Major Enhancements to NIST SP 800-53 Revision 4
BD Pro

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP 800-53 states:

"The proposed changes included in Revision 4 are directly linked to the current state of the threat space (i.e., capabilities, intentions, and targeting activities of adversaries) and the attack data collected and analyzed over a substantial time period. In particular, the major changes in Revision 4 include:
- New security controls and control enhancements;
- Clarification of security control requirements and specification language;
- New tailoring guidance including the introduction of overlays;
- Additional supplemental guidance for security controls and enhancements;
- New privacy controls and implementation guidance;
- Updated security control baselines;
- New summary tables for security controls to facilitate ease-of-use; and
- Revised minimum assurance requirements and designated assurance controls.
Many of the changes were driven by particular cyber security issues and challenges requiring greater attention including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT)."

With the introduction of Revision 4, the total number of controls in SP 800-53 has increased by about 22%.

The earlier August 2009 SP 800-53 Revision 3 set of security controls has been leveraged in various third party security guidance documents such as the following:

- SANS Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG) Version 3.1, Oct 11. (The SANS 20 critical control areas (and 179 detailed security controls) are mapped to SP 800-53 Rev 3 "Priority 1" security controls);
- CSEC Guide to Managing Security Risks from Using Information Systems, Security Control Catalogue, ITSG-33 Annex 3, final draft, 31 Mar 11. (The ITSG-33 catalogue includes all SP 800-53 Rev 3 security controls plus another 20 CSEC unique controls in the AC, CP, IA, IR, PE, SA and SC control areas. Annex 4 includes profiles and guidance for selecting these controls for Protected-A, Protected-B and Secret system implementations);
- Cloud Security Alliance, Cloud Controls Matrix (CCM) Release 1.2. (The CCM controls are mapped to SP 800-53 Rev 3 security controls);
- US Federal Risk and Authorization Management Program (FedRAMP) Security Controls Baseline, Version 1.1. (The FedRAMP Security Controls Baseline for Cloud Computing uses controls selected from SP 800-53 Rev 3);
- Security Categorization and Control Selection for National Security Systems, Version 2, CNSSI No 1253, 13 March 2012. (This document provides guidance for selecting security controls from SP 800-53 Rev 3 for securing classified systems.)
- Others...

Until such third party guidance documents have been updated to leverage the Revision 4 set of security controls, security analysts should also consider using relevant control improvements introduced in Revision 4 to help mitigate security risks to critical assets.

To assist in such security risk analysis, the following table summarizes the major changes which have been introduced in Revision 4 with respect to the SP 800-53 Revision 3 security controls catalogue (and the Revision 3 based ITSG-33 security controls catalogue).
Control | Class / Family / Control / Enhancement | Change with respect to Revision 3

AC-2 | Technical / Access Control / Account Management | AC-2 and AU-8 incorporates r3 AC-13
AC-2(8) | Technical / Access Control / Account Management / Dynamic Account Creation | new in
AC-2(9) | Technical / Access Control / Account Management / Restrictions on Use of Shared Groups - Accounts | new in
AC-2(10) | Technical / Access Control / Account Management / Group Account Requests - Approvals | new in
AC-2(11) | Technical / Access Control / Account Management / Group Account Credential Renewals | new in
AC-2(12) | Technical / Access Control / Account Management / Usage Conditions | new in
AC-2(13) | Technical / Access Control / Account Management / Account Reviews | new in
AC-2(14) | Technical / Access Control / Account Management / Account Monitoring - Atypical Usage | new in
AC-2(15) | Technical / Access Control / Account Management / Disable Accounts for High-Risk Individuals | new in
AC-3 | Technical / Access Control / Access Enforcement | AC-3 incorporates r3 AC-17(7)
AC-3(7) | Technical / Access Control / Access Enforcement / Mandatory Access Control | new in
AC-3(8) | Technical / Access Control / Access Enforcement / Role Based Access Control | new in
AC-3(9) | Technical / Access Control / Access Enforcement / Revocation of Access Authorizations | new in
AC-3(10) | Technical / Access Control / Access Enforcement / Network Access Security-Related Functions | new in
AC-4(18) | Technical / Access Control / Information Flow Enforcement / Security Attribute Binding | new in
AC-4(19) | Technical / Access Control / Information Flow Enforcement / Protection of Metadata | new in
AC-4(20) | Technical / Access Control / Information Flow Enforcement / Classified Information | new in
AC-4(21) | Technical / Access Control / Information Flow Enforcement / Logical Separation of Information Flows | new in
AC-6(7) | Technical / Access Control / Least Privilege / Review of User Privileges | new in
AC-6(8) | Technical / Access Control / Least Privilege / Privilege Levels for Code Execution | new in
AC-9(4) | Technical / Access Control / Previous Logon (Access) Notification / Additional Logon Information | new in
AC-14 | Technical / Access Control / Permitted Actions without Identification or Authentication | AC-14 incorporates r3 AC-14(1)
AC-16(6) | Technical / Access Control / Security Attributes / Maintenance of Attribute Association by Organization | new in
AC-16(7) | Technical / Access Control / Security Attributes / Consistent Attribute Interpretation | new in
AC-16(8) | Technical / Access Control / Security Attributes / Association Techniques - Technologies | new in
AC-16(9) | Technical / Access Control / Security Attributes / Attribute Reassignment | new in
AC-16(10) | Technical / Access Control / Security Attributes / Attribute Configuration by Authorized Individuals | new in
AC-16(11) | Technical / Access Control / Security Attributes / Permitted Attributes for Specified Information Systems | new in
AC-16(12) | Technical / Access Control / Security Attributes / Permitted Values and Ranges for Attributes | new in
AC-17 | Technical / Access Control / Remote Access | AC-17 incorporates r3 AC-17(5)
AC-17(9) | Technical / Access Control / Remote Access / Disconnect - Disable Access | new in
AC-18 | Technical / Access Control / Wireless Access | AC-18 incorporates r3 AC-18(2)
AC-19(5) | Technical / Access Control / Mobile Devices / Personally Owned Devices | new in
AC-19(6) | Technical / Access Control / Mobile Devices / Full Disk Encryption | new in
AC-19(7) | Technical / Access Control / Mobile Devices / Central Management of Mobile Devices | new in
AC-19(8) | Technical / Access Control / Mobile Devices / Remote Purging of Information | new in
AC-19(9) | Technical / Access Control / Mobile Devices / Tamper Detection | new in
AC-20(3) | Technical / Access Control / Use of External Information Systems / Personally Owned Information Systems - Devices | new in
AC-20(4) | Technical / Access Control / Use of External Information Systems / Network Accessible Storage Devices | new in
AC-21(2) | Technical / Access Control / Collaboration and Information Sharing / Information Search and Retrieval | new in
AC-23 | Technical / Access Control / Data Mining Protection | new in
AC-24 | Technical / Access Control / Access Control Decisions | new in
AC-24(1) | Technical / Access Control / Access Control Decisions / Transmit Access Authorization Information | new in
AC-24(2) | Technical / Access Control / Access Control Decisions / No User or Process Identity | new in
AC-25 | Technical / Access Control / Reference Monitor Function | new in
AT-2(2) | Operational / Awareness and Training / Security Awareness / Insider Threat | new in
AT-3(3) | Operational / Awareness and Training / Security Training / Practical Exercises | new in
AU-4(1) | Technical / Audit and Accountability / Audit Storage Capacity / Transfer to Alternate Storage | new in
AU-6 | Technical / Audit and Accountability / Audit Review, Analysis and Reporting | AU-6 incorporates r3 AU-6(7)
AU-7(2) | Technical / Audit and Accountability / Audit Reduction and Report Generation / Automatic Sorting | new in
AU-8 | Technical / Audit and Accountability / Time Stamps | AC-2 and AU-8 incorporates r3 AC-13
AU-8(2) | Technical / Audit and Accountability / Time Stamps / Secondary Authoritative Time Source | new in
AU-9(5) | Technical / Audit and Accountability / Protection of Audit Information / Dual Authorization | new in
AU-9(6) | Technical / Audit and Accountability / Protection of Audit Information / Read Only Access | new in
AU-12 | Technical / Audit and Accountability / Audit Generation | AU-12 incorporates r3 AU-2(1) and AU-2(2)
AU-12(3) | Technical / Audit and Accountability / Audit Generation / Changes by Authorized Individuals | new in
AU-15 | Technical / Audit and Accountability / Alternate Audit Capability | new in
AU-16 | Technical / Audit and Accountability / Cross-Organizational Auditing | new in
AU-16(1) | Technical / Audit and Accountability / Cross-Organizational Auditing / Identity Preservation | new in
AU-16(2) | Technical / Audit and Accountability / Cross-Organizational Auditing / Sharing of Audit Information | new in
CA-2(3) | Management / Security Assessment and Authorization / Security Assessments / External Organizations | new in
CA-3(3) | Management / Security Assessment and Authorization / Prohibit Connections to Public Networks | new in
CA-7 | Management / Security Assessment and Authorization / Continuous Monitoring | CA-7 incorporates r3 CM-6(4)
CM-7 | Operational / Configuration Management / Least Functionality | CM-7 incorporates r3 AC-17(8)
CM-7(4) | Operational / Configuration Management / Least Functionality / Unauthorized Software | new in
CM-7(5) | Operational / Configuration Management / Least Functionality / Authorized Software | new in
CM-10 | Operational / Configuration Management / Software Usage Restrictions | new in
CM-11 | Operational / Configuration Management / User Installed Software | new in
CM-11(1) | Operational / Configuration Management / User Installed Software / Automated Alerts for Unauthorized Installations | new in
CP-2(7) | Operational / Contingency Planning / Contingency Plan / Coordinate with External Service Providers | new in
CP-2(8) | Operational / Contingency Planning / Contingency Plan / Identify Critical Assets | new in
CP-7 | Operational / Contingency Planning / Alternate Processing Site | CP-7 incorporates r3 CM-2(4), CM-3(5) and CP-7(5)
CP-7(6) | Operational / Contingency Planning / Alternate Processing Site / Inability to Return to Primary Site | new in
CP-8(5) | Operational / Contingency Planning / Telecommunications Services / Alternate Telecommunication Service Testing | new in
CP-9 | Operational / Contingency Planning / Information System Backup | CP-9 incorporates r3 CP-9(4)
CP-9(7) | Operational / Contingency Planning / Information System Backup / Two-person Rule | new in
CP-11 | Operational / Contingency Planning / Predictable Failure Prevention | new in
CP-11(1) | Operational / Contingency Planning / Predictable Failure Prevention / Transferring Component Responsibilities | new in
CP-11(2) | Operational / Contingency Planning / Predictable Failure Prevention / Time Limit on Process Execution without Supervision | new in
CP-11(3) | Operational / Contingency Planning / Predictable Failure Prevention / Manual Transfer Between Components | new in
CP-11(4) | Operational / Contingency Planning / Predictable Failure Prevention / Standby Component Installation - Notification | new in
CP-12 | Operational / Contingency Planning / Alternate Communications Protocols | new in
CP-13 | Operational / Contingency Planning / Safe Mode | new in
IA-2(10) | Technical / Identification and Authentication / Organizational Users / Single Sign-on | new in
IA-3 | Technical / Identification and Authentication / Device to Device | IA-3 incorporates r3 IA-3(2)
IA-4(6) | Technical / Identification and Authentication / Identifier Management / Cross-organization Management | new in
IA-5(9) | Technical / Identification and Authentication / Authenticator Management / Cross-organization Management | new in
IA-5(10) | Technical / Identification and Authentication / Authenticator Management / Dynamic Authenticator Association | new in
IA-5(11) | Technical / Identification and Authentication / Authenticator Management / Hardware Token-based Authentication | new in
IA-5(12) | Technical / Identification and Authentication / Authenticator Management / Biometric Authentication | new in
IA-9 | Technical / Identification and Authentication / Service I&A | new in
IA-9(1) | Technical / Identification and Authentication / Service I&A / Information Exchange | new in
IA-9(2) | Technical / Identification and Authentication / Service I&A / Transmission of Decisions | new in
IA-10 | Technical / Identification and Authentication / Alternative Authentication | new in
IA-11 | Technical / Identification and Authentication / Adaptive I&A | new in
IA-12 | Technical / Identification and Authentication / Reauthentication | new in
IR-3(2) | Operational / Incident Response / Testing / Coordination with Related Plans | new in
IR-4(6) | Operational / Incident Response / Incident Handling / Insider Threats - Specific Capabilities | new in
IR-4(7) | Operational / Incident Response / Incident Handling / Insider Threats - Intra-organization Coordination | new in
IR-4(8) | Operational / Incident Response / Incident Handling / Correlation with External Organizations | new in
IR-4(9) | Operational / Incident Response / Incident Handling / Dynamic Response Capability | new in
IR-4(10) | Operational / Incident Response / Incident Handling / Supply Chain Coordination | new in
IR-6(3) | Operational / Incident Response / Reporting / Coordination with Supply Chain | new in
IR-9 | Operational / Incident Response / Information Spillage Response | new in
IR-9(1) | Operational / Incident Response / Information Spillage Response / Responsible Personnel | new in
IR-9(2) | Operational / Incident Response / Information Spillage Response / Training | new in
IR-9(3) | Operational / Incident Response / Information Spillage Response / Post-spill Operations | new in
IR-9(4) | Operational / Incident Response / Information Spillage Response / Exposure to Unauthorized Personnel | new in
MP-3 | Operational / Media Protection / Media Marking | MP-3 incorporates r3 AC-15
MP-4(2) | Operational / Media Protection / Media Storage / Off-line Storage | new in
MP-6(7) | Operational / Media Protection / Media Sanitization / Two-person Rule | new in
MP-7 | Operational / Media Protection / Media Use | MP-7 incorporates r3 AC-19(1), AC-19(2) and AC-19(3)
MP-7(1) | Operational / Media Protection / Media Use / Organizational Restrictions | new in
MP-7(2) | Operational / Media Protection / Media Use / Prohibition of Use without Owner | new in
MP-8 | Operational / Media Protection / Media Downgrading | new in
MP-8(1) | Operational / Media Protection / Media Downgrading / Tracking - Documenting | new in
MP-8(2) | Operational / Media Protection / Media Downgrading / Equipment Testing | new in
MP-8(3) | Operational / Media Protection / Media Downgrading / Controlled Unclassified Information | new in
MP-8(4) | Operational / Media Protection / Media Downgrading / Classified Information | new in
PE-5(1) | Operational / Physical and Environmental Protection / Access Control for Output Devices / Automated Access Control - Identity Linkage | new in
PE-6(3) | Operational / Physical and Environmental Protection / Monitoring Physical Access / Video Surveillance | new in
PE-20 | Operational / Physical and Environmental Protection / Port and I/O Device Access | new in
PL-2(3) | Management / Planning / System Security Plan / Plan - Coordinate with other Organizational Entities | new in
PL-7 | Management / Planning / Security Concept of Operations | new in
PL-8 | Management / Planning / Security Architecture | PL-8 new in and incorporates r3 PL-2(2)
PM-12 | Management / Program Management / Insider Threat Program | new in
PM-13 | Management / Program Management / Information Security Workforce | new in
PM-14 | Management / Program Management / Operations Security Program | new in
PM-15 | Management / Program Management / Testing, Training and Monitoring | new in
PS-3(3) | Operational / Personnel Security / Personnel Screening / Additional Screening Criteria | new in
PS-3(4) | Operational / Personnel Security / Personnel Screening / Information with Special Protection Measures | new in
PS-4(1) | Operational / Personnel Security / Personnel Termination / Post-Employment Requirements | new in
PS-4(2) | Operational / Personnel Security / Personnel Termination / Automated Notification | new in
PS-7(1) | Operational / Personnel Security / Third-party Personnel Security / Notifications | new in
PS-8(1) | Operational / Personnel Security / Personnel Sanctions / Notifications | new in
RA-5(10) | Management / Risk Assessment / Vulnerability Scanning / Correlate Scanning Information | new in
SA-4(8) | Technical / System and Services Acquisition / Acquisition Process / Continuous Monitoring Plan | new in
SA-5(6) | Technical / System and Services Acquisition / Information System Documentation / Functions - Ports - Protocols - Services in Use | new in
SA-9(2) | Technical / System and Services Acquisition / External Information System Services / Identification of Functions - Ports - Protocols - Services | new in
SA-9(3) | Technical / System and Services Acquisition / External Information System Services / Establish - Maintain Chain of Trust with Providers | new in
SA-9(4) | Technical / System and Services Acquisition / External Information System Services / Consistent Interests of Consumers and Providers | new in
SA-9(5) | Technical / System and Services Acquisition / External Information System Services / Processing, Storage, and Service Location | new in
SA-10(3) | Technical / System and Services Acquisition / Developer Configuration Management / Hardware Integrity Verification | new in
SA-11(4) | Technical / System and Services Acquisition / Developer Security Testing / Manual Code Reviews | new in
SA-11(5) | Technical / System and Services Acquisition / Developer Security Testing / Penetration Testing | new in
SA-11(6) | Technical / System and Services Acquisition / Developer Security Testing / Unit - Integration - Regression Testing | new in
SA-11(7) | Technical / System and Services Acquisition / Developer Security Testing / Attack Surface Reviews | new in
SA-11(8) | Technical / System and Services Acquisition / Developer Security Testing / Verify Scope of Testing | new in
SA-12(8) | Technical / System and Services Acquisition / Supply Chain Protection / Use of All-source Intelligence | new in
SA-12(9) | Technical / System and Services Acquisition / Supply Chain Protection / Operations Security | new in
SA-12(10) | Technical / System and Services Acquisition / Supply Chain Protection / Unauthorized Modifications | new in
SA-12(11) | Technical / System and Services Acquisition / Supply Chain Protection / Validate as Genuine and not Altered | new in
SA-12(12) | Technical / System and Services Acquisition / Supply Chain Protection / Penetration Testing - Analysis of Supply Chain Elements | new in
SA-12(13) | Technical / System and Services Acquisition / Supply Chain Protection / Inter-organizational Agreements | new in
SA-12(14) | Technical / System and Services Acquisition / Supply Chain Protection / Critical Information System Components | new in
SA-12(15) | Technical / System and Services Acquisition / Supply Chain Protection / Critical Information System Components | new in
SA-15 | Tools | new in
SA-15(1) | Tools / Quality Metrics | new in
SA-15(2) | Tools / Security Tracking Tools | new in
SA-15(3) | Tools / Criticality Analysis | new in
SA-15(4) | Tools / Threat Modeling - Vulnerability Analysis | new in
SA-15(5) | Tools / Attack Surface Reduction | new in
SA-15(6) | Tools / Continuous Improvement | new in
SA-15(7) | Tools / Automated Vulnerability Analysis | new in
SA-15(8) | Tools / Reuse of Threat - Vulnerability Information | new in
SA-16 | Technical / System and Services Acquisition / Developer-provided Training | new in
SA-17 | Technical / System and Services Acquisition / Developer Security Architecture and Design | new in
SA-17(1) | Technical / System and Services Acquisition / Developer Security Architecture and Design / Formal Policy Model | new in
SA-17(2) | Technical / System and Services Acquisition / Developer Security Architecture and Design / Security-relevant Components | new in
SA-17(3) | Technical / System and Services Acquisition / Developer Security Architecture and Design / Formal Correspondence | new in
SA-18 | Technical / System and Services Acquisition / Tamper Resistance and Detection | new in
SA-18(1) | Technical / System and Services Acquisition / Tamper Resistance and Detection / Multiple Phases of SDLC | new in
SA-19 | Technical / System and Services Acquisition / Anti-Counterfeit | new in
SC-3(6) | Technical / System and Communications Protection / Security Function Isolation / Protection Mechanisms | new in
SC-3(7) | Technical / System and Communications Protection / Security Function Isolation / Module Cohesion | new in
SC-4 | Technical / System and Communications Protection / Information in Shared Resources | SC-4 incorporates r3 SC-4(1)
SC-4(2) | Technical / System and Communications Protection / Information in Shared Resources / Classification Levels - Security Categories | new in
SC-5(3) | Technical / System and Communications Protection / Denial of Service Protection / Detection - Monitoring | new in
SC-7 | Technical / System and Communications Protection / Boundary Protection | SC-7 incorporates r3 SC-7(2) and SC-15(2)
SC-7(19) | Technical / System and Communications Protection / Boundary Protection / Blocking Inbound - Outbound Communications Traffic | new in
SC-7(20) | Technical / System and Communications Protection / Boundary Protection / Dynamic Isolation - Segregation | new in
SC-8 | Technical / System and Communications Protection / Transmission Integrity | SC-8 incorporates r3 SC-33
SC-9(3) | Technical / System and Communications Protection / Transmission Confidentiality / Cryptographic Protection for Message Externals | new in
SC-9(4) | Technical / System and Communications Protection / Transmission Confidentiality / Conceal - Randomize Communications | new in
SC-10 | Technical / System and Communications Protection / Network Disconnect | SC-10 incorporates r3 AC-12
SC-12 | Technical / System and Communications Protection / Cryptographic Key Establishment and Management | SC-12 incorporates r3 SC-12(4) and SC-12(5)
SC-15(4) | Technical / System and Communications Protection / Collaborative Computing Devices / Explicitly Indicate Current Participants | new in
SC-18(5) | Technical / System and Communications Protection / Mobile Code / Allow Execution in Only Confined Environments | new in
SC-20(2) | Technical / System and Communications Protection / Secure Name-Address Resolution Service (Authoritative Source) / Data Origin - Integrity | new in
SC-23(5) | Technical / System and Communications Protection / Session Authenticity / Allowed Certificate Authorities | new in
SC-29(1) | Technical / System and Communications Protection / Heterogeneity / Virtualization Techniques | new in
SC-30(3) | Technical / System and Communications Protection / Concealment and Misdirection / Change Processing - Storage Locations | new in
SC-30(4) | Technical / System and Communications Protection / Concealment and Misdirection / Misleading Information | new in
SC-30(5) | Technical / System and Communications Protection / Concealment and Misdirection / Concealment and Misdirection of System Components | new in
SC-31(2) | Technical / System and Communications Protection / Covert Channel Analysis / Maximum Bandwidth | new in
SC-31(3) | Technical / System and Communications Protection / Covert Channel Analysis / Measure Bandwidth in Operational Environments | new in
SC-35 | Technical / System and Communications Protection / Technical Surveillance Countermeasures | new in
SC-36 | Technical / System and Communications Protection / Honeyclients | new in
SC-37 | Technical / System and Communications Protection / Distributed Processing and Storage | new in
SC-37(1) | Technical / System and Communications Protection / Distributed Processing and Storage / Diversity of Implementation | new in
SC-37(2) | Technical / System and Communications Protection / Distributed Processing and Storage / Polling Techniques | new in
SC-38 | Technical / System and Communications Protection / Malware Analysis | new in
SC-39 | Technical / System and Communications Protection / Out-of-bounds Channels | new in
SC-39(1) | Technical / System and Communications Protection / Out-of-bounds Channels / Ensure Delivery - Transmission | new in
SC-40 | Technical / System and Communications Protection / Operations Security | new in
SC-41 | Technical / System and Communications Protection / Process Isolation | new in
SC-41(1) | Technical / System and Communications Protection / Process Isolation / Hardware Separation | new in
SC-42 | Technical / System and Communications Protection / Wireless Link Protection | new in
SC-42(1) | Technical / System and Communications Protection / Wireless Link Protection / Electromagnetic Interference |
SC-42(2) | Technical / System and Communications Protection / Wireless Link Protection / Reduce Detection Potential |
SC-42(3) | Technical / System and Communications Protection / Wireless Link Protection / Imitative or Manipulative Communications Deception |
SC-42(4) | Technical / System and Communications Protection / Wireless Link Protection / Signal Parameter Identification |
SI-3(7) | Operational / System and Information Integrity / Malicious Code Protection / Non Signature-based Detection |
SI-3(8) | Operational / System and Information Integrity / Malicious Code Protection / Detect Unauthorized Commands |
SI-4 | Operational / System and Information Integrity / Information System Monitoring |
SI-4(18) | Analyze Traffic - Covert Exfiltration |
SI-4(19) | Individuals Posing Greater Risk |
SI-4(20) | Privileged User |
SI-4(21) | Probationary Periods |
SI-4(22) | Unauthorized Network Services |
SI-4(23) | Host-based Devices |
SI-7 | Integrity |
SI-7(5) | Integrity / Automated Response to Integrity Violations |
SI-7(6) | Integrity / Cryptographic Protection |
SI-7(7) | Integrity / Hardware-based Protection |
SI-7(8) | Integrity / Integration of Detection and Response |
SI-7(9) | Integrity / Auditing Capability for Significant Events |
SI-7(10) | Integrity / Verify Boot Process |
SI-7(11) | Integrity / Protection of Boot Firmware |
SI-7(12) | Integrity / Confined Environments with Limited Privileges |
SI-7(13) | Integrity / Integrity Verification |
SI-7(14) | Integrity / Code Execution in Protected Environments |
SI-7(15) | Integrity / Binary or Machine Executable Code |
SI-8(3) | Operational / System and Information Integrity / Spam Protection / Continuous Learning Capability |
SI-9(1) | Operational / System and Information Integrity / Information Input Restrictions / Protect Remote Commands |
SI-9(2) | Operational / System and Information Integrity / Information Input Restrictions / Detect Unauthorized Commands |
new in SC-42(2) new in SC-42(3) new in SC-42(4) new in SI-3(7) new in SI-3(8) new in SI-4 incorporates r3 AU-6(2) SI-4(18) new in SI-4(19) new in SI-4(20) new in SI-4(21) new in SI-4(22) new in SI-4(23) new in SI-7 incorporates r3 CM-5(7), CM-6(3), SA-6 and SA-7 SI-7(5) new in SI-7(6) new in SI-7(7) new in SI-7(8) new in SI-7(9) new in SI-7(10) new in SI-7(11) new in SI-7(12) new in SI-7(13) new in SI-7(14) new in SI-7(15) new in SI-8(3) new in SI-9(1) new in SI-9(2) new in

SI-10 (1) SI-10 (2) SI-10 (3) SI-10 (4) SI-14 AP-1 AP-2 AR-2 AR-2 AR-3 AR-4 AR-5 AR-6 AR-7 AR-8 DI-1 DI-1 (1) DI-1 (12) DI-2 DM-1 DM-1 (1) DM-2 DM-2 (1) DM-3 DM-3 (1) IP-1 IP-1 (1) IP-2 IP-3 Operational / System and Information Integrity / Information Input Validation / Manual Override Capability Operational / System and Information Integrity / Information Input Validation / Review - Resolution of Errors Operational / System and Information Integrity / Information Input Validation / Predictable Behavior Operational / System and Information Integrity / Information Input Validation / Timing Interactions Operational / System and Information Integrity / Non-Persistence Privacy / Authority and Purpose / Authority to Collect Privacy / Authority and Purpose / Purpose Specification Privacy / Accountabilty, Audit and Risk Management / Governance and Privacy Program Privacy / Accountabilty, Audit and Risk Management / Privacy Impact and Risk Assessment Privacy / Accountabilty, Audit and Risk Management / Privacy Requirements for Contracts and Service Providers Privacy / Accountabilty, Audit and Risk Management / Privacy Monitoring and Auditing Privacy / Accountabilty, Audit and Risk Management / Privacy Awareness and Training Privacy / Accountabilty, Audit and Risk Management / Privacy Reporting Privacy / Accountabilty, Audit and Risk Management / Privacy-enhanced System Design and Development Privacy / Accountabilty, Audit and Risk Management / Accounting of Disclosures Privacy / Data Quality and Integrity / Data Quality Privacy / Data Quality and Integrity / Data Quality / Validate PII Privacy / Data Quality and Integrity / Data Quality / Re-Validate PII Privacy / Data Quality and Integrity / Data Integrity and Data Integrity Board Privacy / Data Minimization and Retention / Minimization of Personally Identifiable Information Privacy / Data Minimization and Retention / Minimization of Personally Identifiable Information / Locate - Remove - Redact - Anonymize PII Privacy / 
Data Minimization and Retention / Data Retention and Disposal Privacy / Data Minimization and Retention / Data Retention and Disposal / System Configuration Privacy / Data Minimization and Retention / Minimization of PII Used in Testing, Training, and Research Privacy / Data Minimization and Retention / Minimization of PII Used in Testing, Training, and Research / Risk Minimization Techniques Privacy / Individual Participation and Redress / Consent Privacy / Individual Participation and Redress / Consent / Mechanisms Supporting Itemized or Tiered Consent Privacy / Individual Participation and Redress / Individual Access Privacy / Individual Participation and Redress / Redress Page 9 SI-10(1) new in SI-10(2) new in SI-10(3) new in SI-10(4)new in SI-14 new in Privacy AP-1 new in Privacy AP-2 new in Privacy AR-1 new in Privacy AR-2 new in Privacy AR-3 new in Privacy AR-4 new in Privacy AR-5 new in Privacy AR-6 new in Privacy AR-7 new in Privacy AR-8 new in Privacy DI-1 new in Privacy DI-1(1) new in Privacy DI-1(2) new in Privacy DI-2 new in Privacy DM-1 new in Privacy DM-1(1) new in Privacy DM-2 new in Privacy DM-2(1) new in Privacy DM-3 new in Privacy DM-3(1) new in Privacy IP-1 new in Privacy IP-1(1) new in Privacy IP-2 new in Privacy IP-3 new in

IP-4 IP-4 (1) SE-1 SE-2 TR-1 TR-1 (1) TR-2 TR-2 (1) TR-3 UL-1 UL-2 Privacy / Individual Participation and Redress / Complaint Management Privacy / Individual Participation and Redress / Complaint Management / Response Times Privacy / Security / Inventory of Personally Identifiable Information Privacy / Security / Privacy Incident Response Privacy / Transparency / Privacy Notice Privacy / Transparency / Privacy Notice / Real-time or Layered Notice Privacy / Transparency / System of Records Notices and Privary Act Statements Privacy / Transparency / System of Records Notices and Privary Act Statements / Public Web Site Publication Privacy / Transparency / Dissemination of Privacy Program Information Privacy / Use Limitation / Internal Use Privacy / Use Limitation / Information Sharing with Third Parties Page 10 Privacy IP-4 new in Privacy IP-4(1) new in Privacy SE-1 new in Privacy SE-2 new in Privacy TR-1 new in Privacy TR-1(1) new in Privacy TR-2 new in Privacy TR-2(1) new in Privacy TR-3 new in Privacy UL-1 new in Privacy UL-2 new in