Acquisition
  • SA-1: Policy and Procedures
  • SA-2: Allocation of Resources
  • SA-3: System Development Life Cycle
  • SA-4: Acquisition Process
  • SA-4 (10): Use of Approved PIV Products
  • SA-5: System Documentation
  • SA-8: Security and Privacy Engineering Principles
  • SA-8 (33): Minimization
  • SA-9: External System Services
• SC: System And Communications Protection
  • SC-1: Policy and Procedures
  • SC-5: Denial-of-service Protection
  • SC-7: Boundary Protection
  • SC-12: Cryptographic Key Establishment and Management
  • SC-13: Cryptographic Protection
  • SC-15: Collaborative Computing Devices and Applications
  • SC-20: Secure Name/address Resolution Service (authoritative Source)
  • SC-21: Secure Name/address Resolution Service (recursive or Caching Resolver)
  • SC-22: Architecture and Provisioning for Name/address Resolution Service
  • SC-39: Process Isolation
• SI: System And Information Integrity
  • SI-1: Policy and Procedures
  • SI-2: Flaw Remediation
  • SI-3: Malicious Code Protection
  • SI-4: System Monitoring
  • SI-5: Security Alerts, Advisories, and Directives
  • SI-12: Information Management and Retention
  • SI-12 (1): Limit Personally Identifiable Information Elements
  • SI-12 (2): Minimize Personally Identifiable Information in Testing, Training, and Research
  • SI-12 (3): Information Disposal
  • SI-18: Personally Identifiable Information Quality Operations