The controls and assurance activities families

This section provides the security and privacy controls and activities descriptions.

Organization-defined parameters (ODPs) used in the base control or activity also apply to the enhancements associated with those. The implementation of the control or activity is assessed for effectiveness against the completed control or activity statement. When present in a control or activity statement, the square brackets indicate that there is an ODP that needs to be inserted by the reader in order for an organization to tailor the control to their context. For example, the following enhancement statement “Support the management of system accounts using [Assignment: organization-defined automated mechanisms]” indicates the ODP within the square brackets. The reader must determine the variable that fits the statement best, based on their own circumstances and requirements.

In this section

• Access control

  • AC-01 Access control policy and procedures
  • AC-02 Account management
  • AC-03 Access enforcement
  • AC-04 Information flow enforcement
  • AC-05 Separation of duties
  • AC-06 Least privilege
  • AC-07 Unsuccessful logon attempts
  • AC-08 System use notification
  • AC-09 Previous logon notification
  • AC-10 Concurrent session control
  • AC-11 Device lock
  • AC-12 Session termination
  • AC-13 Supervision and review – access control
  • AC-14 Permitted actions without identification or authentication
  • AC-15 Automated marking
  • AC-16 Security and privacy attributes
  • AC-17 Remote access
  • AC-18 Wireless access
  • AC-19 Access control for mobile devices
  • AC-20 Use of external systems
  • AC-21 Information sharing
  • AC-22 Publicly accessible content
  • AC-23 Data mining protection
  • AC-24 Access control decisions
  • AC-25 Reference monitor
• Awareness and training

  • AT-01 Awareness and training policy and procedures
  • AT-02 Literacy training and awareness
  • AT-03 Role-based training
  • AT-04 Training records
  • AT-05 Contacts with security groups and associations
  • AT-06 Training feedback
• Audit and accountability

  • AU-01 Audit and accountability policy and procedures
  • AU-02 Event logging
  • AU-03 Content of audit records
  • AU-04 Audit log storage capacity
  • AU-05 Response to audit logging process failures
  • AU-06 Audit record review, analysis, and reporting
  • AU-07 Audit record reduction and report generation
  • AU-08 Time stamps
  • AU-09 Protection of audit information
  • AU-10 Non-repudiation
  • AU-11 Audit record retention
  • AU-12 Audit record generation
  • AU-13 Monitoring for information disclosure
  • AU-14 Session audit
  • AU-15 Alternate audit logging capability
  • AU-16 Cross-organizational audit logging
• Assessment, authorization, and monitoring

  • CA-01 Assessment, authorization and monitoring policy and procedure
  • CA-02 Control assessment
  • CA-03 Information exchange
  • CA-04 Security certification
  • CA-05 Plan of action and milestones
  • CA-06 Authorization
  • CA-07 Continuous monitoring
  • CA-08 Penetration testing
  • CA-09 Internal system connections
• Configuration management

  • CM-01 Configuration management policy and procedures
  • CM-02 Baseline configuration
  • CM-03 Configuration change control
  • CM-04 Impact analyses
  • CM-05 Access restrictions for change
  • CM-06 Configuration Settings
  • CM-07 Least functionality
  • CM-08 System component inventory
  • CM-09 Configuration management plan
  • CM-10 Software use restrictions
  • CM-11 User-installed software
  • CM-12 Information location
  • CM-13 Data action mapping
  • CM-14 Signed components
• Contingency planning

  • CP-01 Contingency planning policy and procedures
  • CP-02 Contingency plan
  • CP-03 Contingency training
  • CP-04 Contingency plan testing
  • CP-05 Contingency plan update
  • CP-06 Alternate storage site
  • CP-07 Alternate processing site
  • CP-08 Telecommunications services
  • CP-09 System backup
  • CP-10 System recovery and reconstitution
  • CP-11 Alternate communications protocols
  • CP-12 Safe mode
  • CP-13 Alternative security mechanisms
• Identification and authentication

  • IA-01 Identification and authentication policy and procedures
  • IA-02 Identification and authentication (organizational users)
  • IA-03 Device identification and authentication
  • IA-04 Identifier management
  • IA-05 Authenticator management
  • IA-06 Authentication feedback
  • IA-07 Cryptographic module authentication
  • IA-08 Identification and authentication (non-organizational users)
  • IA-09 Service identification and authentication
  • IA-10 Adaptive authentication
  • IA-11 Re-authentication
  • IA-12 Identity proofing
  • IA-13 Identity providers and authorization servers
• Incident response

  • IR-01 Incident response policy and procedures
  • IR-02 Incident response training
  • IR-03 Incident response testing
  • IR-04 Incident handling
  • IR-05 Incident monitoring
  • IR-06 Incident reporting
  • IR-07 Incident response assistance
  • IR-08 Incident response plan
  • IR-09 Information spillage response
  • IR-10 Integrated information security analysis team
• Maintenance

  • MA-01 Maintenance policy and procedures
  • MA-02 Controlled maintenance
  • MA-03 Maintenance tools
  • MA-04 Non-local maintenance
  • MA-05 Maintenance personnel
  • MA-06 Timely maintenance
  • MA-07 Field maintenance
• Media protection

  • MP-01 Media protection policy and procedures
  • MP-02 Media access
  • MP-03 Media marking
  • MP-04 Media storage
  • MP-05 Media transport
  • MP-06 Media sanitization
  • MP-07 Media use
  • MP-08 Media downgrading
• Physical and environmental protection

  • PE-01 Physical and environmental protection policy and procedures
  • PE-02 Physical access authorizations
  • PE-03 Physical access control
  • PE-04 Access control for transmission
  • PE-05 Access control for output devices
  • PE-06 Monitoring physical access
  • PE-07 Visitor control
  • PE-08 Visitor access records
  • PE-09 Power equipment and cabling
  • PE-10 Emergency shutoff
  • PE-11 Emergency power
  • PE-12 Emergency lighting
  • PE-13 Fire protection
  • PE-14 Environmental controls
  • PE-15 Water damage protection
  • PE-16 Delivery and removal
  • PE-17 Alternate work site
  • PE-18 Location of system components
  • PE-19 Information leakage
  • PE-20 Asset monitoring and tracking
  • PE-21 Electromagnetic pulse protection
  • PE-22 Component marking
  • PE-23 Facility location
  • PE-400 Remote and telework environments
  • PE-401 Security operations centre
• Planning

  • PL-01 Planning policy and procedures
  • PL-02 System security and privacy plans
  • PL-03 System security plan update
  • PL-04 Rules of behaviour
  • PL-05 Privacy impact assessment
  • PL-06 Security-related activity planning
  • PL-07 Concept of operations
  • PL-08 Security and privacy architecture
  • PL-09 Central management
  • PL-10 Baseline selection
  • PL-11 Baseline tailoring
• Program management

  • PM-01 Information security program plan
  • PM-02 Information security program leadership role
  • PM-03 Information security and privacy resources
  • PM-04 Plan of action and milestones process
  • PM-05 System and program inventory
  • PM-06 Measures of performance
  • PM-07 Enterprise architecture
  • PM-08 Critical infrastructure plan
  • PM-09 Risk management strategy
  • PM-10 Authorization process
  • PM-11 Mission and business process definition
  • PM-12 Insider threat program
  • PM-13 Security and privacy workforce
  • PM-14 Testing, training, and monitoring
  • PM-15 Security and privacy groups and associations
  • PM-16 Threat awareness program
  • PM-17 Protecting controlled information on outsourced external systems
  • PM-18 Privacy program plan
  • PM-19 Privacy program leadership role
  • PM-20 Communication of key privacy services
  • PM-21 Maintain a record of disclosures
  • PM-22 Personal information quality management
  • PM-23 Data governance committee
  • PM-24 Data integrity board
  • PM-25 Minimization of personal information used in testing, training, and research
  • PM-26 Complaint management
  • PM-27 Privacy reporting
  • PM-28 Risk framing
  • PM-29 Risk management program leadership roles
  • PM-30 Supply chain risk management strategy
  • PM-31 Continuous monitoring strategy
  • PM-32 Purposing
• Personnel security

  • PS-01 Personnel security policy and procedures
  • PS-02 Position security analysis
  • PS-03 Personnel screening
  • PS-04 Personnel termination
  • PS-05 Personnel transfer
  • PS-06 Access agreements
  • PS-07 External personnel security
  • PS-08 Personnel sanctions
  • PS-09 Position descriptions
• Personal information handling and transparency

  • PT-01 Personal information handling and transparency policy and procedures
  • PT-02 Authority to collect and use personal information
  • PT-03 Personal information handling uses and disclosures
  • PT-04 Consent
  • PT-05 Privacy notice
  • PT-06 Personal information banks
  • PT-07 Particularly sensitive personal information
  • PT-08 Data matching requirements
• Risk assessment

  • RA-01 Risk assessment policy and procedures
  • RA-02 Security categorization
  • RA-03 Risk assessment
  • RA-04 Risk assessment update
  • RA-05 Vulnerability monitoring and scanning
  • RA-06 Technical surveillance countermeasures survey
  • RA-07 Risk response
  • RA-08 Privacy impact assessments
  • RA-09 Criticality analysis
  • RA-10 Threat hunting
• System and services acquisition

  • SA-01 System and services acquisition policy and procedures
  • SA-02 Allocation of resources
  • SA-03 System development lifecycle
  • SA-04 Acquisition process
  • SA-05 System documentation
  • SA-06 Software usage restrictions
  • SA-07 User-installed software
  • SA-08 Security and privacy engineering principles
  • SA-09 External system services
  • SA-10 Developer configuration management
  • SA-11 Developer testing and evaluation
  • SA-12 Supply chain protection
  • SA-13 Trustworthiness
  • SA-14 Criticality analysis
  • SA-15 Development process, standards, and tools
  • SA-16 Developer-provided training
  • SA-17 Developer security and privacy architecture and design
  • SA-18 Tamper resistance and detection
  • SA-19 Component authenticity
  • SA-20 Customized development of critical components
  • SA-21 Developer screening
  • SA-22 Unsupported system components
  • SA-23 Specialization
  • SA-400 Sovereignty and jurisdiction
• System and communications protection

  • SC-01 System and communications protection policy and procedures
  • SC-02 Separation of system and user functionality
  • SC-03 Security function isolation
  • SC-04 Information in shared system resources
  • SC-05 Denial-of-service protection
  • SC-06 Resource availability
  • SC-07 Boundary protection
  • SC-08 Transmission confidentiality and integrity
  • SC-09 Transmission confidentiality
  • SC-10 Network disconnect
  • SC-11 Trusted path
  • SC-12 Cryptographic key establishment and management
  • SC-13 Cryptographic protection
  • SC-14 Public access protections
  • SC-15 Collaborative computing devices and applications
  • SC-16 Transmission of security and privacy attributes
  • SC-17 Public key infrastructure certificates
  • SC-18 Mobile code
  • SC-19 Voice over Internet protocol
  • SC-20 Secure name/address resolution service (authoritative source)
  • SC-21 Secure name/address resolution service (recursive or caching resolver)
  • SC-22 Architecture and provisioning for name/address resolution service
  • SC-23 Session authenticity
  • SC-24 Fail in known state
  • SC-25 Thin nodes
  • SC-26 Decoys
  • SC-27 Platform-independent applications
  • SC-28 Protection of information at rest
  • SC-29 Heterogeneity
  • SC-30 Concealment and misdirection
  • SC-31 Covert channel analysis
  • SC-32 System partitioning
  • SC-33 Transmission preparation integrity
  • SC-34 Non-modifiable executable programs
  • SC-35 External malicious code identification
  • SC-36 Distributed processing and storage
  • SC-37 Out-of-band channels
  • SC-38 Operations security
  • SC-39 Process isolation
  • SC-40 Wireless link protection
  • SC-41 Port and input/output device access
  • SC-42 Sensor capability and data
  • SC-43 Usage restrictions
  • SC-44 Detonation chambers
  • SC-45 System time synchronization
  • SC-46 Cross-domain policy enforcement
  • SC-47 Alternate communications paths
  • SC-48 Sensor relocation
  • SC-49 Hardware-enforced separation and policy enforcement
  • SC-50 Software-enforced separation and policy enforcement
  • SC-51 Hardware-based protection
  • SC-400 Entity source authentication
  • SC-401 Unclassified telecommunications in secure facilities
• System and information integrity

  • SI-01 System and information integrity policy and procedures
  • SI-02 Flaw remediation
  • SI-03 Malicious code protection
  • SI-04 System monitoring
  • SI-05 Security alerts, advisories, and directives
  • SI-06 Security and privacy function verification
  • SI-07 Software, firmware, and information integrity
  • SI-08 Spam protection
  • SI-09 Information input restrictions
  • SI-10 Information input validation
  • SI-11 Error handling
  • SI-12 Information management and retention
  • SI-13 Predictable failure prevention
  • SI-14 Non-persistence
  • SI-15 Information output filtering
  • SI-16 Memory protection
  • SI-17 Fail-safe procedures
  • SI-18 Personal information quality operations
  • SI-19 De-identification
  • SI-20 Tainting
  • SI-21 Information refresh
  • SI-22 Information diversity
  • SI-23 Information fragmentation
  • SI-400 Dedicated administration workstation
• Supply chain risk management

  • SR-01 Supply chain risk management policy and procedures
  • SR-02 Supply chain risk management plan
  • SR-03 Supply chain controls and processes
  • SR-04 Provenance
  • SR-05 Acquisition strategies, tools, and methods
  • SR-06 Supplier assessments and reviews
  • SR-07 Supply chain operations security
  • SR-08 Notification agreements
  • SR-09 Tamper resistance and detection
  • SR-10 Inspection of systems or components
  • SR-11 Component authenticity
  • SR-12 Component disposal