Organizational Controls
- Access Control
- AC-1 Access Control Policy And Procedures (Class 0)
- AC-2 Account Management (Class 0)
- AC-3 Access Enforcement (Class 0)
- AC-4 Information Flow Enforcement (Class 0)
- AC-5 Separation Of Duties (Class 0)
- AC-6 Least Privilege (Class 0)
- AC-7 Unsuccessful Logon Attempts (Class 0)
- AC-8 System Use Notification (Class 0)
- AC-10 Concurrent Session Control (Class 0)
- AC-11 Session Lock (Class 0)
- AC-12 Session Termination (Class 0)
- AC-14 Permitted Actions Without Identification Or Authentication (Class 0)
- AC-17 Remote Access (Class 0)
- AC-19 Access Control For Mobile Devices (Class 0)
- AC-20 Use Of External Information Systems (Class 0)
- AC-21 Information Sharing (Class 0)
- AC-22 Publicly Accessible Content (Class 0)
- Audit and Accountability
- AU-1 Audit And Accountability Policy And Procedures (Class 0)
- AU-2 Audit Events (Class 0)
- AU-4 Audit Storage Capacity (Class 0)
- AU-6 Audit Review, Analysis, And Reporting (Class 0)
- AU-10 Non-repudiation (Class 0)
- AU-11 Audit Record Retention (Class 0)
- Awareness and Training
- AT-1 Security Awareness And Training Policy And Procedures (Class 0)
- AT-2 Security Awareness Training (Class 0)
- AT-3 Role-based Security Training (Class 0)
- AT-4 Security Training Records (Class 0)
- Configuration Management
- CM-1 Configuration Management Policy And Procedures (Class 0)
- CM-2 Baseline Configuration (Class 0)
- CM-3 Configuration Change Control (Class 0)
- CM-4 Security Impact Analysis (Class 0)
- CM-5 Access Restrictions For Change (Class 0)
- CM-6 Configuration Settings (Class 0)
- CM-7 Least Functionality (Class 0)
- CM-8 Information System Component Inventory (Class 0)
- CM-9 Configuration Management Plan (Class 0)
- CM-10 Software Usage Restrictions (Class 0)
- CM-11 User-installed Software (Class 0)
- Contingency Planning
- CP-1 Contingency Planning Policy And Procedures (Class 0)
- CP-2 Contingency Plan (Class 0)
- CP-3 Contingency Training (Class 0)
- CP-4 Contingency Plan Testing (Class 0)
- CP-9 Information System Backup (Class 0)
- CP-10 Information System Recovery And Reconstitution (Class 0)
- Identification and Authentication
- IA-1 Identification And Authentication Policy And Procedures (Class 0)
- IA-2 Identification And Authentication (Organizational Users) (Class 0)
- IA-4 Identifier Management (Class 0)
- IA-5 Authenticator Management (Class 0)
- IA-7 Cryptographic Module Authentication (Class 0)
- IA-9 Service Identification And Authentication (Class 0)
- Incident Response
- IR-1 Incident Response Policy And Procedures (Class 0)
- IR-2 Incident Response Training (Class 0)
- IR-3 Incident Response Testing (Class 0)
- IR-4 Incident Handling (Class 0)
- IR-5 Incident Monitoring (Class 0)
- IR-6 Incident Reporting (Class 0)
- IR-7 Incident Response Assistance (Class 0)
- IR-8 Incident Response Plan (Class 0)
- Maintenance
- MA-1 System Maintenance Policy And Procedures (Class 0)
- MA-2 Controlled Maintenance (Class 0)
- MA-3 Maintenance Tools (Class 0)
- MA-4 Nonlocal Maintenance (Class 0)
- MA-5 Maintenance Personnel (Class 0)
- MA-6 Timely Maintenance (Class 0)
- Media Protection
- MP-1 Media Protection Policy And Procedures (Class 0)
- MP-2 Media Access (Class 0)
- MP-3 Media Marking (Class 0)
- MP-4 Media Storage (Class 0)
- MP-5 Media Transport (Class 0)
- MP-6 Media Sanitization (Class 0)
- MP-7 Media Use (Class 0)
- Personnel Security
- PS-1 Personnel Security Policy And Procedures (Class 0)
- PS-2 Position Risk Designation (Class 0)
- PS-3 Personnel Screening (Class 0)
- PS-4 Personnel Termination (Class 0)
- PS-5 Personnel Transfer (Class 0)
- PS-6 Access Agreements (Class 0)
- PS-7 Third-party Personnel Security (Class 0)
- PS-8 Personnel Sanctions (Class 0)
- Physical and Environmental Protection
- PE-1 Physical And Environmental Protection Policy And Procedures (Class 0)
- PE-2 Physical Access Authorizations (Class 0)
- PE-3 Physical Access Control (Class 0)
- PE-4 Access Control For Transmission Medium (Class 0)
- PE-5 Access Control For Output Devices (Class 0)
- PE-6 Monitoring Physical Access (Class 0)
- PE-8 Visitor Access Records (Class 0)
- PE-9 Power Equipment And Cabling (Class 0)
- PE-10 Emergency Shutoff (Class 0)
- PE-11 Emergency Power (Class 0)
- PE-12 Emergency Lighting (Class 0)
- PE-13 Fire Protection (Class 0)
- PE-14 Temperature And Humidity Controls (Class 0)
- PE-15 Water Damage Protection (Class 0)
- PE-16 Delivery And Removal (Class 0)
- PE-17 Alternate Work Site (Class 0)
- PE-18 Location Of Information System Components (Class 0)
- Planning
- PL-1 Security Planning Policy And Procedures (Class 0)
- PL-2 System Security Plan (Class 0)
- PL-4 Rules Of Behavior (Class 0)
- PL-8 Information Security Architecture (Class 0)
- Risk Assessment
- RA-1 Risk Assessment Policy And Procedures (Class 0)
- RA-2 Security Categorization (Class 0)
- RA-3 Risk Assessment (Class 0)
- RA-5 Vulnerability Scanning (Class 0)
- RA-6 Technical Surveillance Countermeasures Survey (Class 0)
- Security Assessment and Authorization
- CA-1 Security Assessment And Authorization Policy And Procedures (Class 0)
- CA-2 Security Assessments (Class 0)
- CA-3 System Interconnections (Class 0)
- CA-5 Plan Of Action And Milestones (Class 0)
- CA-6 Security Authorization (Class 0)
- CA-7 Continuous Monitoring (Class 0)
- CA-8 Penetration Testing (Class 0)
- CA-9 Internal System Connections (Class 0)
- System and Communications Protection
- SC-1 System And Communications Protection Policy And Procedures (Class 0)
- SC-3 Security Function Isolation (Class 0)
- SC-4 Information In Shared Resources (Class 0)
- SC-5 Denial Of Service Protection (Class 0)
- SC-7 Boundary Protection (Class 0)
- SC-17 Public Key Infrastructure Certificates (Class 0)
- SC-18 Mobile Code (Class 0)
- SC-19 Voice Over Internet Protocol (Class 0)
- SC-24 Fail In Known State (Class 0)
- SC-38 Operations Security (Class 0)
- SC-41 Port And I/O Device Access (Class 0)
- System and Information Integrity
- SI-1 System And Information Integrity Policy And Procedures (Class 0)
- SI-2 Flaw Remediation (Class 0)
- SI-3 Malicious Code Protection (Class 0)
- SI-4 Information System Monitoring (Class 0)
- SI-5 Security Alerts, Advisories, And Directives (Class 0)
- SI-6 Security Function Verification (Class 0)
- SI-12 Information Handling And Retention (Class 0)
- SI-16 Memory Protection (Class 0)
- SI-17 Fail-safe Procedures (Class 0)
- System and Services Acquisition
- SA-1 System And Services Acquisition Policy And Procedures (Class 0)
- SA-2 Allocation Of Resources (Class 0)
- SA-3 System Development Life Cycle (Class 0)
- SA-4 Acquisition Process (Class 0)
- SA-5 Information System Documentation (Class 0)
- SA-8 Security Engineering Principles (Class 0)
- SA-9 External Information System Services (Class 0)
- SA-10 Developer Configuration Management (Class 0)
- SA-12 Supply Chain Protection (Class 0)
- SA-15 Development Process, Standards, And Tools (Class 0)
- SA-16 Developer-provided Training (Class 0)
- SA-17 Developer Security Architecture And Design (Class 0)
- SA-18 Tamper Resistance And Detection (Class 0)
- SA-19 Component Authenticity (Class 0)