Major Enhancements to NIST SP 800-53 Revision 4

BD Pro

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP 800-53 states:

"The proposed changes included in Revision 4 are directly linked to the current state of the threat space (i.e., capabilities, intentions, and targeting activities of adversaries) and the attack data collected and analyzed over a substantial time period. In particular, the major changes in Revision 4 include: New security controls and control enhancements; Clarification of security control requirements and specification language; New tailoring guidance including the introduction of overlays; Additional supplemental guidance for security controls and enhancements; New privacy controls and implementation guidance; Updated security control baselines; New summary tables for security controls to facilitate ease-of-use; and Revised minimum assurance requirements and designated assurance controls. Many of the changes were driven by particular cyber security issues and challenges requiring greater attention including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT)."

With the introduction of Revision 4, the total number of controls in SP 800-53 has increased by about 22%.

The earlier August 2009 SP 800-53 Revision 3 set of security controls has been leveraged in various third party security guidance documents, such as the following:

- SANS Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG) Version 3.1, Oct 11. (The SANS 20 critical control areas (and 179 detailed security controls) are mapped to SP 800-53 Rev 3 "Priority 1" security controls.)
- CSEC Guide to Managing Security Risks from Using Information Systems, Security Control Catalogue, ITSG-33 Annex 3, final draft, 31 Mar 11. (The ITSG-33 catalogue includes all SP 800-53 Rev 3 security controls plus another 20 CSEC unique controls in the AC, CP, IA, IR, PE, SA and SC control areas. Annex 4 includes profiles and guidance for selecting these controls for Protected-A, Protected-B and Secret system implementations.)
- Cloud Security Alliance, Cloud Controls Matrix (CCM) Release 1.2. (The CCM controls are mapped to SP 800-53 Rev 3 security controls.)
- US Federal Risk and Authorization Management Program (FedRAMP) Security Controls Baseline, Version 1.1. (The FedRAMP Security Controls Baseline for Cloud Computing uses controls selected from SP 800-53 Rev 3.)
- Security Categorization and Control Selection for National Security Systems, Version 2, CNSSI No 1253, 13 March. (This document provides guidance for selecting security controls from SP 800-53 Rev 3 for securing classified systems.)
- Others.

Until such third party guidance documents have been updated to leverage the Revision 4 set of security controls, security analysts should also consider using relevant control improvements introduced in Revision 4 to help mitigate security risks to critical assets. To assist in such security risk analysis, the following table summarizes the major changes introduced in Revision 4 with respect to the SP 800-53 Revision 3 security controls catalogue (and the Revision 3 based ITSG-33 security controls catalogue). In the last column, "new" means the control or enhancement is new in Revision 4, and "incorporates r3 X" means the Revision 4 control absorbs the Revision 3 control or enhancement X.
| Rev 4 control | Class / Family / Control / Enhancement | Change relative to Rev 3 |
|---|---|---|
| AC-2 | Technical / Access Control / Account Management | incorporates r3 AC-13 (jointly with AU-8) |
| AC-2(8) | Technical / Access Control / Account Management / Dynamic Account Creation | new |
| AC-2(9) | Technical / Access Control / Account Management / Restrictions on Use of Shared Groups - Accounts | new |
| AC-2(10) | Technical / Access Control / Account Management / Group Account Requests - Approvals | new |
| AC-2(11) | Technical / Access Control / Account Management / Group Account Credential Renewals | new |
| AC-2(12) | Technical / Access Control / Account Management / Usage Conditions | new |
| AC-2(13) | Technical / Access Control / Account Management / Account Reviews | new |
| AC-2(14) | Technical / Access Control / Account Management / Account Monitoring - Atypical Usage | new |
| AC-2(15) | Technical / Access Control / Account Management / Disable Accounts for High-Risk Individuals | new |
| AC-3 | Technical / Access Control / Access Enforcement | incorporates r3 AC-17(7) |
| AC-3(7) | Technical / Access Control / Access Enforcement / Mandatory Access Control | new |
| AC-3(8) | Technical / Access Control / Access Enforcement / Role Based Access Control | new |
| AC-3(9) | Technical / Access Control / Access Enforcement / Revocation of Access Authorizations | new |
| AC-3(10) | Technical / Access Control / Access Enforcement / Network Access Security-Related Functions | new |
| AC-4(18) | Technical / Access Control / Information Flow Enforcement / Security Attribute Binding | new |
| AC-4(19) | Technical / Access Control / Information Flow Enforcement / Protection of Metadata | new |
| AC-4(20) | Technical / Access Control / Information Flow Enforcement / Classified Information | new |
| AC-4(21) | Technical / Access Control / Information Flow Enforcement / Logical Separation of Information Flows | new |
| AC-6(7) | Technical / Access Control / Least Privilege / Review of User Privileges | new |
| AC-6(8) | Technical / Access Control / Least Privilege / Privilege Levels for Code Execution | new |
| AC-9(4) | Technical / Access Control / Previous Logon (Access) Notification / Additional Logon Information | new |
| AC-14 | Technical / Access Control / Permitted Actions without Identification or Authentication | incorporates r3 AC-14(1) |
| AC-16(6) | Technical / Access Control / Security Attributes / Maintenance of Attribute Association by Organization | new |
| AC-16(7) | Technical / Access Control / Security Attributes / Consistent Attribute Interpretation | new |
| AC-16(8) | Technical / Access Control / Security Attributes / Association Techniques - Technologies | new |
| AC-16(9) | Technical / Access Control / Security Attributes / Attribute Reassignment | new |
| AC-16(10) | Technical / Access Control / Security Attributes / Attribute Configuration by Authorized Individuals | new |
| AC-16(11) | Technical / Access Control / Security Attributes / Permitted Attributes for Specified Information Systems | new |
| AC-16(12) | Technical / Access Control / Security Attributes / Permitted Values and Ranges for Attributes | new |
| AC-17 | Technical / Access Control / Remote Access | incorporates r3 AC-17(5) |
| AC-17(9) | Technical / Access Control / Remote Access / Disconnect - Disable Access | new |
| AC-18 | Technical / Access Control / Wireless Access | incorporates r3 AC-18(2) |
| AC-19(5) | Technical / Access Control / Mobile Devices / Personally Owned Devices | new |
| AC-19(6) | Technical / Access Control / Mobile Devices / Full Disk Encryption | new |
| AC-19(7) | Technical / Access Control / Mobile Devices / Central Management of Mobile Devices | new |
| AC-19(8) | Technical / Access Control / Mobile Devices / Remote Purging of Information | new |
| AC-19(9) | Technical / Access Control / Mobile Devices / Tamper Detection | new |
| AC-20(3) | Technical / Access Control / Use of External Information Systems / Personally Owned Information Systems - Devices | new |
| AC-20(4) | Technical / Access Control / Use of External Information Systems / Network Accessible Storage Devices | new |
| AC-21(2) | Technical / Access Control / Collaboration and Information Sharing / Information Search and Retrieval | new |
| AC-23 | Technical / Access Control / Data Mining Protection | new |
| AC-24 | Technical / Access Control / Access Control Decisions | new |
| AC-24(1) | Technical / Access Control / Access Control Decisions / Transmit Access Authorization Information | new |
| AC-24(2) | Technical / Access Control / Access Control Decisions / No User or Process Identity | new |
| AC-25 | Technical / Access Control / Reference Monitor Function | new |
| AT-2(2) | Operational / Awareness and Training / Security Awareness / Insider Threat | new |
| AT-3(3) | Operational / Awareness and Training / Security Training / Practical Exercises | new |
| AU-4(1) | Technical / Audit and Accountability / Audit Storage Capacity / Transfer to Alternate Storage | new |
| AU-6 | Technical / Audit and Accountability / Audit Review, Analysis and Reporting | incorporates r3 AU-6(7) |
| AU-7(2) | Technical / Audit and Accountability / Audit Reduction and Report Generation / Automatic Sorting | new |
| AU-8 | Technical / Audit and Accountability / Time Stamps | incorporates r3 AC-13 (jointly with AC-2) |
| AU-8(2) | Technical / Audit and Accountability / Time Stamps / Secondary Authoritative Time Source | new |
| AU-9(5) | Technical / Audit and Accountability / Protection of Audit Information / Dual Authorization | new |
| AU-9(6) | Technical / Audit and Accountability / Protection of Audit Information / Read Only Access | new |
| AU-12 | Technical / Audit and Accountability / Audit Generation | incorporates r3 AU-2(1) and AU-2(2) |
| AU-12(3) | Technical / Audit and Accountability / Audit Generation / Changes by Authorized Individuals | new |
| AU-15 | Technical / Audit and Accountability / Alternate Audit Capability | new |
| AU-16 | Technical / Audit and Accountability / Cross-Organizational Auditing | new |
| AU-16(1) | Technical / Audit and Accountability / Cross-Organizational Auditing / Identity Preservation | new |
| AU-16(2) | Technical / Audit and Accountability / Cross-Organizational Auditing / Sharing of Audit Information | new |
| CA-2(3) | Management / Security Assessment and Authorization / Security Assessments / External Organizations | new |
| CA-3(3) | Management / Security Assessment and Authorization / Prohibit Connections to Public Networks | new |
| CA-7 | Management / Security Assessment and Authorization / Continuous Monitoring | incorporates r3 CM-6(4) |
| CM-7 | Operational / Configuration Management / Least Functionality | incorporates r3 AC-17(8) |
| CM-7(4) | Operational / Configuration Management / Least Functionality / Unauthorized Software | new |
| CM-7(5) | Operational / Configuration Management / Least Functionality / Authorized Software | new |
| CM-10 | Operational / Configuration Management / Software Usage Restrictions | new |
| CM-11 | Operational / Configuration Management / User Installed Software | new |
| CM-11(1) | Operational / Configuration Management / User Installed Software / Automated Alerts for Unauthorized Installations | new |
| CP-2(7) | Operational / Contingency Planning / Contingency Plan / Coordinate with External Service Providers | new |
| CP-2(8) | Operational / Contingency Planning / Contingency Plan / Identify Critical Assets | new |
| CP-7 | Operational / Contingency Planning / Alternate Processing Site | incorporates r3 CM-2(4), CM-3(5) and CP-7(5) |
| CP-7(6) | Operational / Contingency Planning / Alternate Processing Site / Inability to Return to Primary Site | new |
| CP-8(5) | Operational / Contingency Planning / Telecommunications Services / Alternate Telecommunication Service Testing | new |
| CP-9 | Operational / Contingency Planning / Information System Backup | incorporates r3 CP-9(4) |
| CP-9(7) | Operational / Contingency Planning / Information System Backup / Two-person Rule | new |
| CP-11 | Operational / Contingency Planning / Predictable Failure Prevention | new |
| CP-11(1) | Operational / Contingency Planning / Predictable Failure Prevention / Transferring Component Responsibilities | new |
| CP-11(2) | Operational / Contingency Planning / Predictable Failure Prevention / Time Limit on Process Execution without Supervision | new |
| CP-11(3) | Operational / Contingency Planning / Predictable Failure Prevention / Manual Transfer Between Components | new |
| CP-11(4) | Operational / Contingency Planning / Predictable Failure Prevention / Standby Component Installation - Notification | new |
| CP-12 | Operational / Contingency Planning / Alternate Communications Protocols | new |
| CP-13 | Operational / Contingency Planning / Safe Mode | new |
| IA-2(10) | Technical / Identification and Authentication / Organizational Users / Single Sign-on | new |
| IA-3 | Technical / Identification and Authentication / Device to Device | incorporates r3 IA-3(2) |
| IA-4(6) | Technical / Identification and Authentication / Identifier Management / Cross-organization Management | new |
| IA-5(9) | Technical / Identification and Authentication / Authenticator Management / Cross-organization Management | new |
| IA-5(10) | Technical / Identification and Authentication / Authenticator Management / Dynamic Authenticator Association | new |
| IA-5(11) | Technical / Identification and Authentication / Authenticator Management / Hardware Token-based Authentication | new |
| IA-5(12) | Technical / Identification and Authentication / Authenticator Management / Biometric Authentication | new |
| IA-9 | Technical / Identification and Authentication / Service I&A | new |
| IA-9(1) | Technical / Identification and Authentication / Service I&A / Information Exchange | new |
| IA-9(2) | Technical / Identification and Authentication / Service I&A / Transmission of Decisions | new |
| IA-10 | Technical / Identification and Authentication / Alternative Authentication | new |
| IA-11 | Technical / Identification and Authentication / Adaptive I&A | new |
| IA-12 | Technical / Identification and Authentication / Reauthentication | new |
| IR-3(2) | Operational / Incident Response / Testing / Coordination with Related Plans | new |
| IR-4(6) | Operational / Incident Response / Incident Handling / Insider Threats - Specific Capabilities | new |
| IR-4(7) | Operational / Incident Response / Incident Handling / Insider Threats - Intra-organization Coordination | new |
| IR-4(8) | Operational / Incident Response / Incident Handling / Correlation with External Organizations | new |
| IR-4(9) | Operational / Incident Response / Incident Handling / Dynamic Response Capability | new |
| IR-4(10) | Operational / Incident Response / Incident Handling / Supply Chain Coordination | new |
| IR-6(3) | Operational / Incident Response / Reporting / Coordination with Supply Chain | new |
| IR-9 | Operational / Incident Response / Information Spillage Response | new |
| IR-9(1) | Operational / Incident Response / Information Spillage Response / Responsible Personnel | new |
| IR-9(2) | Operational / Incident Response / Information Spillage Response / Training | new |
| IR-9(3) | Operational / Incident Response / Information Spillage Response / Post-spill Operations | new |
| IR-9(4) | Operational / Incident Response / Information Spillage Response / Exposure to Unauthorized Personnel | new |
| MP-3 | Operational / Media Protection / Media Marking | incorporates r3 AC-15 |
| MP-4(2) | Operational / Media Protection / Media Storage / Off-line Storage | new |
| MP-6(7) | Operational / Media Protection / Media Sanitization / Two-person Rule | new |
| MP-7 | Operational / Media Protection / Media Use | incorporates r3 AC-19(1), AC-19(2) and AC-19(3) |
| MP-7(1) | Operational / Media Protection / Media Use / Organizational Restrictions | new |
| MP-7(2) | Operational / Media Protection / Media Use / Prohibition of Use without Owner | new |
| MP-8 | Operational / Media Protection / Media Downgrading | new |
| MP-8(1) | Operational / Media Protection / Media Downgrading / Tracking - Documenting | new |
| MP-8(2) | Operational / Media Protection / Media Downgrading / Equipment Testing | new |
| MP-8(3) | Operational / Media Protection / Media Downgrading / Controlled Unclassified Information | new |
| MP-8(4) | Operational / Media Protection / Media Downgrading / Classified Information | new |
| PE-5(1) | Operational / Physical and Environmental Protection / Access Control for Output Devices / Automated Access Control - Identity Linkage | new |
| PE-6(3) | Operational / Physical and Environmental Protection / Monitoring Physical Access / Video Surveillance | new |
| PE-20 | Operational / Physical and Environmental Protection / Port and I/O Device Access | new |
| PL-2(3) | Management / Planning / System Security Plan / Plan - Coordinate with other Organizational Entities | new |
| PL-7 | Management / Planning / Security Concept of Operations | new |
| PL-8 | Management / Planning / Security Architecture | new; incorporates r3 PL-2(2) |
| PM-12 | Management / Program Management / Insider Threat Program | new |
| PM-13 | Management / Program Management / Information Security Workforce | new |
| PM-14 | Management / Program Management / Operations Security Program | new |
| PM-15 | Management / Program Management / Testing, Training and Monitoring | new |
| PS-3(3) | Operational / Personnel Security / Personnel Screening / Additional Screening Criteria | new |
| PS-3(4) | Operational / Personnel Security / Personnel Screening / Information with Special Protection Measures | new |
| PS-4(1) | Operational / Personnel Security / Personnel Termination / Post-Employment Requirements | new |
| PS-4(2) | Operational / Personnel Security / Personnel Termination / Automated Notification | new |
| PS-7(1) | Operational / Personnel Security / Third party Personnel Security / Notifications | new |
| PS-8(1) | Operational / Personnel Security / Personnel Sanctions / Notifications | new |
| RA-5(10) | Management / Risk Assessment / Vulnerability Scanning / Correlate Scanning Information | new |
| SA-4(8) | Technical / System and Services Acquisition / Acquisition Process / Continuous Monitoring Plan | new |
| SA-5(6) | Technical / System and Services Acquisition / Information System Documentation / Functions - Ports - Protocols - Services in Use | new |
| SA-9(2) | Technical / System and Services Acquisition / External Information System Services / Identification of Functions - Ports - Protocols - Services | new |
| SA-9(3) | Technical / System and Services Acquisition / External Information System Services / Establish - Maintain Chain of Trust with Providers | new |
| SA-9(4) | Technical / System and Services Acquisition / External Information System Services / Consistent Interests of Consumers and Providers | new |
| SA-9(5) | Technical / System and Services Acquisition / External Information System Services / Processing, Storage, and Service Location | new |
| SA-10(3) | Technical / System and Services Acquisition / Developer Configuration Management / Hardware Integrity Verification | new |
| SA-11(4) | Technical / System and Services Acquisition / Developer Security Testing / Manual Code Reviews | new |
| SA-11(5) | Technical / System and Services Acquisition / Developer Security Testing / Penetration Testing | new |
| SA-11(6) | Technical / System and Services Acquisition / Developer Security Testing / Unit - Integration - Regression Testing | new |
| SA-11(7) | Technical / System and Services Acquisition / Developer Security Testing / Attack Surface Reviews | new |
| SA-11(8) | Technical / System and Services Acquisition / Developer Security Testing / Verify Scope of Testing | new |
| SA-12(8) | Technical / System and Services Acquisition / Supply Chain Protection / Use of All-source Intelligence | new |
| SA-12(9) | Technical / System and Services Acquisition / Supply Chain Protection / Operations Security | new |
| SA-12(10) | Technical / System and Services Acquisition / Supply Chain Protection / Unauthorized Modifications | new |
| SA-12(11) | Technical / System and Services Acquisition / Supply Chain Protection / Validate as Genuine and not Altered | new |
| SA-12(12) | Technical / System and Services Acquisition / Supply Chain Protection / Penetration Testing - Analysis of Supply Chain Elements | new |
| SA-12(13) | Technical / System and Services Acquisition / Supply Chain Protection / Inter-organizational Agreements | new |
| SA-12(14) | Technical / System and Services Acquisition / Supply Chain Protection / Critical Information System Components | new |
| SA-12(15) | Technical / System and Services Acquisition / Supply Chain Protection / Critical Information System Components | new |
| SA-15 | Technical / System and Services Acquisition / Tools | new |
| SA-15(1) | Technical / System and Services Acquisition / Tools / Quality Metrics | new |
| SA-15(2) | Technical / System and Services Acquisition / Tools / Security Tracking Tools | new |
| SA-15(3) | Technical / System and Services Acquisition / Tools / Criticality Analysis | new |
| SA-15(4) | Technical / System and Services Acquisition / Tools / Threat Modeling - Vulnerability Analysis | new |
| SA-15(5) | Technical / System and Services Acquisition / Tools / Attack Surface Reduction | new |
| SA-15(6) | Technical / System and Services Acquisition / Tools / Continuous Improvement | new |
| SA-15(7) | Technical / System and Services Acquisition / Tools / Automated Vulnerability Analysis | new |
| SA-15(8) | Technical / System and Services Acquisition / Tools / Reuse of Threat - Vulnerability Information | new |
| SA-16 | Technical / System and Services Acquisition / Developer-provided Training | new |
| SA-17 | Technical / System and Services Acquisition / Developer Security Architecture and Design | new |
| SA-17(1) | Technical / System and Services Acquisition / Developer Security Architecture and Design / Formal Policy Model | new |
| SA-17(2) | Technical / System and Services Acquisition / Developer Security Architecture and Design / Security-relevant Components | new |
| SA-17(3) | Technical / System and Services Acquisition / Developer Security Architecture and Design / Formal Correspondence | new |
| SA-18 | Technical / System and Services Acquisition / Tamper Resistance and Detection | new |
| SA-18(1) | Technical / System and Services Acquisition / Tamper Resistance and Detection / Multiple Phases of SDLC | new |
| SA-19 | Technical / System and Services Acquisition / Anti-Counterfeit | new |
| SC-3(6) | Technical / System and Communications Protection / Security Function Isolation / Protection Mechanisms | new |
| SC-3(7) | Technical / System and Communications Protection / Security Function Isolation / Module Cohesion | new |
| SC-4 | Technical / System and Communications Protection / Information in Shared Resources | incorporates r3 SC-4(1) |
| SC-4(2) | Technical / System and Communications Protection / Information in Shared Resources / Classification Levels - Security Categories | new |
| SC-5(3) | Technical / System and Communications Protection / Denial of Service Protection / Detection - Monitoring | new |
| SC-7 | Technical / System and Communications Protection / Boundary Protection | incorporates r3 SC-7(2) and SC-15(2) |
| SC-7(19) | Technical / System and Communications Protection / Boundary Protection / Blocking Inbound - Outbound Communications Traffic | new |
| SC-7(20) | Technical / System and Communications Protection / Boundary Protection / Dynamic Isolation - Segregation | new |
| SC-8 | Technical / System and Communications Protection / Transmission Integrity | incorporates r3 SC-33 |
| SC-9(3) | Technical / System and Communications Protection / Transmission Confidentiality / Cryptographic Protection for Message Externals | new |
| SC-9(4) | Technical / System and Communications Protection / Transmission Confidentiality / Conceal - Randomize Communications | new |
| SC-10 | Technical / System and Communications Protection / Network Disconnect | incorporates r3 AC-12 |
| SC-12 | Technical / System and Communications Protection / Cryptographic Key Establishment and Management | incorporates r3 SC-12(4) and SC-12(5) |
| SC-15(4) | Technical / System and Communications Protection / Collaborative Computing Devices / Explicitly Indicate Current Participants | new |
| SC-18(5) | Technical / System and Communications Protection / Mobile Code / Allow Execution in Only Confined Environments | new |
| SC-20(2) | Technical / System and Communications Protection / Secure Name-Address Resolution Service (Authoritative Source) / Data Origin - Integrity | new |
| SC-23(5) | Technical / System and Communications Protection / Session Authenticity / Allowed Certificate Authorities | new |
| SC-29(1) | Technical / System and Communications Protection / Heterogeneity / Virtualization Techniques | new |
| SC-30(3) | Technical / System and Communications Protection / Concealment and Misdirection / Change Processing - Storage Locations | new |
| SC-30(4) | Technical / System and Communications Protection / Concealment and Misdirection / Misleading Information | new |
| SC-30(5) | Technical / System and Communications Protection / Concealment and Misdirection / Concealment and Misdirection of System Components | new |
| SC-31(2) | Technical / System and Communications Protection / Covert Channel Analysis / Maximum Bandwidth | new |
| SC-31(3) | Technical / System and Communications Protection / Covert Channel Analysis / Measure Bandwidth in Operational Environments | new |
| SC-35 | Technical / System and Communications Protection / Technical Surveillance Countermeasures | new |
| SC-36 | Technical / System and Communications Protection / Honeyclients | new |
| SC-37 | Technical / System and Communications Protection / Distributed Processing and Storage | new |
| SC-37(1) | Technical / System and Communications Protection / Distributed Processing and Storage / Diversity of Implementation | new |
| SC-37(2) | Technical / System and Communications Protection / Distributed Processing and Storage / Polling Techniques | new |
| SC-38 | Technical / System and Communications Protection / Malware Analysis | new |
| SC-39 | Technical / System and Communications Protection / Out-of-Band Channels | new |
| SC-39(1) | Technical / System and Communications Protection / Out-of-Band Channels / Ensure Delivery - Transmission | new |
| SC-40 | Technical / System and Communications Protection / Operations Security | new |
| SC-41 | Technical / System and Communications Protection / Process Isolation | new |
| SC-41(1) | Technical / System and Communications Protection / Process Isolation / Hardware Separation | new |
| SC-42 | Technical / System and Communications Protection / Wireless Link Protection | new |
| SC-42(1) | Technical / System and Communications Protection / Wireless Link Protection / Electromagnetic Interference | new |
| SC-42(2) | Technical / System and Communications Protection / Wireless Link Protection / Reduce Detection Potential | new |
| SC-42(3) | Technical / System and Communications Protection / Wireless Link Protection / Imitative or Manipulative Communications Deception | new |
| SC-42(4) | Technical / System and Communications Protection / Wireless Link Protection / Signal Parameter Identification | new |
| SI-3(7) | Operational / System and Information Integrity / Malicious Code Protection / Non Signature-based Detection | new |
| SI-3(8) | Operational / System and Information Integrity / Malicious Code Protection / Detect Unauthorized Commands | new |
| SI-4 | Operational / System and Information Integrity / Information System Monitoring | incorporates r3 AU-6(2) |
| SI-4(18) | Operational / System and Information Integrity / Information System Monitoring / Analyze Traffic - Covert Exfiltration | new |
| SI-4(19) | Operational / System and Information Integrity / Information System Monitoring / Individuals Posing Greater Risk | new |
| SI-4(20) | Operational / System and Information Integrity / Information System Monitoring / Privileged User | new |
| SI-4(21) | Operational / System and Information Integrity / Information System Monitoring / Probationary Periods | new |
| SI-4(22) | Operational / System and Information Integrity / Information System Monitoring / Unauthorized Network Services | new |
| SI-4(23) | Operational / System and Information Integrity / Information System Monitoring / Host-based Devices | new |
| SI-7 | Operational / System and Information Integrity / Integrity | incorporates r3 CM-5(7), CM-6(3), SA-6 and SA-7 |
| SI-7(5) | Operational / System and Information Integrity / Integrity / Automated Response to Integrity Violations | new |
| SI-7(6) | Operational / System and Information Integrity / Integrity / Cryptographic Protection | new |
| SI-7(7) | Operational / System and Information Integrity / Integrity / Hardware-based Protection | new |
| SI-7(8) | Operational / System and Information Integrity / Integrity / Integration of Detection and Response | new |
| SI-7(9) | Operational / System and Information Integrity / Integrity / Auditing Capability for Significant Events | new |
| SI-7(10) | Operational / System and Information Integrity / Integrity / Verify Boot Process | new |
| SI-7(11) | Operational / System and Information Integrity / Integrity / Protection of Boot Firmware | new |
| SI-7(12) | Operational / System and Information Integrity / Integrity / Confined Environments with Limited Privileges | new |
| SI-7(13) | Operational / System and Information Integrity / Integrity / Integrity Verification | new |
| SI-7(14) | Operational / System and Information Integrity / Integrity / Code Execution in Protected Environments | new |
| SI-7(15) | Operational / System and Information Integrity / Integrity / Binary or Machine Executable Code | new |
| SI-8(3) | Operational / System and Information Integrity / Spam Protection / Continuous Learning Capability | new |
| SI-9(1) | Operational / System and Information Integrity / Information Input Restrictions / Protect Remote Commands | new |
| SI-9(2) | Operational / System and Information Integrity / Information Input Restrictions / Detect Unauthorized Commands | new |
| SI-10(1) | Operational / System and Information Integrity / Information Input Validation / Manual Override Capability | new |
| SI-10(2) | Operational / System and Information Integrity / Information Input Validation / Review - Resolution of Errors | new |
| SI-10(3) | Operational / System and Information Integrity / Information Input Validation / Predictable Behavior | new |
| SI-10(4) | Operational / System and Information Integrity / Information Input Validation / Timing Interactions | new |
| SI-14 | Operational / System and Information Integrity / Non-Persistence | new |
| AP-1 | Privacy / Authority and Purpose / Authority to Collect | new |
| AP-2 | Privacy / Authority and Purpose / Purpose Specification | new |
| AR-1 | Privacy / Accountability, Audit and Risk Management / Governance and Privacy Program | new |
| AR-2 | Privacy / Accountability, Audit and Risk Management / Privacy Impact and Risk Assessment | new |
| AR-3 | Privacy / Accountability, Audit and Risk Management / Privacy Requirements for Contracts and Service Providers | new |
| AR-4 | Privacy / Accountability, Audit and Risk Management / Privacy Monitoring and Auditing | new |
| AR-5 | Privacy / Accountability, Audit and Risk Management / Privacy Awareness and Training | new |
| AR-6 | Privacy / Accountability, Audit and Risk Management / Privacy Reporting | new |
| AR-7 | Privacy / Accountability, Audit and Risk Management / Privacy-enhanced System Design and Development | new |
| AR-8 | Privacy / Accountability, Audit and Risk Management / Accounting of Disclosures | new |
| DI-1 | Privacy / Data Quality and Integrity / Data Quality | new |
| DI-1(1) | Privacy / Data Quality and Integrity / Data Quality / Validate PII | new |
| DI-1(2) | Privacy / Data Quality and Integrity / Data Quality / Re-Validate PII | new |
| DI-2 | Privacy / Data Quality and Integrity / Data Integrity and Data Integrity Board | new |
| DM-1 | Privacy / Data Minimization and Retention / Minimization of Personally Identifiable Information | new |
| DM-1(1) | Privacy / Data Minimization and Retention / Minimization of Personally Identifiable Information / Locate - Remove - Redact - Anonymize PII | new |
| DM-2 | Privacy / Data Minimization and Retention / Data Retention and Disposal | new |
| DM-2(1) | Privacy / Data Minimization and Retention / Data Retention and Disposal / System Configuration | new |
| DM-3 | Privacy / Data Minimization and Retention / Minimization of PII Used in Testing, Training, and Research | new |
| DM-3(1) | Privacy / Data Minimization and Retention / Minimization of PII Used in Testing, Training, and Research / Risk Minimization Techniques | new |
| IP-1 | Privacy / Individual Participation and Redress / Consent | new |
| IP-1(1) | Privacy / Individual Participation and Redress / Consent / Mechanisms Supporting Itemized or Tiered Consent | new |
| IP-2 | Privacy / Individual Participation and Redress / Individual Access | new |
| IP-3 | Privacy / Individual Participation and Redress / Redress | new |
| IP-4 | Privacy / Individual Participation and Redress / Complaint Management | new |
| IP-4(1) | Privacy / Individual Participation and Redress / Complaint Management / Response Times | new |
| SE-1 | Privacy / Security / Inventory of Personally Identifiable Information | new |
| SE-2 | Privacy / Security / Privacy Incident Response | new |
| TR-1 | Privacy / Transparency / Privacy Notice | new |
| TR-1(1) | Privacy / Transparency / Privacy Notice / Real-time or Layered Notice | new |
| TR-2 | Privacy / Transparency / System of Records Notices and Privacy Act Statements | new |
| TR-2(1) | Privacy / Transparency / System of Records Notices and Privacy Act Statements / Public Web Site Publication | new |
| TR-3 | Privacy / Transparency / Dissemination of Privacy Program Information | new |
| UL-1 | Privacy / Use Limitation / Internal Use | new |
| UL-2 | Privacy / Use Limitation / Information Sharing with Third Parties | new |

More information

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework 1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

More information

Security analysis and assessment of threats in European signalling systems?

Security analysis and assessment of threats in European signalling systems? Security analysis and assessment of threats in European signalling systems? New Challenges in Railway Operations Dr. Thomas Störtkuhl, Dr. Kai Wollenweber TÜV SÜD Rail Copenhagen, 20 November 2014 Slide

More information

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations

More information

ISACA Arizona May 2016 Chapter Meeting

ISACA Arizona May 2016 Chapter Meeting ISACA Arizona May 2016 Chapter Meeting Suzanne Farr / Carlos A. Villalba Agenda Introduction Preliminary questions CCM Preliminaries Definition Benefits Challenges Beyond Templates Questions 1 Background

More information

Objectives of the Security Policy Project for the University of Cyprus

Objectives of the Security Policy Project for the University of Cyprus Objectives of the Security Policy Project for the University of Cyprus 1. Introduction 1.1. Objective The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

Advent IM Ltd ISO/IEC 27001:2013 vs

Advent IM Ltd ISO/IEC 27001:2013 vs Advent IM Ltd ISO/IEC 27001:2013 vs 2005 www.advent-im.co.uk 0121 559 6699 bestpractice@advent-im.co.uk Key Findings ISO/IEC 27001:2013 vs. 2005 Controls 1) PDCA as a main driver is now gone with greater

More information

Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation

Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation Bill Valyo CA Technologies February 7, 2013 Session #12765 Quick Abstract: About this Presentation This presentation

More information