Cybersecurity Controls Compliance

Harvey Newstrom ensures compliance to cybersecurity controls extracted from NIST, 800-53, 800-53A, and 800-53B

Management
CA - Assessment, Authorization, and Monitoring
CA-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High, Privacy]
CA-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
CA-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] assessment, authorization, and monitoring policy that:
CA-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
CA-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
CA-1a.2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;
CA-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and
CA-1c. Review and update the current assessment, authorization, and monitoring:
CA-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
CA-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: SP 800-100 IR 8062 SP 800-137A SP 800-137 SP 800-37 SP 800-39 SP 800-30 SP 800-53A SP 800-12 OMB A-130
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
SP 800-137A Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A.
SP 800-137 Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-53A Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: PM-9 PS-8 SI-12
CA-2 - Control Assessments
Control:...
[For baselines: Low, Moderate, High, Privacy]
CA-2a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
CA-2b. Develop a control assessment plan that describes the scope of the assessment including:
CA-2b.1. Controls and control enhancements under assessment;
CA-2b.2. Assessment procedures to be used to determine control effectiveness; and
CA-2b.3. Assessment environment, assessment team, and assessment roles and responsibilities;
CA-2c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
CA-2d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
CA-2e. Produce a control assessment report that document the results of the assessment; and
CA-2f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles].
CA-2(1). Independent Assessors.
Employ independent assessors or assessment teams to conduct control assessments.
CA-2(2). Specialized Assessments.
Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]].
CA-2(3). Leveraging Results From External Organizations.
Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements].
Discussion:...

Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.

Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.

Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.

Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.

To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of CA-2.

References: IR 8062 SP 800-137 IR 8011-1 SP 800-37 SP 800-39 SP 800-53A FIPS 199 OMB A-130 SP 800-115 SP 800-18
IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
SP 800-137 Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137.
IR 8011-1 Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-53A Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014.
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-115 Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115.
SP 800-18 Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1.
Related: AC-20 CA-5 CA-6 CA-7 PM-9 RA-5 RA-10 SA-11 SC-38 SI-3 SI-12 SR-2 SR-3 PE-3 SI-2 SA-4
CA-3 - Information Exchange
Control:...
[For baselines: Low, Moderate, High]
CA-3a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]];
CA-3b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
CA-3c. Review and update the agreements [Assignment: organization-defined frequency].
CA-3(1). Unclassified National Security System Connections.
[Withdrawn: Moved to SC-7(25)].
CA-3(2). Classified National Security System Connections.
[Withdrawn: Moved to SC-7(26)].
CA-3(3). Unclassified Non-National Security System Connections.
[Withdrawn: Moved to SC-7(27)].
CA-3(4). Connections To Public Networks.
[Withdrawn: Moved to SC-7(28)].
CA-3(5). Restrictions On External System Connections.
[Withdrawn: Moved to SC-7(5)].
CA-3(6). Transfer Authorizations.
Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
CA-3(7). Transitive Information Exchanges.
Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a; and
Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.
CA-3(7)(a). .
Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a; and
Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.
Discussion:...

System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2), may help to communicate and reduce risk.

Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.

References: SP 800-47 FIPS 199 OMB A-130
SP 800-47 Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47.
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: AC-4 AC-20 AU-16 CA-6 IA-3 IR-4 PL-2 PT-7 RA-3 SA-9 SC-7 SI-12 AC-2 AC-3 AC-4 SC-7
CA-4 - Security Certification
Control:...
[For baselines: ]
Discussion:...
Related:
CA-5 - Plan Of Action and Milestones
Control:...
[For baselines: Low, Moderate, High, Privacy]
CA-5a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
CA-5b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
CA-5(1). Automation Support For Accuracy and Currency.
Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms].
Discussion:...

Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.

References: SP 800-37 OMB A-130
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: CA-2 CA-7 PM-4 PM-9 RA-7 SI-2 SI-12
CA-6 - Authorization
Control:...
[For baselines: Low, Moderate, High, Privacy]
CA-6a. Assign a senior official as the authorizing official for the system;
CA-6b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
CA-6c. Ensure that the authorizing official for the system, before commencing operations:
CA-6c.1. Accepts the use of common controls inherited by the system; and
CA-6c.2. Authorizes the system to operate;
CA-6d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
CA-6e. Update the authorizations [Assignment: organization-defined frequency].
CA-6(1). Joint Authorization — Intra-Organization.
Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization.
CA-6(2). Joint Authorization — Inter-Organization.
Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.
Discussion:...

Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.

Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.

References: SP 800-137 SP 800-37 OMB A-130
SP 800-137 Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: CA-2 CA-3 CA-7 PM-9 PM-10 RA-3 SA-10 SI-12 AC-6 AC-6
CA-7 - Continuous Monitoring
Control:...
[For baselines: Low, Moderate, High, Privacy]
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
CA-7a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
CA-7b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
CA-7c. Ongoing control assessments in accordance with the continuous monitoring strategy;
CA-7d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
CA-7e. Correlation and analysis of information generated by control assessments and monitoring;
CA-7f. Response actions to address results of the analysis of control assessment and monitoring information; and
CA-7g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CA-7(1). Independent Assessment.
Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.
CA-7(2). Types Of Assessments.
[Withdrawn: Incorporated into CA-2].
CA-7(3). Trend Analyses.
Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data.
CA-7(4). Risk Monitoring.
Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:
Effectiveness monitoring;
Compliance monitoring; and
Change monitoring.
CA-7(4)(a). .
Effectiveness monitoring;
Compliance monitoring; and
Change monitoring.
CA-7(5). Consistency Analysis.
Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions].
CA-7(6). Automation Support For Monitoring.
Ensure the accuracy, currency, and availability of monitoring results for the system using [Assignment: organization-defined automated mechanisms].
Discussion:...

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.

Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b, and SI-4.

References: IR 8062 SP 800-137 IR 8011-1 SP 800-37 SP 800-39 SP 800-53A OMB A-130 SP 800-115
IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
SP 800-137 Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137.
IR 8011-1 Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-53A Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-115 Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115.
Related: AC-2 AC-6 AC-17 AT-4 AU-6 AU-13 CA-2 CA-5 CA-6 CM-3 CM-4 CM-6 CM-11 IA-5 IR-5 MA-2 MA-3 MA-4 PE-3 PE-6 PE-14 PE-16 PE-20 PL-2 PM-4 PM-6 PM-9 PM-10 PM-12 PM-14 PM-23 PM-28 PM-31 PS-7 PT-7 RA-3 RA-5 RA-7 RA-10 SA-8 SA-9 SA-11 SC-5 SC-7 SC-18 SC-38 SC-43 SI-3 SI-4 SI-12 SR-6
AC-2 - Account Management
AC-6 - Least Privilege
AC-17 - Remote Access
AT-4 - Training Records
AU-6 - Audit Record Review, Analysis, and Reporting
AU-13 - Monitoring For Information Disclosure
CA-2 - Control Assessments
CA-5 - Plan Of Action and Milestones
CA-6 - Authorization
CM-3 - Configuration Change Control
CM-4 - Impact Analyses
CM-6 - Configuration Settings
CM-11 - User-Installed Software
IA-5 - Authenticator Management
IR-5 - Incident Monitoring
MA-2 - Controlled Maintenance
MA-3 - Maintenance Tools
MA-4 - Nonlocal Maintenance
PE-3 - Physical Access Control
PE-6 - Monitoring Physical Access
PE-14 - Environmental Controls
PE-16 - Delivery and Removal
PE-20 - Asset Monitoring and Tracking
PL-2 - System Security and Privacy Plans
PM-4 - Plan Of Action and Milestones Process
PM-6 - Measures Of Performance
PM-9 - Risk Management Strategy
PM-10 - Authorization Process
PM-12 - Insider Threat Program
PM-14 - Testing, Training, and Monitoring
PM-23 - Data Governance Body
PM-28 - Risk Framing
PM-31 - Continuous Monitoring Strategy
PS-7 - External Personnel Security
PT-7 - Specific Categories Of Personally Identifiable Information
RA-3 - Risk Assessment
RA-5 - Vulnerability Monitoring and Scanning
RA-7 - Risk Response
RA-10 - Threat Hunting
SA-8 - Security and Privacy Engineering Principles
SA-9 - External System Services
SA-11 - Developer Testing and Evaluation
SC-5 - Denial-Of-Service Protection
SC-7 - Boundary Protection
SC-18 - Mobile Code
SC-38 - Operations Security
SC-43 - Usage Restrictions
SI-3 - Malicious Code Protection
SI-4 - System Monitoring
SI-12 - Information Management and Retention
SR-6 - Supplier Assessments and Reviews
CA-8 - Penetration Testing
Control:...
[For baselines: High]
Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components].
CA-8(1). Independent Penetration Testing Agent Or Team.
Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.
CA-8(2). Red Team Exercises.
Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises].
CA-8(3). Facility Penetration Testing.
Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Selection: announced; unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility.
Discussion:...

Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).

Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing.

Related: RA-5 RA-10 SA-11 SR-5 SR-6 CA-2 CA-2 PE-3
CA-9 - Internal System Connections
Control:...
[For baselines: Low, Moderate, High]
CA-9a. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system;
CA-9b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;
CA-9c. Terminate internal system connections after [Assignment: organization-defined conditions]; and
CA-9d. Review [Assignment: organization-defined frequency] the continued need for each internal connection.
CA-9(1). Compliance Checks.
Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.
Discussion:...

Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.

References: IR 8023 SP 800-124
IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.
SP 800-124 Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1.
Related: AC-3 AC-4 AC-18 AC-19 CM-2 IA-3 SC-7 SI-12 CM-6
PL - Planning
PL-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High, Privacy]
PL-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
PL-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] planning policy that:
PL-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
PL-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
PL-1a.2. Procedures to facilitate the implementation of the planning policy and the associated planning controls;
PL-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the planning policy and procedures; and
PL-1c. Review and update the current planning:
PL-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
PL-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: SP 800-100 SP 800-39 SP 800-30 SP 800-12 OMB A-130 SP 800-18
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-18 Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1.
Related: PM-9 PS-8 SI-12
PL-2 - System Security and Privacy Plans
Control:...
[For baselines: Low, Moderate, High, Privacy]
PL-2a. Develop security and privacy plans for the system that:
PL-2a.1. Are consistent with the organization’s enterprise architecture;
PL-2a.2. Explicitly define the constituent system components;
PL-2a.3. Describe the operational context of the system in terms of mission and business processes;
PL-2a.4. Identify the individuals that fulfill system roles and responsibilities;
PL-2a.5. Identify the information types processed, stored, and transmitted by the system;
PL-2a.6. Provide the security categorization of the system, including supporting rationale;
PL-2a.7. Describe any specific threats to the system that are of concern to the organization;
PL-2a.8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;
PL-2a.9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
PL-2a.10. Provide an overview of the security and privacy requirements for the system;
PL-2a.11. Identify any relevant control baselines or overlays, if applicable;
PL-2a.12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
PL-2a.13. Include risk determinations for security and privacy architecture and design decisions;
PL-2a.14. Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and
PL-2a.15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
PL-2b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles];
PL-2c. Review the plans [Assignment: organization-defined frequency];
PL-2d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
PL-2e. Protect the plans from unauthorized disclosure and modification.
PL-2(1). Concept Of Operations.
[Withdrawn: Incorporated into PL-7].
PL-2(2). Functional Architecture.
[Withdrawn: Incorporated into PL-8].
PL-2(3). Plan and Coordinate With Other Organizational Entities.
[Withdrawn: Incorporated into PL-2].
Discussion:...

System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.

Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.

Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.

Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate.

References: SP 800-37 OMB A-130 SP 800-160-1 SP 800-160-2 SP 800-18
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.
SP 800-18 Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1.
Related: AC-2 AC-6 AC-14 AC-17 AC-20 CA-2 CA-3 CA-7 CM-9 CM-13 CP-2 CP-4 IR-4 IR-8 MA-4 MA-5 MP-4 MP-5 PL-7 PL-8 PL-10 PL-11 PM-1 PM-7 PM-8 PM-9 PM-10 PM-11 RA-3 RA-8 RA-9 SA-5 SA-17 SA-22 SI-12 SR-2 SR-4
AC-2 - Account Management
AC-6 - Least Privilege
AC-14 - Permitted Actions Without Identification Or Authentication
AC-17 - Remote Access
AC-20 - Use Of External Systems
CA-2 - Control Assessments
CA-3 - Information Exchange
CA-7 - Continuous Monitoring
CM-9 - Configuration Management Plan
CM-13 - Data Action Mapping
CP-2 - Contingency Plan
CP-4 - Contingency Plan Testing
IR-4 - Incident Handling
IR-8 - Incident Response Plan
MA-4 - Nonlocal Maintenance
MA-5 - Maintenance Personnel
MP-4 - Media Storage
MP-5 - Media Transport
PL-7 - Concept Of Operations
PL-8 - Security and Privacy Architectures
PL-10 - Baseline Selection
PL-11 - Baseline Tailoring
PM-1 - Information Security Program Plan
PM-7 - Enterprise Architecture
PM-8 - Critical Infrastructure Plan
PM-9 - Risk Management Strategy
PM-10 - Authorization Process
PM-11 - Mission and Business Process Definition
RA-3 - Risk Assessment
RA-8 - Privacy Impact Assessments
RA-9 - Criticality Analysis
SA-5 - System Documentation
SA-17 - Developer Security and Privacy Architecture and Design
SA-22 - Unsupported System Components
SI-12 - Information Management and Retention
SR-2 - Supply Chain Risk Management Plan
SR-4 - Provenance
PL-3 - System Security Plan Update
Control:...
[For baselines: ]
Discussion:...
Related:
PL-4 - Rules Of Behavior
Control:...
[For baselines: Low, Moderate, High, Privacy]
PL-4a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;
PL-4b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;
PL-4c. Review and update the rules of behavior [Assignment: organization-defined frequency]; and
PL-4d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection (one or more): [Assignment: organization-defined frequency]; when the rules are revised or updated].
PL-4(1). Social Media and External Site/Application Usage Restrictions.
Include in the rules of behavior, restrictions on:
Use of social media, social networking sites, and external sites/applications;
Posting organizational information on public websites; and
Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
PL-4(1)(a). .
Use of social media, social networking sites, and external sites/applications;
Posting organizational information on public websites; and
Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
Discussion:...

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.

References: OMB A-130 SP 800-18
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-18 Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1.
Related: AC-2 AC-6 AC-8 AC-9 AC-17 AC-18 AC-19 AC-20 AT-2 AT-3 CM-11 IA-2 IA-4 IA-5 MP-7 PS-6 PS-8 SA-5 SI-12 AC-22 AU-13
PL-5 - Privacy Impact Assessment
Control:...
[For baselines: ]
Discussion:...
Related:
PL-6 - Security-Related Activity Planning
Control:...
[For baselines: ]
Discussion:...
Related:
PL-7 - Concept Of Operations
Control:...
[For baselines: Not Selected]
PL-7a. Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and
PL-7b. Review and update the CONOPS [Assignment: organization-defined frequency].
Discussion:...

The CONOPS may be included in the security or privacy plans for the system or in other system development life cycle documents. The CONOPS is a living document that requires updating throughout the system development life cycle. For example, during system design reviews, the concept of operations is checked to ensure that it remains consistent with the design for controls, the system architecture, and the operational procedures. Changes to the CONOPS are reflected in ongoing updates to the security and privacy plans, security and privacy architectures, and other organizational documents, such as procurement specifications, system development life cycle documents, and systems engineering documents.

References: OMB A-130
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: PL-2 SA-2 SI-12
PL-8 - Security and Privacy Architectures
Control:...
[For baselines: Moderate, High, Privacy]
PL-8a. Develop security and privacy architectures for the system that:
PL-8a.1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
PL-8a.2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
PL-8a.3. Describe how the architectures are integrated into and support the enterprise architecture; and
PL-8a.4. Describe any assumptions about, and dependencies on, external systems and services;
PL-8b. Review and update the architectures [Assignment: organization-defined frequency] to reflect changes in the enterprise architecture; and
PL-8c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.
PL-8(1). Defense In Depth.
Design the security and privacy architectures for the system using a defense-in-depth approach that:
Allocates [Assignment: organization-defined controls] to [Assignment: organization-defined locations and architectural layers]; and
Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.
PL-8(1)(a). .
Allocates [Assignment: organization-defined controls] to [Assignment: organization-defined locations and architectural layers]; and
Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.
PL-8(2). Supplier Diversity.
Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers.
Discussion:...

The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in PM-7, which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.

SP 800-160-1 provides guidance on the use of security architectures as part of the system development life cycle process. OMB M-19-03 requires the use of the systems security engineering concepts described in SP 800-160-1 for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).

In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.

PL-8 is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17, which is complementary to PL-8, is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures.

References: OMB A-130 SP 800-160-1 SP 800-160-2
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.
Related: CM-2 CM-6 PL-2 PL-7 PL-9 PM-5 PM-7 RA-9 SA-3 SA-5 SA-8 SA-17 SC-7 SC-2 SC-3 SC-29 SC-36 SC-29 SR-3
PL-9 - Central Management
Control:...
[For baselines: Not Selected, Privacy]
Centrally manage [Assignment: organization-defined controls and related processes].
Discussion:...

Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and the judicious use of organizational resources. Centrally managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring.

Automated tools (e.g., security information and event management tools or enterprise security monitoring and management tools) can improve the accuracy, consistency, and availability of information associated with centrally managed controls and processes. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision-making within the organization.

As part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-4(all), AC-17(1), AC-17(2), AC-17(3), AC-17(9), AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-2(1), AT-2(2), AT-3(1), AT-3(2), AT-3(3), AT-4, AU-3, AU-6(1), AU-6(3), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-7(2), AU-11, AU-13, AU-16, CA-2(1), CA-2(2), CA-2(3), CA-3(1), CA-3(2), CA-3(3), CA-7(1), CA-9, CM-2(2), CM-3(1), CM-3(4), CM-4, CM-6, CM-6(1), CM-7(2), CM-7(4), CM-7(5), CM-8(all), CM-9(1), CM-10, CM-11, CP-7(all), CP-8(all), SC-43, SI-2, SI-3, SI-4(all), SI-7, SI-8.

References: SP 800-37 OMB A-130
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: PL-8 PM-9
PL-10 - Baseline Selection
Control:...
[For baselines: Low, Moderate, High]
Select a control baseline for the system.
Discussion:...

Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11). Federal control baselines are provided in SP 800-53B. The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in SP 800-53B are based on the requirements from FISMA and PRIVACT. The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. CNSSI 1253 provides guidance on control baselines for national security systems.

References: CNSSI 1253 SP 800-37 SP 800-53B SP 800-39 SP 800-30 FIPS 199 FIPS 200 SP 800-160-1 SP 800-60-1 SP 800-60-2
CNSSI 1253 Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems, March 2014.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-53B Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
FIPS 200 National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-60-1 Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
SP 800-60-2 Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
Related: PL-2 PL-11 RA-2 RA-3 SA-8
PL-11 - Baseline Tailoring
Control:...
[For baselines: Low, Moderate, High]
Tailor the selected control baseline by applying specified tailoring actions.
Discussion:...

The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in SP 800-53B. Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in SP 800-53B can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in SP 800-53B in accordance with the security and privacy requirements from FISMA, PRIVACT, and OMB A-130. Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in SP 800-53B to specialize or customize the controls that represent the specific needs and concerns of those entities.

References: CNSSI 1253 SP 800-37 SP 800-53B SP 800-39 SP 800-30 FIPS 199 FIPS 200 SP 800-160-1 SP 800-60-1 SP 800-60-2
CNSSI 1253 Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems, March 2014.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-53B Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
FIPS 200 National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-60-1 Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
SP 800-60-2 Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
Related: PL-10 RA-2 RA-3 RA-9 SA-8
PM - Program Management
PM-1 - Information Security Program Plan
Control:...
[For baselines: Not Selected]
PM-1a. Develop and disseminate an organization-wide information security program plan that:
PM-1a.1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
PM-1a.2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
PM-1a.3. Reflects the coordination among organizational entities responsible for information security; and
PM-1a.4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
PM-1b. Review and update the organization-wide information security program plan [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
PM-1c. Protect the information security program plan from unauthorized disclosure and modification.
Discussion:...

An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. An information security program plan can be represented in a single document or compilations of documents. Privacy program plans and supply chain risk management plans are addressed separately in PM-18 and SR-2, respectively.

An information security program plan documents implementation details about program management and common controls. The plan provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended. Updates to information security program plans include organizational changes and problems identified during plan implementation or control assessments.

Program management controls may be implemented at the organization level or the mission or business process level, and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular system. Together, the individual system security plans and the organization-wide information security program plan provide complete coverage for the security controls employed within the organization.

Common controls available for inheritance by organizational systems are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls.

Events that may precipitate an update to the information security program plan include, but are not limited to, organization-wide assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines.

References: FISMA SP 800-37 SP 800-39 OMB A-130
FISMA Federal Information Security Modernization Act (P.L. 113-283), December 2014.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: PL-2 PM-18 PM-30 RA-9 SI-12 SR-2
PM-2 - Information Security Program Leadership Role
Control:...
[For baselines: Not Selected]
Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Discussion:...

The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer.

References: SP 800-37 SP 800-39 OMB M-17-25 SP 800-181
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
OMB M-17-25 Office of Management and Budget Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 2017.
SP 800-181 Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1.
Related:
PM-3 - Information Security and Privacy Resources
Control:...
[For baselines: Not Selected, Privacy]
PM-3a. Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;
PM-3b. Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and
PM-3c. Make available for expenditure, the planned information security and privacy resources.
Discussion:...

Organizations consider establishing champions for information security and privacy and, as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process.

References: OMB A-130
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: PM-4 SA-2
PM-4 - Plan Of Action and Milestones Process
Control:...
[For baselines: Not Selected, Privacy]
PM-4a. Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems:
PM-4a.1. Are developed and maintained;
PM-4a.2. Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
PM-4a.3. Are reported in accordance with established reporting requirements.
PM-4b. Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Discussion:...

The plan of action and milestones is a key organizational document and is subject to reporting requirements established by the Office of Management and Budget. Organizations develop plans of action and milestones with an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level, mission/business process level, and organizational/governance level. While plans of action and milestones are required for federal organizations, other types of organizations can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones at the system level is provided in CA-5.

References: SP 800-37 OMB A-130 PRIVACT
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
PRIVACT Privacy Act (P.L. 93-579), December 1974.
Related: CA-5 CA-7 PM-3 RA-7 SI-12
PM-5 - System Inventory
Control:...
[For baselines: Not Selected]
Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems.
PM-5(1). Inventory Of Personally Identifiable Information.
Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information.
Discussion:...

OMB A-130 provides guidance on developing systems inventories and associated reporting requirements. System inventory refers to an organization-wide inventory of systems, not system components as described in CM-8.

References: IR 8062 OMB A-130
IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: AC-3 CM-8 CM-12 CM-13 PL-8 PM-22 PT-3 PT-5 SI-12 SI-18
PM-6 - Measures Of Performance
Control:...
[For baselines: Not Selected, Privacy]
Develop, monitor, and report on the results of information security and privacy measures of performance.
Discussion:...

Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. To facilitate security and privacy risk management, organizations consider aligning measures of performance with the organizational risk tolerance as defined in the risk management strategy.

References: SP 800-55 SP 800-137 SP 800-37 SP 800-39 OMB A-130
SP 800-55 Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1.
SP 800-137 Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: CA-7 PM-9
PM-7 - Enterprise Architecture
Control:...
[For baselines: Not Selected, Privacy]
Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
PM-7(1). Offloading.
Offload [Assignment: organization-defined non-essential functions or services] to other systems, system components, or an external provider.
Discussion:...

The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture and the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8, the security and privacy architectures are developed at a level that represents an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework SP 800-37 and supporting security standards and guidelines.

References: SP 800-37 SP 800-39 OMB A-130 SP 800-160-1 SP 800-160-2
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.
Related: AU-6 PL-2 PL-8 PM-11 RA-2 SA-3 SA-8 SA-17 SA-8
PM-8 - Critical Infrastructure Plan
Control:...
[For baselines: Not Selected, Privacy]
Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Discussion:...

Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

References: DHS NIPP EO 13636 HSPD 7 OMB A-130
DHS NIPP Department of Homeland Security, National Infrastructure Protection Plan (NIPP), 2009.
EO 13636 Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 2013.
HSPD 7 Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, December 2003.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: CP-2 CP-4 PE-18 PL-2 PM-9 PM-11 PM-18 RA-3 SI-12
PM-9 - Risk Management Strategy
Control:...
[For baselines: Not Selected, Privacy]
PM-9a. Develops a comprehensive strategy to manage:
PM-9a.1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and
PM-9a.2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;
PM-9b. Implement the risk management strategy consistently across the organization; and
PM-9c. Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.
Discussion:...

An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad-based and comprehensive. The supply chain risk management strategy described in PM-30 can also provide useful inputs to the organization-wide risk management strategy.

References: SP 800-161 IR 8023 SP 800-37 SP 800-39 SP 800-30 OMB A-130
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: AC-1 AT-1 AU-1 CA-1 CA-2 CA-5 CA-6 CA-7 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PL-1 PL-2 PM-2 PM-8 PM-18 PM-28 PM-30 PS-1 PT-1 PT-2 PT-3 RA-1 RA-3 RA-9 SA-1 SA-4 SC-1 SC-38 SI-1 SI-12 SR-1 SR-2
AC-1 - Policy and Procedures
AT-1 - Policy and Procedures
AU-1 - Policy and Procedures
CA-1 - Policy and Procedures
CA-2 - Control Assessments
CA-5 - Plan Of Action and Milestones
CA-6 - Authorization
CA-7 - Continuous Monitoring
CM-1 - Policy and Procedures
CP-1 - Policy and Procedures
IA-1 - Policy and Procedures
IR-1 - Policy and Procedures
MA-1 - Policy and Procedures
MP-1 - Policy and Procedures
PE-1 - Policy and Procedures
PL-1 - Policy and Procedures
PL-2 - System Security and Privacy Plans
PM-2 - Information Security Program Leadership Role
PM-8 - Critical Infrastructure Plan
PM-18 - Privacy Program Plan
PM-28 - Risk Framing
PM-30 - Supply Chain Risk Management Strategy
PS-1 - Policy and Procedures
PT-1 - Policy and Procedures
PT-2 - Authority To Process Personally Identifiable Information
PT-3 - Personally Identifiable Information Processing Purposes
RA-1 - Policy and Procedures
RA-3 - Risk Assessment
RA-9 - Criticality Analysis
SA-1 - Policy and Procedures
SA-4 - Acquisition Process
SC-1 - Policy and Procedures
SC-38 - Operations Security
SI-1 - Policy and Procedures
SI-12 - Information Management and Retention
SR-1 - Policy and Procedures
SR-2 - Supply Chain Risk Management Plan
PM-10 - Authorization Process
Control:...
[For baselines: Not Selected, Privacy]
PM-10a. Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;
PM-10b. Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
PM-10c. Integrate the authorization processes into an organization-wide risk management program.
Discussion:...

Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The authorization processes for the organization are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation.

References: SP 800-37 SP 800-39 SP 800-181
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-181 Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1.
Related: CA-6 CA-7 PL-2
PM-11 - Mission and Business Process Definition
Control:...
[For baselines: Not Selected, Privacy]
PM-11a. Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
PM-11b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and
PM-11c. Review and revise the mission and business processes [Assignment: organization-defined frequency].
Discussion:...

Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by organizational stakeholders, the mission and business processes designed to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent to defining protection and personally identifiable information processing needs is an understanding of the adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of the processing of personally identifiable information at any stage of the information life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policies and procedures.

References: SP 800-39 FIPS 199 OMB A-130 SP 800-160-1 SP 800-60-1 SP 800-60-2
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-60-1 Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
SP 800-60-2 Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
Related: CP-2 PL-2 PM-7 PM-8 RA-2 RA-3 RA-9 SA-2
PM-12 - Insider Threat Program
Control:...
[For baselines: Not Selected]
Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
Discussion:...

Organizations that handle classified information are required, under Executive Order 13587 EO 13587 and the National Insider Threat Policy ODNI NITP, to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and nontechnical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans, conduct host-based user monitoring of individual employee activities on government-owned classified computers, provide insider threat awareness training to employees, receive access to information from offices in the department or agency for insider threat analysis, and conduct self-assessments of department or agency insider threat posture.

Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

References: EO 13587 ODNI NITP NITP12
EO 13587 Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, October 2011.
ODNI NITP Office of the Director National Intelligence, National Insider Threat Policy
NITP12 Presidential Memorandum for the Heads of Executive Departments and Agencies, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, November 2012.
Related: AC-6 AT-2 AU-6 AU-7 AU-10 AU-12 AU-13 CA-7 IA-4 IR-4 MP-7 PE-2 PM-14 PM-16 PS-3 PS-4 PS-5 PS-7 PS-8 SC-7 SC-38 SI-4
PM-13 - Security and Privacy Workforce
Control:...
[For baselines: Not Selected, Privacy]
Establish a security and privacy workforce development and improvement program.
Discussion:...

Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals.

References: OMB A-130 SP 800-181
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-181 Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1.
Related: AT-2 AT-3
PM-14 - Testing, Training, and Monitoring
Control:...
[For baselines: Not Selected, Privacy]
PM-14a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:
PM-14a.1. Are developed and maintained; and
PM-14a.2. Continue to be executed; and
PM-14b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Discussion:...

A process for organization-wide security and privacy testing, training, and monitoring helps ensure that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.

References: SP 800-137 SP 800-37 SP 800-39 SP 800-53A OMB A-130 SP 800-115
SP 800-137 Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-53A Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-115 Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115.
Related: AT-2 AT-3 CA-7 CP-4 IR-3 PM-12 SI-4
PM-15 - Security and Privacy Groups and Associations
Control:...
[For baselines: Not Selected]
Establish and institutionalize contact with selected groups and associations within the security and privacy communities:
PM-15a. To facilitate ongoing security and privacy education and training for organizational personnel;
PM-15b. To maintain currency with recommended security and privacy practices, techniques, and technologies; and
PM-15c. To share current security and privacy information, including threats, vulnerabilities, and incidents.
Discussion:...

Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on mission and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

References: OMB A-130
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: SA-11 SI-5
PM-16 - Threat Awareness Program
Control:...
[For baselines: Not Selected]
Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.
PM-16(1). Automated Means For Sharing Threat Intelligence.
Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.
Discussion:...

Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information, including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may require special agreements and protection, or it may be freely shared.

Related: IR-4 PM-12
PM-17 - Protecting Controlled Unclassified Information On External Systems
Control:...
[For baselines: Not Selected, Privacy]
PM-17a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and
PM-17b. Review and update the policy and procedures [Assignment: organization-defined frequency].
Discussion:...

Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002 and, specifically for systems external to the federal organization, 32 CFR 2002.14h. The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes.

References: 32 CFR 2002 NARA CUI SP 800-171 SP 800-172
32 CFR 2002 Code of Federal Regulations, Title 32, Controlled Unclassified Information (32 C.F.R. 2002).
NARA CUI National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry.
SP 800-171 Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2.
SP 800-172 Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172.
Related: CA-6 PM-10
PM-18 - Privacy Program Plan
Control:...
[For baselines: Not Selected, Privacy]
PM-18a. Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:
PM-18a.1. Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;
PM-18a.2. Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;
PM-18a.3. Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;
PM-18a.4. Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;
PM-18a.5. Reflects coordination among organizational entities responsible for the different aspects of privacy; and
PM-18a.6. Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and
PM-18b. Update the plan [Assignment: organization-defined frequency] and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.
Discussion:...

A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the senior agency official for privacy and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.

The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection operations explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.

Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. Together, the privacy plans for individual systems and the organization-wide privacy program plan provide complete coverage for the privacy controls employed within the organization.

Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls.

References: OMB A-130 PRIVACT
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
PRIVACT Privacy Act (P.L. 93-579), December 1974.
Related: PM-8 PM-9 PM-19
PM-19 - Privacy Program Leadership Role
Control:...
[For baselines: Not Selected, Privacy]
Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.
Discussion:...

The privacy officer is an organizational official. For federal agencies—as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines—this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has roles on the data management board (see PM-23) and the data integrity board (see PM-24).

References: OMB A-130
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: PM-18 PM-20 PM-23 PM-24 PM-27
PM-20 - Dissemination Of Privacy Program Information
Control:...
[For baselines: Not Selected, Privacy]
Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:
PM-20a. Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;
PM-20b. Ensures that organizational privacy practices and reports are publicly available; and
PM-20c. Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.
PM-20(1). Privacy Policies On Websites, Applications, and Digital Services.
Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:
Are written in plain language and organized in a way that is easy to understand and navigate;
Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and
Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes.
PM-20(1)(a). .
Are written in plain language and organized in a way that is easy to understand and navigate;
Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and
Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes.
Discussion:...

For federal agencies, the webpage is located at www.[agency].gov/privacy. Federal agencies include public privacy impact assessments, system of records notices, computer matching notices and agreements, PRIVACT exemption and implementation rules, privacy reports, privacy policies, instructions for individuals making an access or amendment request, email addresses for questions/complaints, blogs, and periodic publications.

References: OMB A-130 OMB M-17-06 PRIVACT
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
OMB M-17-06 Office of Management and Budget Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services, November 2016.
PRIVACT Privacy Act (P.L. 93-579), December 1974.
Related: AC-3 PM-19 PT-5 PT-6 PT-7 RA-8
PM-21 - Accounting Of Disclosures
Control:...
[For baselines: Not Selected, Privacy]
PM-21a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:
PM-21a.1. Date, nature, and purpose of each disclosure; and
PM-21a.2. Name and address, or other contact information of the individual or organization to which the disclosure was made;
PM-21b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and
PM-21c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.
Discussion:...

The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the PRIVACT; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.

Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services that provide notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing the disclosure or dissemination of information and dissemination restrictions.

References: OMB A-130 PRIVACT
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
PRIVACT Privacy Act (P.L. 93-579), December 1974.
Related: AC-3 AU-2 PT-2
PM-22 - Personally Identifiable Information Quality Management
Control:...
[For baselines: Not Selected, Privacy]
Develop and document organization-wide policies and procedures for:
PM-22a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;
PM-22b. Correcting or deleting inaccurate or outdated personally identifiable information;
PM-22c. Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and
PM-22d. Appeals of adverse decisions on correction or deletion requests.
Discussion:...

Personally identifiable information quality management includes steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.

The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.

Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to the complexity of data flows and storage, other entities may need to be informed of the correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem.

References: SP 800-188 OMB A-130 OMB M-19-15
SP 800-188 Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
OMB M-19-15 Office of Management and Budget Memorandum M-19-15, Improving Implementation of the Information Quality Act, April 2019.
Related: PM-23 SI-18
PM-23 - Data Governance Body
Control:...
[For baselines: Not Selected]
Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities].
Discussion:...

A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines that support data modeling, quality, integrity, and the de-identification needs of personally identifiable information across the information life cycle as well as reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the EVIDACT and policies set forth under OMB M-19-23.

References: EVIDACT SP 800-188 OMB A-130 OMB M-19-23
EVIDACT Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019.
SP 800-188 Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
OMB M-19-23 Office of Management and Budget Memorandum M-19-23, Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance, July 2019.
Related: AT-2 AT-3 PM-19 PM-22 PM-24 PT-7 SI-4 SI-19
PM-24 - Data Integrity Board
Control:...
[For baselines: Not Selected, Privacy]
Establish a Data Integrity Board to:
PM-24a. Review proposals to conduct or participate in a matching program; and
PM-24b. Conduct an annual review of all matching programs in which the agency has participated.
Discussion:...

A Data Integrity Board is the board of senior officials designated by the head of a federal agency and is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated PRIVACT systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy.

References: OMB A-108 OMB A-130 PRIVACT
OMB A-108 Office of Management and Budget Memorandum Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, December 2016.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
PRIVACT Privacy Act (P.L. 93-579), December 1974.
Related: AC-4 PM-19 PM-23 PT-2 PT-8
PM-25 - Minimization Of Personally Identifiable Information Used In Testing, Training, and Research
Control:...
[For baselines: Not Selected, Privacy]
PM-25a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;
PM-25b. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;
PM-25c. Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and
PM-25d. Review and update policies and procedures [Assignment: organization-defined frequency].
Discussion:...

The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and/or legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research.

References: OMB A-130
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: PM-23 PT-3 SA-3 SA-8 SI-12
PM-26 - Complaint Management
Control:...
[For baselines: Not Selected, Privacy]
Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:
PM-26a. Mechanisms that are easy to use and readily accessible by the public;
PM-26b. All information necessary for successfully filing complaints;
PM-26c. Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period];
PM-26d. Acknowledgement of receipt of complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]; and
PM-26e. Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period].
Discussion:...

Complaints, concerns, and questions from individuals can serve as valuable sources of input to organizations and ultimately improve operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information which is handled in accordance with relevant policies and processes.

References: OMB A-130
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: IR-7 IR-9 PM-22 SI-18
PM-27 - Privacy Reporting
Control:...
[For baselines: Not Selected, Privacy]
PM-27a. Develop [Assignment: organization-defined privacy reports] and disseminate to:
PM-27a.1. [Assignment: organization-defined oversight bodies] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and
PM-27a.2. [Assignment: organization-defined officials] and other personnel with responsibility for monitoring privacy program compliance; and
PM-27b. Review and update privacy reports [Assignment: organization-defined frequency].
Discussion:...

Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. For federal agencies, privacy reports include annual senior agency official for privacy reports to OMB, reports to Congress required by Implementing Regulations of the 9/11 Commission Act, and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements.

References: FISMA OMB A-108 OMB A-130
FISMA Federal Information Security Modernization Act (P.L. 113-283), December 2014.
OMB A-108 Office of Management and Budget Memorandum Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, December 2016.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: IR-9 PM-19
PM-28 - Risk Framing
Control:...
[For baselines: Not Selected, Privacy]
PM-28a. Identify and document:
PM-28a.1. Assumptions affecting risk assessments, risk responses, and risk monitoring;
PM-28a.2. Constraints affecting risk assessments, risk responses, and risk monitoring;
PM-28a.3. Priorities and trade-offs considered by the organization for managing risk; and
PM-28a.4. Organizational risk tolerance;
PM-28b. Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and
PM-28c. Review and update risk framing considerations [Assignment: organization-defined frequency].
Discussion:...

Risk framing is most effective when conducted at the organization level and in consultation with stakeholders throughout the organization including mission, business, and system owners. The assumptions, constraints, risk tolerance, priorities, and trade-offs identified as part of the risk framing process inform the risk management strategy, which in turn informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel, including mission and business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management.

References: SP 800-39 OMB A-130
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: CA-7 PM-9 RA-3 RA-7
PM-29 - Risk Management Program Leadership Roles
Control:...
[For baselines: Not Selected]
PM-29a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and
PM-29b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.
Discussion:...

The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities.

References: SP 800-37 SP 800-181
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-181 Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1.
Related: PM-2 PM-19
PM-30 - Supply Chain Risk Management Strategy
Control:...
[For baselines: Not Selected]
PM-30a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
PM-30a.1. Implement the supply chain risk management strategy consistently across the organization; and
PM-30a.1.(a) Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes.
PM-30(1). Suppliers Of Critical Or Mission-Essential Items.
Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.
Discussion:...

An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans. In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission/business levels, whereas the supply chain risk management plan (see SR-2) is implemented at the system level.

References: 41 CFR 201 SP 800-161 CNSSD 505 EO 13873 ISO 20243 ISO 27036 OMB A-130 OMB M-17-06 IR 8272 PRIVACT FASC18
41 CFR 201
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
CNSSD 505 Committee on National Security Systems Directive No. 505, Supply Chain Risk Management (SCRM), August 2017.
EO 13873 Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain, May 2019.
ISO 20243 International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations, February 2018.
ISO 27036 International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts, April 2014.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
OMB M-17-06 Office of Management and Budget Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services, November 2016.
IR 8272 Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272.
PRIVACT Privacy Act (P.L. 93-579), December 1974.
FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
Related: CM-10 PM-9 SR-1 SR-2 SR-3 SR-4 SR-5 SR-6 SR-7 SR-8 SR-9 SR-11 RA-3 SR-6
PM-31 - Continuous Monitoring Strategy
Control:...
[For baselines: Not Selected, Privacy]
Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:
PM-31a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics];
PM-31b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
PM-31c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;
PM-31d. Correlation and analysis of information generated by control assessments and monitoring;
PM-31e. Response actions to address results of the analysis of control assessment and monitoring information; and
PM-31f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
Discussion:...

Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b, SI-4.

References: SP 800-137A SP 800-137 SP 800-37 SP 800-39
SP 800-137A Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A.
SP 800-137 Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
Related: AC-2 AC-6 AC-17 AT-4 AU-6 AU-13 CA-2 CA-5 CA-6 CA-7 CM-3 CM-4 CM-6 CM-11 IA-5 IR-5 MA-2 MA-3 MA-4 PE-3 PE-6 PE-14 PE-16 PE-20 PL-2 PM-4 PM-6 PM-9 PM-10 PM-12 PM-14 PM-23 PM-28 PS-7 PT-7 RA-3 RA-5 RA-7 SA-9 SA-11 SC-5 SC-7 SC-18 SC-38 SC-43 SI-3 SI-4 SI-12 SR-2 SR-4
AC-2 - Account Management
AC-6 - Least Privilege
AC-17 - Remote Access
AT-4 - Training Records
AU-6 - Audit Record Review, Analysis, and Reporting
AU-13 - Monitoring For Information Disclosure
CA-2 - Control Assessments
CA-5 - Plan Of Action and Milestones
CA-6 - Authorization
CA-7 - Continuous Monitoring
CM-3 - Configuration Change Control
CM-4 - Impact Analyses
CM-6 - Configuration Settings
CM-11 - User-Installed Software
IA-5 - Authenticator Management
IR-5 - Incident Monitoring
MA-2 - Controlled Maintenance
MA-3 - Maintenance Tools
MA-4 - Nonlocal Maintenance
PE-3 - Physical Access Control
PE-6 - Monitoring Physical Access
PE-14 - Environmental Controls
PE-16 - Delivery and Removal
PE-20 - Asset Monitoring and Tracking
PL-2 - System Security and Privacy Plans
PM-4 - Plan Of Action and Milestones Process
PM-6 - Measures Of Performance
PM-9 - Risk Management Strategy
PM-10 - Authorization Process
PM-12 - Insider Threat Program
PM-14 - Testing, Training, and Monitoring
PM-23 - Data Governance Body
PM-28 - Risk Framing
PS-7 - External Personnel Security
PT-7 - Specific Categories Of Personally Identifiable Information
RA-3 - Risk Assessment
RA-5 - Vulnerability Monitoring and Scanning
RA-7 - Risk Response
SA-9 - External System Services
SA-11 - Developer Testing and Evaluation
SC-5 - Denial-Of-Service Protection
SC-7 - Boundary Protection
SC-18 - Mobile Code
SC-38 - Operations Security
SC-43 - Usage Restrictions
SI-3 - Malicious Code Protection
SI-4 - System Monitoring
SI-12 - Information Management and Retention
SR-2 - Supply Chain Risk Management Plan
SR-4 - Provenance
PM-32 - Purposing
Control:...
[For baselines: Not Selected]
Analyze [Assignment: organization-defined systems or systems components] supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.
Discussion:...

Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside of the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are more vulnerable to compromise, which can ultimately impact the services and functions for which they were intended. This is especially impactful for mission-essential services and functions. By analyzing resource use, organizations can identify such potential exposures.

References: SP 800-160-1 SP 800-160-2
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.
Related: CA-7 PL-2 RA-3 RA-9
RA - Risk Assessment
RA-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High, Privacy]
RA-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
RA-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] risk assessment policy that:
RA-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
RA-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
RA-1a.2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;
RA-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and
RA-1c. Review and update the current risk assessment:
RA-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
RA-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: SP 800-100 SP 800-39 SP 800-30 SP 800-12 OMB A-130
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: PM-9 PS-8 SI-12
RA-2 - Security Categorization
Control:...
[For baselines: Low, Moderate, High]
RA-2a. Categorize the system and information it processes, stores, and transmits;
RA-2b. Document the security categorization results, including supporting rationale, in the security plan for the system; and
RA-2c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
RA-2(1). Impact-Level Prioritization.
Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.
Discussion:...

Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. CNSSI 1253 provides additional guidance on categorization for national security systems.

Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with USA PATRIOT and Homeland Security Presidential Directives, potential national-level adverse impacts.

Security categorization processes facilitate the development of inventories of information assets and, along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.

References: CNSSI 1253 SP 800-37 SP 800-39 SP 800-30 NARA CUI FIPS 199 FIPS 200 SP 800-160-1 SP 800-60-1 SP 800-60-2
CNSSI 1253 Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems, March 2014.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
NARA CUI National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry.
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
FIPS 200 National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-60-1 Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
SP 800-60-2 Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
Related: CM-8 MP-4 PL-2 PL-10 PL-11 PM-7 RA-3 RA-5 RA-7 RA-8 SA-8 SC-7 SC-38 SI-12
RA-3 - Risk Assessment
Control:...
[For baselines: Low, Moderate, High, Privacy]
RA-3a. Conduct a risk assessment, including:
RA-3a.1. Identifying threats to and vulnerabilities in the system;
RA-3a.2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and
RA-3a.3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
RA-3b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;
RA-3c. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]];
RA-3d. Review risk assessment results [Assignment: organization-defined frequency];
RA-3e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
RA-3f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
RA-3(1). Supply Chain Risk Assessment.
Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and
Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.
RA-3(1)(a). .
Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and
Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.
RA-3(2). Use Of All-Source Intelligence.
Use all-source intelligence to assist in the analysis of risk.
RA-3(3). Dynamic Threat Awareness.
Determine the current cyber threat environment on an ongoing basis using [Assignment: organization-defined means].
RA-3(4). Predictive Cyber Analytics.
Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities].
Discussion:...

Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.

Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.

Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.

References: SP 800-161 IR 8062 IR 8023 SP 800-39 SP 800-30 OMB A-130 IR 8272
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
IR 8272 Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272.
Related: CA-3 CA-6 CM-4 CM-13 CP-6 CP-7 IA-8 MA-5 PE-3 PE-8 PE-18 PL-2 PL-10 PL-11 PM-8 PM-9 PM-28 PT-2 PT-7 RA-2 RA-5 RA-7 SA-8 SA-9 SC-38 SI-12 PM-17 PM-30 RA-2 RA-9 SR-2 AT-2
CA-3 - Information Exchange
CA-6 - Authorization
CM-4 - Impact Analyses
CM-13 - Data Action Mapping
CP-6 - Alternate Storage Site
CP-7 - Alternate Processing Site
IA-8 - Identification and Authentication (Non-Organizational Users)
MA-5 - Maintenance Personnel
PE-3 - Physical Access Control
PE-8 - Visitor Access Records
PE-18 - Location Of System Components
PL-2 - System Security and Privacy Plans
PL-10 - Baseline Selection
PL-11 - Baseline Tailoring
PM-8 - Critical Infrastructure Plan
PM-9 - Risk Management Strategy
PM-28 - Risk Framing
PT-2 - Authority To Process Personally Identifiable Information
PT-7 - Specific Categories Of Personally Identifiable Information
RA-2 - Security Categorization
RA-5 - Vulnerability Monitoring and Scanning
RA-7 - Risk Response
SA-8 - Security and Privacy Engineering Principles
SA-9 - External System Services
SC-38 - Operations Security
SI-12 - Information Management and Retention
PM-17 - Protecting Controlled Unclassified Information On External Systems
PM-30 - Supply Chain Risk Management Strategy
RA-2 - Security Categorization
RA-9 - Criticality Analysis
SR-2 - Supply Chain Risk Management Plan
AT-2 - Literacy Training and Awareness
RA-4 - Risk Assessment Update
Control:...
[For baselines: ]
Discussion:...
Related:
RA-5 - Vulnerability Monitoring and Scanning
Control:...
[For baselines: Low, Moderate, High]
RA-5a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
RA-5b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
RA-5b.1. Enumerating platforms, software flaws, and improper configurations;
RA-5b.2. Formatting checklists and test procedures; and
RA-5b.3. Measuring vulnerability impact;
RA-5c. Analyze vulnerability scan reports and results from vulnerability monitoring;
RA-5d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
RA-5e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
RA-5f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
RA-5(1). Update Tool Capability.
[Withdrawn: Incorporated into RA-5].
RA-5(2). Update Vulnerabilities To Be Scanned.
Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].
RA-5(3). Breadth and Depth Of Coverage.
Define the breadth and depth of vulnerability scanning coverage.
RA-5(4). Discoverable Information.
Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions].
RA-5(5). Privileged Access.
Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignment: organization-defined vulnerability scanning activities].
RA-5(6). Automated Trend Analyses.
Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms].
RA-5(7). Automated Detection and Notification Of Unauthorized Components.
[Withdrawn: Incorporated into CM-8].
RA-5(8). Review Historic Audit Logs.
Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period].
RA-5(9). Penetration Testing and Analyses.
[Withdrawn: Incorporated into CA-8].
RA-5(10). Correlate Scanning Information.
Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.
RA-5(11). Public Disclosure Program.
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.
Discussion:...

Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.

Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.

Organizations may also employ the use of financial incentives (also known as bug bounties) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

References: IR 8023 IR 8011-4 ISO 29147 SP 800-53A SP 800-70 SP 800-115 IR 7788 SP 800-40 SP 800-126
IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.
IR 8011-4 Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4.
ISO 29147 International Organization for Standardization/International Electrotechnical Commission 29147:2018, Information technology—Security techniques—Vulnerability disclosure, October 2018.
SP 800-53A Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014.
SP 800-70 Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4.
SP 800-115 Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115.
IR 7788 Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788.
SP 800-40 Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3.
SP 800-126 Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3.
Related: CA-2 CA-7 CA-8 CM-2 CM-4 CM-6 CM-8 RA-2 RA-3 SA-11 SA-15 SC-38 SI-2 SI-3 SI-4 SI-7 SR-11 SI-5 AU-13 SC-26 AU-6 AU-11
RA-6 - Technical Surveillance Countermeasures Survey
Control:...
[For baselines: Not Selected]
Employ a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; when the following events or indicators occur: [Assignment: organization-defined events or indicators]].
Discussion:...

A technical surveillance countermeasures survey is a service provided by qualified personnel to detect the presence of technical surveillance devices and hazards and to identify technical security weaknesses that could be used in the conduct of a technical penetration of the surveyed facility. Technical surveillance countermeasures surveys also provide evaluations of the technical security posture of organizations and facilities and include visual, electronic, and physical examinations of surveyed facilities, internally and externally. The surveys also provide useful input for risk assessments and information regarding organizational exposure to potential adversaries.

Related:
RA-7 - Risk Response
Control:...
[For baselines: Low, Moderate, High, Privacy]
Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.
Discussion:...

Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.

References: SP 800-37 SP 800-39 SP 800-30 FIPS 199 FIPS 200 SP 800-160-1
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
FIPS 200 National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
Related: CA-5 IR-9 PM-4 PM-28 RA-2 RA-3 SR-2
RA-8 - Privacy Impact Assessments
Control:...
[For baselines: Not Selected, Privacy]
Conduct privacy impact assessments for systems, programs, or other activities before:
RA-8a. Developing or procuring information technology that processes personally identifiable information; and
RA-8b. Initiating a new collection of personally identifiable information that:
RA-8b.1. Will be processed using information technology; and
RA-8b.2. Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.
Discussion:...

A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document that details the process and the outcome of the analysis.

Organizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology.

To conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes that may have different names, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by EGOV; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.

References: EGOV OMB A-130 https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2003/m03_22.pdf" title="Office of Management and Budget Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 2003.https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2003/m03_22.pdf">OMB M-03-22
EGOV E-Government Act [includes FISMA] (P.L. 107-347), December 2002.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
OMB M-03-22 Office of Management and Budget Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 2003.https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2003/m03_22.pdf
Related: CM-4 CM-9 CM-13 PT-2 PT-3 PT-5 RA-1 RA-2 RA-3 RA-7
RA-9 - Criticality Analysis
Control:...
[For baselines: Moderate, High]
Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle].
Discussion:...

Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.

The operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.

Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.

References: IR 8179
IR 8179 Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179.
Related: CP-2 PL-2 PL-8 PL-11 PM-1 PM-11 RA-2 SA-8 SA-15 SA-20 SR-5
RA-10 - Threat Hunting
Control:...
[For baselines: Not Selected]
RA-10a. Establish and maintain a cyber threat hunting capability to:
RA-10a.1. Search for indicators of compromise in organizational systems; and
RA-10a.2. Detect, track, and disrupt threats that evade existing controls; and
RA-10b. Employ the threat hunting capability [Assignment: organization-defined frequency].
Discussion:...

Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams leverage existing threat intelligence and may create new threat intelligence, which is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies.

References: SP 800-30
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
Related: CA-2 CA-7 CA-8 RA-3 RA-5 RA-6 SI-4
SA - System and Services Acquisition
SA-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High, Privacy]
SA-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
SA-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and services acquisition policy that:
SA-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
SA-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
SA-1a.2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;
SA-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and
SA-1c. Review and update the current system and services acquisition:
SA-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
SA-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: SP 800-100 SP 800-39 SP 800-30 SP 800-12 OMB A-130 SP 800-160-1
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
Related: PM-9 PS-8 SA-8 SI-12
SA-2 - Allocation Of Resources
Control:...
[For baselines: Low, Moderate, High, Privacy]
SA-2a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;
SA-2b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and
SA-2c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.
Discussion:...

Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.

References: SP 800-37 OMB A-130 SP 800-160-1
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
Related: PL-7 PM-3 PM-11 SA-9 SR-3 SR-5
SA-3 - System Development Life Cycle
Control:...
[For baselines: Low, Moderate, High, Privacy]
SA-3a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations;
SA-3b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
SA-3c. Identify individuals having information security and privacy roles and responsibilities; and
SA-3d. Integrate the organizational information security and privacy risk management process into system development life cycle activities.
SA-3(1). Manage Preproduction Environment.
Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.
SA-3(2). Use Of Live Or Operational Data.
Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and
Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments.
SA-3(2)(a). .
Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and
Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments.
SA-3(3). Technology Refresh.
Plan for and implement a technology refresh schedule for the system throughout the system development life cycle.
Discussion:...

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.

The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.

References: SP 800-37 SP 800-30 OMB A-130 SP 800-160-1 SP 800-171 SP 800-172
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-171 Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2.
SP 800-172 Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172.
Related: AT-3 PL-8 PM-7 SA-4 SA-5 SA-8 SA-11 SA-15 SA-17 SA-22 SR-3 SR-4 SR-5 SR-9 CM-2 CM-4 RA-3 RA-9 SA-4 PM-25 RA-3 MA-6
AT-3 - Role-Based Training
PL-8 - Security and Privacy Architectures
PM-7 - Enterprise Architecture
SA-4 - Acquisition Process
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-11 - Developer Testing and Evaluation
SA-15 - Development Process, Standards, and Tools
SA-17 - Developer Security and Privacy Architecture and Design
SA-22 - Unsupported System Components
SR-3 - Supply Chain Controls and Processes
SR-4 - Provenance
SR-5 - Acquisition Strategies, Tools, and Methods
SR-9 - Tamper Resistance and Detection
CM-2 - Baseline Configuration
CM-4 - Impact Analyses
RA-3 - Risk Assessment
RA-9 - Criticality Analysis
SA-4 - Acquisition Process
PM-25 - Minimization Of Personally Identifiable Information Used In Testing, Training, and Research
RA-3 - Risk Assessment
MA-6 - Timely Maintenance
SA-4 - Acquisition Process
Control:...
[For baselines: Low, Moderate, High, Privacy]
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service:
SA-4a. Security and privacy functional requirements;
SA-4b. Strength of mechanism requirements;
SA-4c. Security and privacy assurance requirements;
SA-4d. Controls needed to satisfy the security and privacy requirements.
SA-4e. Security and privacy documentation requirements;
SA-4f. Requirements for protecting security and privacy documentation;
SA-4g. Description of the system development environment and environment in which the system is intended to operate;
SA-4h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
SA-4i. Acceptance criteria.
SA-4(1). Functional Properties Of Controls.
Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.
SA-4(2). Design and Implementation Information For Controls.
Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design and implementation information]] at [Assignment: organization-defined level of detail].
SA-4(3). Development Methods, Techniques, and Practices.
Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes:
[Assignment: organization-defined systems engineering methods];
[Assignment: organization-defined [Selection (one or more): systems security; privacy] engineering methods]; and
[Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes].
SA-4(3)(a). .
[Assignment: organization-defined systems engineering methods];
[Assignment: organization-defined [Selection (one or more): systems security; privacy] engineering methods]; and
[Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes].
SA-4(4). Assignment Of Components To Systems.
[Withdrawn: Incorporated into CM-8(9)].
SA-4(5). System, Component, and Service Configurations.
Require the developer of the system, system component, or system service to:
Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
SA-4(5)(a). .
Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
SA-4(6). Use Of Information Assurance Products.
Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
SA-4(6)(a). .
Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
SA-4(7). Niap-Approved Protection Profiles.
Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.
SA-4(7)(a). .
Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.
SA-4(8). Continuous Monitoring Plan For Controls.
Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.
SA-4(9). Functions, Ports, Protocols, and Services In Use.
Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.
SA-4(10). Use Of Approved Piv Products.
Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.
SA-4(11). System Of Records.
Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.
SA-4(12). Data Ownership.
Include organizational data ownership requirements in the acquisition contract; and
Require all data to be removed from the contractor’s system and returned to the organization within [Assignment: organization-defined time frame].
SA-4(12)(a). .
Include organizational data ownership requirements in the acquisition contract; and
Require all data to be removed from the contractor’s system and returned to the organization within [Assignment: organization-defined time frame].
Discussion:...

Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. SP 800-160-1 describes the process of requirements engineering as part of the system development life cycle.

Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.

Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.

References: IR 7622 SP 800-161 IR 8062 IR 7676 IR 7870 SP 800-73-4 IR 7539 SP 800-137 SP 800-35 ISO 15408-1 ISO 15408-2 ISO 15408-3 ISO 29148 SP 800-37 NIAP CCEVS FIPS 201-2 FIPS 140-3 NSA CSFC OMB A-130 PRIVACT SP 800-70 SP 800-160-1
IR 7622 Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622.
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
IR 7676 Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676.
IR 7870 Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870.
SP 800-73-4 Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016.
IR 7539 Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539.
SP 800-137 Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137.
SP 800-35 Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35.
ISO 15408-1 International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model, April 2017.
ISO 15408-2 International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements, April 2017.
ISO 15408-3 International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements, April 2017.
ISO 29148 International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, Systems and software engineering—Life cycle processes—Requirements engineering, November 2018.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
NIAP CCEVS National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme.
FIPS 201-2 National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2.
FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
NSA CSFC National Security Agency, Commercial Solutions for Classified Program (CSfC).
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
PRIVACT Privacy Act (P.L. 93-579), December 1974.
SP 800-70 Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
Related: CM-6 CM-8 PS-7 SA-3 SA-5 SA-8 SA-11 SA-15 SA-16 SA-17 SA-21 SR-3 SR-5 SC-8 SC-12 SC-13 IA-7 SC-12 SC-13 CA-7 CM-7 SA-9 IA-2 IA-8 PM-9 PT-6
CM-6 - Configuration Settings
CM-8 - System Component Inventory
PS-7 - External Personnel Security
SA-3 - System Development Life Cycle
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-11 - Developer Testing and Evaluation
SA-15 - Development Process, Standards, and Tools
SA-16 - Developer-Provided Training
SA-17 - Developer Security and Privacy Architecture and Design
SA-21 - Developer Screening
SR-3 - Supply Chain Controls and Processes
SR-5 - Acquisition Strategies, Tools, and Methods
SC-8 - Transmission Confidentiality and Integrity
SC-12 - Cryptographic Key Establishment and Management
SC-13 - Cryptographic Protection
IA-7 - Cryptographic Module Authentication
SC-12 - Cryptographic Key Establishment and Management
SC-13 - Cryptographic Protection
CA-7 - Continuous Monitoring
CM-7 - Least Functionality
SA-9 - External System Services
IA-2 - Identification and Authentication (Organizational Users)
IA-8 - Identification and Authentication (Non-Organizational Users)
PM-9 - Risk Management Strategy
PT-6 - System Of Records Notice
SA-5 - System Documentation
Control:...
[For baselines: Low, Moderate, High]
SA-5a. Obtain or develop administrator documentation for the system, system component, or system service that describes:
SA-5a.1. Secure configuration, installation, and operation of the system, component, or service;
SA-5a.2. Effective use and maintenance of security and privacy functions and mechanisms; and
SA-5a.3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;
SA-5b. Obtain or develop user documentation for the system, system component, or system service that describes:
SA-5b.1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;
SA-5b.2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
SA-5b.3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
SA-5c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and
SA-5d. Distribute documentation to [Assignment: organization-defined personnel or roles].
SA-5(1). Functional Properties Of Security Controls.
[Withdrawn: Incorporated into SA-4(1)].
SA-5(2). Security-Relevant External System Interfaces.
[Withdrawn: Incorporated into SA-4(2)].
SA-5(3). High-Level Design.
[Withdrawn: Incorporated into SA-4(2)].
SA-5(4). Low-Level Design.
[Withdrawn: Incorporated into SA-4(2)].
SA-5(5). Source Code.
[Withdrawn: Incorporated into SA-4(2)].
Discussion:...

System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.

References: SP 800-160-1
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
Related: CM-4 CM-6 CM-7 CM-8 PL-2 PL-4 PL-8 PS-2 SA-3 SA-4 SA-8 SA-9 SA-10 SA-11 SA-15 SA-16 SA-17 SI-12 SR-3
SA-6 - Software Usage Restrictions
Control:...
[For baselines: ]
Discussion:...
Related:
SA-7 - User-Installed Software
Control:...
[For baselines: ]
Discussion:...
Related:
SA-8 - Security and Privacy Engineering Principles
Control:...
[For baselines: Low, Moderate, High]
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles].
SA-8(1). Clear Abstractions.
Implement the security design principle of clear abstractions.
SA-8(2). Least Common Mechanism.
Implement the security design principle of least common mechanism in [Assignment: organization-defined systems or system components].
SA-8(3). Modularity and Layering.
Implement the security design principles of modularity and layering in [Assignment: organization-defined systems or system components].
SA-8(4). Partially Ordered Dependencies.
Implement the security design principle of partially ordered dependencies in [Assignment: organization-defined systems or system components].
SA-8(5). Efficiently Mediated Access.
Implement the security design principle of efficiently mediated access in [Assignment: organization-defined systems or system components].
SA-8(6). Minimized Sharing.
Implement the security design principle of minimized sharing in [Assignment: organization-defined systems or system components].
SA-8(7). Reduced Complexity.
Implement the security design principle of reduced complexity in [Assignment: organization-defined systems or system components].
SA-8(8). Secure Evolvability.
Implement the security design principle of secure evolvability in [Assignment: organization-defined systems or system components].
SA-8(9). Trusted Components.
Implement the security design principle of trusted components in [Assignment: organization-defined systems or system components].
SA-8(10). Hierarchical Trust.
Implement the security design principle of hierarchical trust in [Assignment: organization-defined systems or system components].
SA-8(11). Inverse Modification Threshold.
Implement the security design principle of inverse modification threshold in [Assignment: organization-defined systems or system components].
SA-8(12). Hierarchical Protection.
Implement the security design principle of hierarchical protection in [Assignment: organization-defined systems or system components].
SA-8(13). Minimized Security Elements.
Implement the security design principle of minimized security elements in [Assignment: organization-defined systems or system components].
SA-8(14). Least Privilege.
Implement the security design principle of least privilege in [Assignment: organization-defined systems or system components].
SA-8(15). Predicate Permission.
Implement the security design principle of predicate permission in [Assignment: organization-defined systems or system components].
SA-8(16). Self-Reliant Trustworthiness.
Implement the security design principle of self-reliant trustworthiness in [Assignment: organization-defined systems or system components].
SA-8(17). Secure Distributed Composition.
Implement the security design principle of secure distributed composition in [Assignment: organization-defined systems or system components].
SA-8(18). Trusted Communications Channels.
Implement the security design principle of trusted communications channels in [Assignment: organization-defined systems or system components].
SA-8(19). Continuous Protection.
Implement the security design principle of continuous protection in [Assignment: organization-defined systems or system components].
SA-8(20). Secure Metadata Management.
Implement the security design principle of secure metadata management in [Assignment: organization-defined systems or system components].
SA-8(21). Self-Analysis.
Implement the security design principle of self-analysis in [Assignment: organization-defined systems or system components].
SA-8(22). Accountability and Traceability.
Implement the security design principle of accountability and traceability in [Assignment: organization-defined systems or system components].
SA-8(23). Secure Defaults.
Implement the security design principle of secure defaults in [Assignment: organization-defined systems or system components].
SA-8(24). Secure Failure and Recovery.
Implement the security design principle of secure failure and recovery in [Assignment: organization-defined systems or system components].
SA-8(25). Economic Security.
Implement the security design principle of economic security in [Assignment: organization-defined systems or system components].
SA-8(26). Performance Security.
Implement the security design principle of performance security in [Assignment: organization-defined systems or system components].
SA-8(27). Human Factored Security.
Implement the security design principle of human factored security in [Assignment: organization-defined systems or system components].
SA-8(28). Acceptable Security.
Implement the security design principle of acceptable security in [Assignment: organization-defined systems or system components].
SA-8(29). Repeatable and Documented Procedures.
Implement the security design principle of repeatable and documented procedures in [Assignment: organization-defined systems or system components].
SA-8(30). Procedural Rigor.
Implement the security design principle of procedural rigor in [Assignment: organization-defined systems or system components].
SA-8(31). Secure System Modification.
Implement the security design principle of secure system modification in [Assignment: organization-defined systems or system components].
SA-8(32). Sufficient Documentation.
Implement the security design principle of sufficient documentation in [Assignment: organization-defined systems or system components].
SA-8(33). Minimization.
Implement the privacy principle of minimization using [Assignment: organization-defined processes].
Discussion:...

Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.

The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.

Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.

References: IR 8062 SP 800-37 SP 800-53A FIPS 199 FIPS 200 OMB A-130 PRIVACT SP 800-160-1 SP 800-60-1 SP 800-60-2
IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
SP 800-53A Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014.
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
FIPS 200 National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
PRIVACT Privacy Act (P.L. 93-579), December 1974.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-60-1 Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
SP 800-60-2 Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
Related: PL-8 PM-7 RA-2 RA-3 RA-9 SA-3 SA-4 SA-15 SA-17 SA-20 SC-2 SC-3 SC-32 SC-39 SR-2 SR-3 SR-4 SR-5 SC-2 SC-3 AC-25 SC-31 CM-3 AC-6 CM-7 AC-5 SC-8 SC-12 SC-13 AC-25 CA-7 AC-6 AU-2 AU-3 AU-6 AU-9 AU-10 AU-12 IA-2 IR-4 CM-2 CM-6 SA-4 CP-10 CP-12 SC-7 SC-8 SC-24 SI-13 RA-3 SC-12 SC-13 SI-2 SI-7 CM-1 SA-1 SA-10 SA-11 SA-15 SA-17 SC-1 SI-1 CM-3 CM-4 AT-2 AT-3 SA-5 PE-8 PM-25 SC-42 SI-12
PL-8 - Security and Privacy Architectures
PM-7 - Enterprise Architecture
RA-2 - Security Categorization
RA-3 - Risk Assessment
RA-9 - Criticality Analysis
SA-3 - System Development Life Cycle
SA-4 - Acquisition Process
SA-15 - Development Process, Standards, and Tools
SA-17 - Developer Security and Privacy Architecture and Design
SA-20 - Customized Development Of Critical Components
SC-2 - Separation Of System and User Functionality
SC-3 - Security Function Isolation
SC-32 - System Partitioning
SC-39 - Process Isolation
SR-2 - Supply Chain Risk Management Plan
SR-3 - Supply Chain Controls and Processes
SR-4 - Provenance
SR-5 - Acquisition Strategies, Tools, and Methods
SC-2 - Separation Of System and User Functionality
SC-3 - Security Function Isolation
AC-25 - Reference Monitor
SC-31 - Covert Channel Analysis
CM-3 - Configuration Change Control
AC-6 - Least Privilege
CM-7 - Least Functionality
AC-5 - Separation Of Duties
SC-8 - Transmission Confidentiality and Integrity
SC-12 - Cryptographic Key Establishment and Management
SC-13 - Cryptographic Protection
AC-25 - Reference Monitor
CA-7 - Continuous Monitoring
AC-6 - Least Privilege
AU-2 - Event Logging
AU-3 - Content Of Audit Records
AU-6 - Audit Record Review, Analysis, and Reporting
AU-9 - Protection Of Audit Information
AU-10 - Non-Repudiation
AU-12 - Audit Record Generation
IA-2 - Identification and Authentication (Organizational Users)
IR-4 - Incident Handling
CM-2 - Baseline Configuration
CM-6 - Configuration Settings
SA-4 - Acquisition Process
CP-10 - System Recovery and Reconstitution
CP-12 - Safe Mode
SC-7 - Boundary Protection
SC-8 - Transmission Confidentiality and Integrity
SC-24 - Fail In Known State
SI-13 - Predictable Failure Prevention
RA-3 - Risk Assessment
SC-12 - Cryptographic Key Establishment and Management
SC-13 - Cryptographic Protection
SI-2 - Flaw Remediation
SI-7 - Software, Firmware, and Information Integrity
CM-1 - Policy and Procedures
SA-1 - Policy and Procedures
SA-10 - Developer Configuration Management
SA-11 - Developer Testing and Evaluation
SA-15 - Development Process, Standards, and Tools
SA-17 - Developer Security and Privacy Architecture and Design
SC-1 - Policy and Procedures
SI-1 - Policy and Procedures
CM-3 - Configuration Change Control
CM-4 - Impact Analyses
AT-2 - Literacy Training and Awareness
AT-3 - Role-Based Training
SA-5 - System Documentation
PE-8 - Visitor Access Records
PM-25 - Minimization Of Personally Identifiable Information Used In Testing, Training, and Research
SC-42 - Sensor Capability and Data
SI-12 - Information Management and Retention
SA-9 - External System Services
Control:...
[For baselines: Low, Moderate, High, Privacy]
SA-9a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls];
SA-9b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and
SA-9c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques].
SA-9(1). Risk Assessments and Organizational Approvals.
Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and
Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
SA-9(1)(a). .
Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and
Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
SA-9(2). Identification Of Functions, Ports, Protocols, and Services.
Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services].
SA-9(3). Establish and Maintain Trust Relationship With Providers.
Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: [Assignment: organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships].
SA-9(4). Consistent Interests Of Consumers and Providers.
Take the following actions to verify that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests: [Assignment: organization-defined actions].
SA-9(5). Processing, Storage, and Service Location.
Restrict the location of [Selection (one or more): information processing; information or data; system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].
SA-9(6). Organization-Controlled Cryptographic Keys.
Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
SA-9(7). Organization-Controlled Integrity Checking.
Provide the capability to check the integrity of information while it resides in the external system.
SA-9(8). Processing and Storage Location — U.S. Jurisdiction.
Restrict the geographic location of information processing and data storage to facilities located within in the legal jurisdictional boundary of the United States.
Discussion:...

External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.

References: SP 800-161 SP 800-35 OMB A-130 SP 800-160-1 SP 800-171
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
SP 800-35 Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-171 Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2.
Related: AC-20 CA-3 CP-2 IR-4 IR-7 PL-10 PL-11 PS-7 SA-2 SA-4 SR-3 SR-5 CA-6 RA-3 RA-8 CM-6 CM-7 SR-2 SA-5 SR-4 SC-12 SC-13 SI-4 SI-7 SA-5 SR-4
AC-20 - Use Of External Systems
CA-3 - Information Exchange
CP-2 - Contingency Plan
IR-4 - Incident Handling
IR-7 - Incident Response Assistance
PL-10 - Baseline Selection
PL-11 - Baseline Tailoring
PS-7 - External Personnel Security
SA-2 - Allocation Of Resources
SA-4 - Acquisition Process
SR-3 - Supply Chain Controls and Processes
SR-5 - Acquisition Strategies, Tools, and Methods
CA-6 - Authorization
RA-3 - Risk Assessment
RA-8 - Privacy Impact Assessments
CM-6 - Configuration Settings
CM-7 - Least Functionality
SR-2 - Supply Chain Risk Management Plan
SA-5 - System Documentation
SR-4 - Provenance
SC-12 - Cryptographic Key Establishment and Management
SC-13 - Cryptographic Protection
SI-4 - System Monitoring
SI-7 - Software, Firmware, and Information Integrity
SA-5 - System Documentation
SR-4 - Provenance
SA-10 - Developer Configuration Management
Control:...
[For baselines: Moderate, High]
Require the developer of the system, system component, or system service to:
SA-10a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal];
SA-10b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
SA-10c. Implement only organization-approved changes to the system, component, or service;
SA-10d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and
SA-10e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
SA-10(1). Software and Firmware Integrity Verification.
Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
SA-10(2). Alternative Configuration Management Processes.
Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
SA-10(3). Hardware Integrity Verification.
Require the developer of the system, system component, or system service to enable integrity verification of hardware components.
SA-10(4). Trusted Generation.
Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code with previous versions.
SA-10(5). Mapping Integrity For Version Control.
Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
SA-10(6). Trusted Distribution.
Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
SA-10(7). Security and Privacy Representatives.
Require [Assignment: organization-defined security and privacy representatives] to be included in the [Assignment: organization-defined configuration change management and control process].
Discussion:...

Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.

The configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle.

References: SP 800-128 FIPS 180-4 FIPS 202 FIPS 140-3 SP 800-160-1
SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
FIPS 180-4 National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4.
FIPS 202 National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202.
FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
Related: CM-2 CM-3 CM-4 CM-7 CM-9 SA-4 SA-5 SA-8 SA-15 SI-2 SR-3 SR-4 SR-5 SR-6 SI-7 SR-11 SI-7
SA-11 - Developer Testing and Evaluation
Control:...
[For baselines: Moderate, High, Privacy]
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
SA-11a. Develop and implement a plan for ongoing security and privacy control assessments;
SA-11b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage];
SA-11c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
SA-11d. Implement a verifiable flaw remediation process; and
SA-11e. Correct flaws identified during testing and evaluation.
SA-11(1). Static Code Analysis.
Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
SA-11(2). Threat Modeling and Vulnerability Analyses.
Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:
Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
Employs the following tools and methods: [Assignment: organization-defined tools and methods];
Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and
Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria].
SA-11(2)(a). .
Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
Employs the following tools and methods: [Assignment: organization-defined tools and methods];
Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and
Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria].
SA-11(3). Independent Verification Of Assessment Plans and Evidence.
Require an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and
Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.
SA-11(3)(a). .
Require an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and
Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.
SA-11(4). Manual Code Reviews.
Require the developer of the system, system component, or system service to perform a manual code review of [Assignment: organization-defined specific code] using the following processes, procedures, and/or techniques: [Assignment: organization-defined processes, procedures, and/or techniques].
SA-11(5). Penetration Testing.
Require the developer of the system, system component, or system service to perform penetration testing:
At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and
Under the following constraints: [Assignment: organization-defined constraints].
SA-11(5)(a). .
At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and
Under the following constraints: [Assignment: organization-defined constraints].
SA-11(6). Attack Surface Reviews.
Require the developer of the system, system component, or system service to perform attack surface reviews.
SA-11(7). Verify Scope Of Testing and Evaluation.
Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation].
SA-11(8). Dynamic Code Analysis.
Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
SA-11(9). Interactive Application Security Testing.
Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.
Discussion:...

Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.

Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation.

References: ISO 15408-3 SP 800-30 SP 800-53A SP 800-160-1 SP 800-154
ISO 15408-3 International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements, April 2017.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-53A Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-154 Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154.
Related: CA-2 CA-7 CM-4 SA-3 SA-4 SA-5 SA-8 SA-15 SA-17 SI-2 SR-5 SR-6 SR-7 PM-15 RA-3 RA-5 AT-3 RA-5 CA-8 PM-14 PM-25 PT-2 SA-3 SI-2 SI-6 SA-15 SA-15
CA-2 - Control Assessments
CA-7 - Continuous Monitoring
CM-4 - Impact Analyses
SA-3 - System Development Life Cycle
SA-4 - Acquisition Process
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-15 - Development Process, Standards, and Tools
SA-17 - Developer Security and Privacy Architecture and Design
SI-2 - Flaw Remediation
SR-5 - Acquisition Strategies, Tools, and Methods
SR-6 - Supplier Assessments and Reviews
SR-7 - Supply Chain Operations Security
PM-15 - Security and Privacy Groups and Associations
RA-3 - Risk Assessment
RA-5 - Vulnerability Monitoring and Scanning
AT-3 - Role-Based Training
RA-5 - Vulnerability Monitoring and Scanning
CA-8 - Penetration Testing
PM-14 - Testing, Training, and Monitoring
PM-25 - Minimization Of Personally Identifiable Information Used In Testing, Training, and Research
PT-2 - Authority To Process Personally Identifiable Information
SA-3 - System Development Life Cycle
SI-2 - Flaw Remediation
SI-6 - Security and Privacy Function Verification
SA-15 - Development Process, Standards, and Tools
SA-15 - Development Process, Standards, and Tools
SA-12 - Supply Chain Protection
Control:...
[For baselines: ]
SA-12(1). Acquisition Strategies / Tools / Methods.
[Withdrawn: Moved to SR-5].
SA-12(2). Supplier Reviews.
[Withdrawn: Moved to SR-6].
SA-12(3). Trusted Shipping and Warehousing.
[Withdrawn: Incorporated into SR-3].
SA-12(4). Diversity Of Suppliers.
[Withdrawn: Moved to SR-3(1)].
SA-12(5). Limitation Of Harm.
[Withdrawn: Moved to SR-3(2)].
SA-12(6). Minimizing Procurement Time.
[Withdrawn: Incorporated into SR-5(1)].
SA-12(7). Assessments Prior To Selection / Acceptance / Update.
[Withdrawn: Moved to SR-5(2)].
SA-12(8). Use Of All-Source Intelligence.
[Withdrawn: Incorporated into RA-3(2)].
SA-12(9). Operations Security.
[Withdrawn: Moved to SR-7].
SA-12(10). Validate As Genuine and Not Altered.
[Withdrawn: Moved to SR-4(3)].
SA-12(11). Penetration Testing / Analysis Of Elements, Processes, and Actors.
[Withdrawn: Moved to SR-6(1)].
SA-12(12). Inter-Organizational Agreements.
[Withdrawn: Moved to SR-8].
SA-12(13). Critical Information System Components.
[Withdrawn: Incorporated into MA-6, RA-9].
SA-12(14). Identity and Traceability.
[Withdrawn: Incorporated into SR-4(1), SR-4(2)].
SA-12(15). Processes To Address Weaknesses Or Deficiencies.
[Withdrawn: Incorporated into SR-3].
Discussion:...
Related:
SA-13 - Trustworthiness
Control:...
[For baselines: ]
Discussion:...
Related:
SA-14 - Criticality Analysis
Control:...
[For baselines: ]
SA-14(1). Critical Components With No Viable Alternative Sourcing.
[Withdrawn: Incorporated into SA-20].
Discussion:...
Related:
SA-15 - Development Process, Standards, and Tools
Control:...
[For baselines: Moderate, High]
SA-15a. Require the developer of the system, system component, or system service to follow a documented development process that:
SA-15a.1. Explicitly addresses security and privacy requirements;
SA-15a.2. Identifies the standards and tools used in the development process;
SA-15a.3. Documents the specific tool options and tool configurations used in the development process; and
SA-15a.4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
SA-15b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements].
SA-15(1). Quality Metrics.
Require the developer of the system, system component, or system service to:
Define quality metrics at the beginning of the development process; and
Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery].
SA-15(1)(a). .
Define quality metrics at the beginning of the development process; and
Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery].
SA-15(2). Security and Privacy Tracking Tools.
Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.
SA-15(3). Criticality Analysis.
Require the developer of the system, system component, or system service to perform a criticality analysis:
At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and
At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis].
SA-15(3)(a). .
At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and
At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis].
SA-15(4). Threat Modeling and Vulnerability Analysis.
[Withdrawn: Incorporated into SA-11(2)].
SA-15(5). Attack Surface Reduction.
Require the developer of the system, system component, or system service to reduce attack surfaces to [Assignment: organization-defined thresholds].
SA-15(6). Continuous Improvement.
Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.
SA-15(7). Automated Vulnerability Analysis.
Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to:
Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
Determine the exploitation potential for discovered vulnerabilities;
Determine potential risk mitigations for delivered vulnerabilities; and
Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].
SA-15(7)(a). .
Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
Determine the exploitation potential for discovered vulnerabilities;
Determine potential risk mitigations for delivered vulnerabilities; and
Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].
SA-15(8). Reuse Of Threat and Vulnerability Information.
Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
SA-15(9). Use Of Live Data.
[Withdrawn: Incorporated into SA-3(2)].
SA-15(10). Incident Response Plan.
Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.
SA-15(11). Archive System Or Component.
Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.
SA-15(12). Minimize Personally Identifiable Information.
Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.
Discussion:...

Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.

References: IR 8179 SP 800-160-1
IR 8179 Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
Related: MA-6 SA-3 SA-4 SA-8 SA-10 SA-11 SR-3 SR-4 SR-5 SR-6 SR-9 SA-11 RA-9 AC-6 CM-7 RA-3 SA-11 RA-5 SA-11 IR-8 CM-2 PM-25 SA-3 SA-8
MA-6 - Timely Maintenance
SA-3 - System Development Life Cycle
SA-4 - Acquisition Process
SA-8 - Security and Privacy Engineering Principles
SA-10 - Developer Configuration Management
SA-11 - Developer Testing and Evaluation
SR-3 - Supply Chain Controls and Processes
SR-4 - Provenance
SR-5 - Acquisition Strategies, Tools, and Methods
SR-6 - Supplier Assessments and Reviews
SR-9 - Tamper Resistance and Detection
SA-11 - Developer Testing and Evaluation
RA-9 - Criticality Analysis
AC-6 - Least Privilege
CM-7 - Least Functionality
RA-3 - Risk Assessment
SA-11 - Developer Testing and Evaluation
RA-5 - Vulnerability Monitoring and Scanning
SA-11 - Developer Testing and Evaluation
IR-8 - Incident Response Plan
CM-2 - Baseline Configuration
PM-25 - Minimization Of Personally Identifiable Information Used In Testing, Training, and Research
SA-3 - System Development Life Cycle
SA-8 - Security and Privacy Engineering Principles
SA-16 - Developer-Provided Training
Control:...
[For baselines: High]
Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: [Assignment: organization-defined training].
Discussion:...

Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms.

Related: AT-2 AT-3 PE-3 SA-4 SA-5
SA-17 - Developer Security and Privacy Architecture and Design
Control:...
[For baselines: High]
Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:
SA-17a. Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture;
SA-17b. Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and
SA-17c. Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.
SA-17(1). Formal Policy Model.
Require the developer of the system, system component, or system service to:
Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security and privacy policy] to be enforced; and
Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented.
SA-17(1)(a). .
Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security and privacy policy] to be enforced; and
Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented.
SA-17(2). Security-Relevant Components.
Require the developer of the system, system component, or system service to:
Define security-relevant hardware, software, and firmware; and
Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
SA-17(2)(a). .
Define security-relevant hardware, software, and firmware; and
Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
SA-17(3). Formal Correspondence.
Require the developer of the system, system component, or system service to:
Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
SA-17(3)(a). .
Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
SA-17(4). Informal Correspondence.
Require the developer of the system, system component, or system service to:
Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
Show via [Selection: informal demonstration; convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
SA-17(4)(a). .
Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
Show via [Selection: informal demonstration; convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
SA-17(5). Conceptually Simple Design.
Require the developer of the system, system component, or system service to:
Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
SA-17(5)(a). .
Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
SA-17(6). Structure For Testing.
Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing.
SA-17(7). Structure For Least Privilege.
Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
SA-17(8). Orchestration.
Design [Assignment: organization-defined critical systems or system components] with coordinated behavior to implement the following capabilities: [Assignment: organization-defined capabilities, by system or component].
SA-17(9). Design Diversity.
Use different designs for [Assignment: organization-defined critical systems or system components] to satisfy a common set of requirements or to provide equivalent functionality.
Discussion:...

Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. ISO 15408-2, ISO 15408-3, and SP 800-160-1 provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.

References: ISO 15408-2 ISO 15408-3 SP 800-160-1
ISO 15408-2 International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements, April 2017.
ISO 15408-3 International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements, April 2017.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
Related: PL-2 PL-8 PM-7 SA-3 SA-4 SA-8 SC-7 AC-3 AC-4 AC-25 AC-25 SA-5 AC-3 AC-4 AC-25 SA-4 SA-5 AC-3 AC-4 AC-25 SA-4 SA-5 AC-25 SA-8 SC-3 SA-5 SA-11 AC-5 AC-6 SA-8
PL-2 - System Security and Privacy Plans
PL-8 - Security and Privacy Architectures
PM-7 - Enterprise Architecture
SA-3 - System Development Life Cycle
SA-4 - Acquisition Process
SA-8 - Security and Privacy Engineering Principles
SC-7 - Boundary Protection
AC-3 - Access Enforcement
AC-4 - Information Flow Enforcement
AC-25 - Reference Monitor
AC-25 - Reference Monitor
SA-5 - System Documentation
AC-3 - Access Enforcement
AC-4 - Information Flow Enforcement
AC-25 - Reference Monitor
SA-4 - Acquisition Process
SA-5 - System Documentation
AC-3 - Access Enforcement
AC-4 - Information Flow Enforcement
AC-25 - Reference Monitor
SA-4 - Acquisition Process
SA-5 - System Documentation
AC-25 - Reference Monitor
SA-8 - Security and Privacy Engineering Principles
SC-3 - Security Function Isolation
SA-5 - System Documentation
SA-11 - Developer Testing and Evaluation
AC-5 - Separation Of Duties
AC-6 - Least Privilege
SA-8 - Security and Privacy Engineering Principles
SA-18 - Tamper Resistance and Detection
Control:...
[For baselines: ]
SA-18(1). Multiple Phases Of System Development Life Cycle.
[Withdrawn: Moved to SR-9(1)].
SA-18(2). Inspection Of Systems Or Components.
[Withdrawn: Moved to SR-10].
Discussion:...
Related:
SA-19 - Component Authenticity
Control:...
[For baselines: ]
SA-19(1). Anti-Counterfeit Training.
[Withdrawn: Moved to SR-11(1)].
SA-19(2). Configuration Control For Component Service and Repair.
[Withdrawn: Moved to SR-11(2)].
SA-19(3). Component Disposal.
[Withdrawn: Moved to SR-12].
SA-19(4). Anti-Counterfeit Scanning.
[Withdrawn: Moved to SR-11(3)].
Discussion:...
Related:
SA-20 - Customized Development Of Critical Components
Control:...
[For baselines: Not Selected]
Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components].
Discussion:...

Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to adequately mitigate risk. Reimplementation or custom development of such components may satisfy requirements for higher assurance and is carried out by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to reimplement or custom develop critical system components, additional controls can be employed. Controls include enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files.

References: SP 800-160-1
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
Related: CP-2 RA-9 SA-8
SA-21 - Developer Screening
Control:...
[For baselines: High]
Require that the developer of [Assignment: organization-defined system, system component, or system service]:
SA-21a. Has appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
SA-21b. Satisfies the following additional personnel screening criteria: [Assignment: organization-defined additional personnel screening criteria].
SA-21(1). Validation Of Screening.
[Withdrawn: Incorporated into SA-21].
Discussion:...

Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements.

Related: PS-2 PS-3 PS-6 PS-7 SA-4 SR-6
SA-22 - Unsupported System Components
Control:...
[For baselines: Low, Moderate, High]
SA-22a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
SA-22b. Provide the following options for alternative sources for continued support for unsupported components [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]].
SA-22(1). Alternative Sources For Continued Support.
[Withdrawn: Incorporated into SA-22].
Discussion:...

Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.

Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation.

Related: PL-2 SA-3
SA-23 - Specialization
Control:...
[For baselines: Not Selected]
Employ [Selection (one or more): design; modification; augmentation; reconfiguration] on [Assignment: organization-defined systems or system components] supporting mission essential services or functions to increase the trustworthiness in those systems or components.
Discussion:...

It is often necessary for a system or system component that supports mission-essential services or functions to be enhanced to maximize the trustworthiness of the resource. Sometimes this enhancement is done at the design level. In other instances, it is done post-design, either through modifications of the system in question or by augmenting the system with additional components. For example, supplemental authentication or non-repudiation functions may be added to the system to enhance the identity of critical resources to other resources that depend on the organization-defined resources.

References: SP 800-160-1 SP 800-160-2
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.
Related: RA-9 SA-8
SR - Supply Chain Risk Management
SR-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High]
SR-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
SR-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] supply chain risk management policy that:
SR-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
SR-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
SR-1a.2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;
SR-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and
SR-1c. Review and update the current supply chain risk management:
SR-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
SR-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: 41 CFR 201 SP 800-100 SP 800-161 CNSSD 505 EO 13873 SP 800-39 SP 800-30 SP 800-12 FASC18
41 CFR 201
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
CNSSD 505 Committee on National Security Systems Directive No. 505, Supply Chain Risk Management (SCRM), August 2017.
EO 13873 Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain, May 2019.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
Related: PM-9 PM-30 PS-8 SI-12
SR-2 - Supply Chain Risk Management Plan
Control:...
[For baselines: Low, Moderate, High]
SR-2a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services];
SR-2b. Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes; and
SR-2c. Protect the supply chain risk management plan from unauthorized disclosure and modification.
SR-2(1). Establish Scrm Team.
Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities].
Discussion:...

The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.

Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).

References: 41 CFR 201 IR 7622 SP 800-161 CNSSD 505 EO 13873 SP 800-39 SP 800-30 IR 8272 SP 800-181 SP 800-160-1 FASC18
41 CFR 201
IR 7622 Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622.
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
CNSSD 505 Committee on National Security Systems Directive No. 505, Supply Chain Risk Management (SCRM), August 2017.
EO 13873 Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain, May 2019.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
IR 8272 Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272.
SP 800-181 Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
Related: CA-2 CP-4 IR-4 MA-2 MA-6 PE-16 PL-2 PM-9 PM-30 RA-3 RA-7 SA-8 SI-4
SR-3 - Supply Chain Controls and Processes
Control:...
[For baselines: Low, Moderate, High]
SR-3a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel];
SR-3b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and
SR-3c. Document the selected and implemented supply chain processes and controls in [Selection: security and privacy plans; supply chain risk management plan; [Assignment: organization-defined document]].
SR-3(1). Diverse Supply Base.
Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services].
SR-3(2). Limitation Of Harm.
Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [Assignment: organization-defined controls].
SR-3(3). Sub-Tier Flow Down.
Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.
Discussion:...

Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

References: 41 CFR 201 IR 7622 SP 800-161 EO 13873 ISO 20243 SP 800-30 FASC18
41 CFR 201
IR 7622 Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622.
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
EO 13873 Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain, May 2019.
ISO 20243 International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations, February 2018.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
Related: CA-2 MA-2 MA-6 PE-3 PE-16 PL-8 PM-30 SA-2 SA-3 SA-4 SA-5 SA-8 SA-9 SA-10 SA-15 SC-7 SC-29 SC-30 SC-38 SI-7 SR-6 SR-9 SR-11 SR-5 SR-8
CA-2 - Control Assessments
MA-2 - Controlled Maintenance
MA-6 - Timely Maintenance
PE-3 - Physical Access Control
PE-16 - Delivery and Removal
PL-8 - Security and Privacy Architectures
PM-30 - Supply Chain Risk Management Strategy
SA-2 - Allocation Of Resources
SA-3 - System Development Life Cycle
SA-4 - Acquisition Process
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-9 - External System Services
SA-10 - Developer Configuration Management
SA-15 - Development Process, Standards, and Tools
SC-7 - Boundary Protection
SC-29 - Heterogeneity
SC-30 - Concealment and Misdirection
SC-38 - Operations Security
SI-7 - Software, Firmware, and Information Integrity
SR-6 - Supplier Assessments and Reviews
SR-9 - Tamper Resistance and Detection
SR-11 - Component Authenticity
SR-5 - Acquisition Strategies, Tools, and Methods
SR-8 - Notification Agreements
SR-4 - Provenance
Control:...
[For baselines: Not Selected]
Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data].
SR-4(1). Identity.
Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: [Assignment: organization-defined supply chain elements, processes, and personnel associated with organization-defined systems and critical system components].
SR-4(2). Track and Trace.
Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: [Assignment: organization-defined systems and critical system components].
SR-4(3). Validate As Genuine and Not Altered.
Employ the following controls to validate that the system or system component received is genuine and has not been altered: [Assignment: organization-defined controls].
SR-4(4). Supply Chain Integrity — Pedigree.
Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined analysis] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services.
Discussion:...

Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Organizations consider developing procedures (see SR-1) for allocating responsibilities for the creation, maintenance, and monitoring of provenance for systems and system components; transferring provenance documentation and responsibility between organizations; and preventing and monitoring for unauthorized changes to the provenance records. Organizations have methods to document, monitor, and maintain valid provenance baselines for systems, system components, and related data. These actions help track, assess, and document any changes to the provenance, including changes in supply chain elements or configuration, and help ensure non-repudiation of provenance information and the provenance change records. Provenance considerations are addressed throughout the system development life cycle and incorporated into contracts and other arrangements, as appropriate.

References: 41 CFR 201 IR 7622 SP 800-161 EO 13873 IR 8112 ISO 20243 ISO 27036 IR 8272 SP 800-160-1 FASC18
41 CFR 201
IR 7622 Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622.
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
EO 13873 Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain, May 2019.
IR 8112 Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112.
ISO 20243 International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations, February 2018.
ISO 27036 International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts, April 2014.
IR 8272 Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272.
SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
Related: CM-8 MA-2 MA-6 RA-9 SA-3 SA-8 SI-4 IA-2 IA-8 PE-16 IA-2 IA-8 PE-16 PL-2 AT-3 SR-9 SR-10 SR-11 RA-3
SR-5 - Acquisition Strategies, Tools, and Methods
Control:...
[For baselines: Low, Moderate, High]
Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].
SR-5(1). Adequate Supply.
Employ the following controls to ensure an adequate supply of [Assignment: organization-defined critical system components]: [Assignment: organization-defined controls].
SR-5(2). Assessments Prior To Selection, Acceptance, Modification, Or Update.
Assess the system, system component, or system service prior to selection, acceptance, modification, or update.
Discussion:...

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

References: 41 CFR 201 IR 7622 SP 800-161 EO 13873 ISO 20243 ISO 27036 SP 800-30 IR 8272 FASC18
41 CFR 201
IR 7622 Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622.
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
EO 13873 Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain, May 2019.
ISO 20243 International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations, February 2018.
ISO 27036 International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts, April 2014.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
IR 8272 Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272.
FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
Related: AT-3 SA-2 SA-3 SA-4 SA-5 SA-8 SA-9 SA-10 SA-15 SR-6 SR-9 SR-10 SR-11 RA-9 CA-8 RA-5 SA-11 SI-7
SR-6 - Supplier Assessments and Reviews
Control:...
[For baselines: Moderate, High]
Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].
SR-6(1). Testing and Analysis.
Employ [Selection (one or more): organizational analysis; independent third-party analysis; organizational testing; independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organization-defined supply chain elements, processes, and actors].
Discussion:...

An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.

References: 41 CFR 201 IR 7622 SP 800-161 EO 13873 ISO 20243 ISO 27036 SP 800-30 FIPS 186-4 FIPS 180-4 FIPS 202 FIPS 140-3 IR 8272 FASC18
41 CFR 201
IR 7622 Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622.
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
EO 13873 Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain, May 2019.
ISO 20243 International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations, February 2018.
ISO 27036 International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts, April 2014.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
FIPS 186-4 National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.
FIPS 180-4 National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4.
FIPS 202 National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202.
FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
IR 8272 Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272.
FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
Related: SR-3 SR-5 CA-8 SI-4
SR-7 - Supply Chain Operations Security
Control:...
[For baselines: Not Selected]
Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined Operations Security (OPSEC) controls].
Discussion:...

Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information, analyzing friendly actions related to operations and other activities to identify actions that can be observed by potential adversaries, determining indicators that potential adversaries might obtain that could be interpreted or pieced together to derive information in sufficient time to cause harm to organizations, implementing safeguards or countermeasures to eliminate or reduce exploitable vulnerabilities and risk to an acceptable level, and considering how aggregated information may expose users or specific uses of the supply chain. Supply chain information includes user identities; uses for systems, system components, and system services; supplier identities; security and privacy requirements; system and component configurations; supplier processes; design specifications; and testing and evaluation results. Supply chain OPSEC may require organizations to withhold mission or business information from suppliers and may include the use of intermediaries to hide the end use or users of systems, system components, or system services.

References: IR 7622 SP 800-161 EO 13873 ISO 27036 SP 800-30
IR 7622 Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622.
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
EO 13873 Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain, May 2019.
ISO 27036 International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts, April 2014.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
Related: SC-38
SR-8 - Notification Agreements
Control:...
[For baselines: Low, Moderate, High]
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection (one or more): notification of supply chain compromises; results of assessments or audits; [Assignment: organization-defined information]].
Discussion:...

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

References: 41 CFR 201 IR 7622 SP 800-161 EO 13873 ISO 27036 SP 800-30 FASC18
41 CFR 201
IR 7622 Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622.
SP 800-161 Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161.
EO 13873 Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain, May 2019.
ISO 27036 International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts, April 2014.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
Related: IR-4 IR-6 IR-8
SR-9 - Tamper Resistance and Detection
Control:...
[For baselines: High]
Implement a tamper protection program for the system, system component, or system service.
SR-9(1). Multiple Stages Of System Development Life Cycle.
Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle.
Discussion:...

Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting systems and components during distribution and when in use.

References: ISO 20243
ISO 20243 International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations, February 2018.
Related: PE-3 PM-30 SA-15 SI-4 SI-7 SR-3 SR-4 SR-5 SR-10 SR-11 SA-3
SR-10 - Inspection Of Systems Or Components
Control:...
[For baselines: Low, Moderate, High]
Inspect the following systems or system components [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering: [Assignment: organization-defined systems or system components].
Discussion:...

The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations.

References: ISO 20243
ISO 20243 International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations, February 2018.
Related: AT-3 PM-30 SI-4 SI-7 SR-3 SR-4 SR-5 SR-9 SR-11
SR-11 - Component Authenticity
Control:...
[For baselines: Low, Moderate, High]
SR-11a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and
SR-11b. Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].
SR-11(1). Anti-Counterfeit Training.
Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware).
SR-11(2). Configuration Control For Component Service and Repair.
Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components].
SR-11(3). Anti-Counterfeit Scanning.
Scan for counterfeit system components [Assignment: organization-defined frequency].
Discussion:...

Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.

References: ISO 20243
ISO 20243 International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations, February 2018.
Related: PE-3 SA-4 SI-7 SR-9 SR-10 AT-3 CM-3 MA-2 MA-4 SA-10 RA-5
SR-12 - Component Disposal
Control:...
[For baselines: Low, Moderate, High]
Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods].
Discussion:...

Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market.

Related: MP-6
Operational
AT - Awareness and Training
AT-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High, Privacy]
AT-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
AT-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] awareness and training policy that:
AT-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
AT-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
AT-1a.2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;
AT-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and
AT-1c. Review and update the current awareness and training:
AT-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
AT-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: SP 800-100 SP 800-39 SP 800-30 SP 800-12 OMB A-130 SP 800-50
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-50 Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50.
Related: PM-9 PS-8 SI-12
AT-2 - Literacy Training and Awareness
Control:...
[For baselines: Low, Moderate, High, Privacy]
AT-2a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
AT-2a.1. As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and
AT-2a.2. When required by system changes or following [Assignment: organization-defined events];
AT-2b. Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques];
AT-2c. Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
AT-2d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
AT-2(1). Practical Exercises.
Provide practical exercises in literacy training that simulate events and incidents.
AT-2(2). Insider Threat.
Provide literacy training on recognizing and reporting potential indicators of insider threat.
AT-2(3). Social Engineering and Mining.
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
AT-2(4). Suspicious Communications and Anomalous System Behavior.
Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [Assignment: organization-defined indicators of malicious code].
AT-2(5). Advanced Persistent Threat.
Provide literacy training on the advanced persistent threat.
AT-2(6). Cyber Threat Environment.
Provide literacy training on the cyber threat environment; and
Reflect current cyber threat information in system operations.
AT-2(6)(a). .
Provide literacy training on the cyber threat environment; and
Reflect current cyber threat information in system operations.
Discussion:...

Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.

Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

References: OMB A-130 ODNI CTF SP 800-181 SP 800-160-2 SP 800-50
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
ODNI CTF Office of the Director of National Intelligence (ODNI) Cyber Threat Framework.
SP 800-181 Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1.
SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.
SP 800-50 Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50.
Related: AC-3 AC-17 AC-22 AT-3 AT-4 CP-3 IA-4 IR-2 IR-7 IR-9 PL-4 PM-13 PM-21 PS-7 PT-2 SA-8 SA-16 CA-2 CA-7 CP-4 IR-3 PM-12 RA-3
AT-3 - Role-Based Training
Control:...
[For baselines: Low, Moderate, High, Privacy]
AT-3a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]:
AT-3a.1. Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and
AT-3a.2. When required by system changes;
AT-3b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
AT-3c. Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
AT-3(1). Environmental Controls.
Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
AT-3(2). Physical Security Controls.
Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
AT-3(3). Practical Exercises.
Provide practical exercises in security and privacy training that reinforce training objectives.
AT-3(4). Suspicious Communications and Anomalous System Behavior.
[Withdrawn: Moved to AT-2(4)].
AT-3(5). Processing Personally Identifiable Information.
Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls.
Discussion:...

Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.

Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

References: OMB A-130 SP 800-181 SP 800-50
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-181 Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1.
SP 800-50 Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50.
Related: AC-3 AC-17 AC-22 AT-2 AT-4 CP-3 IR-2 IR-4 IR-7 IR-9 PL-4 PM-13 PM-23 PS-7 PS-9 SA-3 SA-8 SA-11 SA-16 SR-5 SR-6 SR-11 PE-1 PE-11 PE-13 PE-14 PE-15 PE-2 PE-3 PE-4 PT-2 PT-3 PT-5 PT-6
AC-3 - Access Enforcement
AC-17 - Remote Access
AC-22 - Publicly Accessible Content
AT-2 - Literacy Training and Awareness
AT-4 - Training Records
CP-3 - Contingency Training
IR-2 - Incident Response Training
IR-4 - Incident Handling
IR-7 - Incident Response Assistance
IR-9 - Information Spillage Response
PL-4 - Rules Of Behavior
PM-13 - Security and Privacy Workforce
PM-23 - Data Governance Body
PS-7 - External Personnel Security
PS-9 - Position Descriptions
SA-3 - System Development Life Cycle
SA-8 - Security and Privacy Engineering Principles
SA-11 - Developer Testing and Evaluation
SA-16 - Developer-Provided Training
SR-5 - Acquisition Strategies, Tools, and Methods
SR-6 - Supplier Assessments and Reviews
SR-11 - Component Authenticity
PE-1 - Policy and Procedures
PE-11 - Emergency Power
PE-13 - Fire Protection
PE-14 - Environmental Controls
PE-15 - Water Damage Protection
PE-2 - Physical Access Authorizations
PE-3 - Physical Access Control
PE-4 - Access Control For Transmission
PT-2 - Authority To Process Personally Identifiable Information
PT-3 - Personally Identifiable Information Processing Purposes
PT-5 - Privacy Notice
PT-6 - System Of Records Notice
AT-4 - Training Records
Control:...
[For baselines: Low, Moderate, High, Privacy]
AT-4a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
AT-4b. Retain individual training records for [Assignment: organization-defined time period].
Discussion:...

Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.

References: OMB A-130
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: AT-2 AT-3 CP-3 IR-2 PM-14 SI-12
AT-5 - Contacts With Security Groups and Associations
Control:...
[For baselines: ]
Discussion:...
Related:
AT-6 - Training Feedback
Control:...
[For baselines: Not Selected]
Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel].
Discussion:...

Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the evaluation and update of organizational training described in AT-2b and AT-3b.

Related:
CM - Configuration Management
CM-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High, Privacy]
CM-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
CM-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] configuration management policy that:
CM-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
CM-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
CM-1a.2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
CM-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
CM-1c. Review and update the current configuration management:
CM-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
CM-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: SP 800-100 SP 800-39 SP 800-30 SP 800-12 OMB A-130
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: PM-9 PS-8 SA-8 SI-12
CM-2 - Baseline Configuration
Control:...
[For baselines: Low, Moderate, High]
CM-2a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
CM-2b. Review and update the baseline configuration of the system:
CM-2b.1. [Assignment: organization-defined frequency];
CM-2b.2. When required due to [Assignment: organization-defined circumstances]; and
CM-2b.3. When system components are installed or upgraded.
CM-2(1). Reviews and Updates.
[Withdrawn: Incorporated into CM-2].
CM-2(2). Automation Support For Accuracy and Currency.
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].
CM-2(3). Retention Of Previous Configurations.
Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback.
CM-2(4). Unauthorized Software.
[Withdrawn: Incorporated into CM-7(4)].
CM-2(5). Authorized Software.
[Withdrawn: Incorporated into CM-7(5)].
CM-2(6). Development and Test Environments.
Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.
CM-2(7). Configure Systems and Components For High-Risk Areas.
Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls].
CM-2(7)(a). .
Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls].
Discussion:...

Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.

References: SP 800-128 SP 800-124
SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
SP 800-124 Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1.
Related: AC-19 AU-6 CA-9 CM-1 CM-3 CM-5 CM-6 CM-8 CM-9 CP-9 CP-10 CP-12 MA-2 PL-8 PM-5 SA-8 SA-10 SA-15 SC-18 CM-7 IA-3 RA-5 CM-4 SC-3 SC-7 MP-4 MP-5
AC-19 - Access Control For Mobile Devices
AU-6 - Audit Record Review, Analysis, and Reporting
CA-9 - Internal System Connections
CM-1 - Policy and Procedures
CM-3 - Configuration Change Control
CM-5 - Access Restrictions For Change
CM-6 - Configuration Settings
CM-8 - System Component Inventory
CM-9 - Configuration Management Plan
CP-9 - System Backup
CP-10 - System Recovery and Reconstitution
CP-12 - Safe Mode
MA-2 - Controlled Maintenance
PL-8 - Security and Privacy Architectures
PM-5 - System Inventory
SA-8 - Security and Privacy Engineering Principles
SA-10 - Developer Configuration Management
SA-15 - Development Process, Standards, and Tools
SC-18 - Mobile Code
CM-7 - Least Functionality
IA-3 - Device Identification and Authentication
RA-5 - Vulnerability Monitoring and Scanning
CM-4 - Impact Analyses
SC-3 - Security Function Isolation
SC-7 - Boundary Protection
MP-4 - Media Storage
MP-5 - Media Transport
CM-3 - Configuration Change Control
Control:...
[For baselines: Moderate, High]
CM-3a. Determine and document the types of changes to the system that are configuration-controlled;
CM-3b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
CM-3c. Document configuration change decisions associated with the system;
CM-3d. Implement approved configuration-controlled changes to the system;
CM-3e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];
CM-3f. Monitor and review activities associated with configuration-controlled changes to the system; and
CM-3g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].
CM-3(1). Automated Documentation, Notification, and Prohibition Of Changes.
Use [Assignment: organization-defined automated mechanisms] to:
Document proposed changes to the system;
Notify [Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval;
Highlight proposed changes to the system that have not been approved or disapproved within [Assignment: organization-defined time period];
Prohibit changes to the system until designated approvals are received;
Document all changes to the system; and
Notify [Assignment: organization-defined personnel] when approved changes to the system are completed.
CM-3(1)(a). .
Document proposed changes to the system;
Notify [Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval;
Highlight proposed changes to the system that have not been approved or disapproved within [Assignment: organization-defined time period];
Prohibit changes to the system until designated approvals are received;
Document all changes to the system; and
Notify [Assignment: organization-defined personnel] when approved changes to the system are completed.
CM-3(2). Testing, Validation, and Documentation Of Changes.
Test, validate, and document changes to the system before finalizing the implementation of the changes.
CM-3(3). Automated Change Implementation.
Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms].
CM-3(4). Security and Privacy Representatives.
Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element].
CM-3(5). Automated Security Response.
Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses].
CM-3(6). Cryptography Management.
Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls].
CM-3(7). Review System Changes.
Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
CM-3(8). Prevent Or Restrict Configuration Changes.
Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances].
Discussion:...

Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.

References: IR 8062 SP 800-128 SP 800-124
IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
SP 800-124 Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1.
Related: CA-7 CM-2 CM-4 CM-5 CM-6 CM-9 CM-11 IA-3 MA-2 PE-16 PT-6 RA-8 SA-8 SA-10 SC-28 SC-34 SC-37 SI-2 SI-3 SI-4 SI-7 SI-10 SR-11 SC-12 AU-6 AU-7 CM-3
CA-7 - Continuous Monitoring
CM-2 - Baseline Configuration
CM-4 - Impact Analyses
CM-5 - Access Restrictions For Change
CM-6 - Configuration Settings
CM-9 - Configuration Management Plan
CM-11 - User-Installed Software
IA-3 - Device Identification and Authentication
MA-2 - Controlled Maintenance
PE-16 - Delivery and Removal
PT-6 - System Of Records Notice
RA-8 - Privacy Impact Assessments
SA-8 - Security and Privacy Engineering Principles
SA-10 - Developer Configuration Management
SC-28 - Protection Of Information At Rest
SC-34 - Non-Modifiable Executable Programs
SC-37 - Out-Of-Band Channels
SI-2 - Flaw Remediation
SI-3 - Malicious Code Protection
SI-4 - System Monitoring
SI-7 - Software, Firmware, and Information Integrity
SI-10 - Information Input Validation
SR-11 - Component Authenticity
SC-12 - Cryptographic Key Establishment and Management
AU-6 - Audit Record Review, Analysis, and Reporting
AU-7 - Audit Record Reduction and Report Generation
CM-3 - Configuration Change Control
CM-4 - Impact Analyses
Control:...
[For baselines: Low, Moderate, High, Privacy]
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
CM-4(1). Separate Test Environments.
Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.
CM-4(2). Verification Of Controls.
After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.
Discussion:...

Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required.

References: SP 800-128
SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
Related: CA-7 CM-3 CM-8 CM-9 MA-2 RA-3 RA-5 RA-8 SA-5 SA-8 SA-10 SI-2 SA-11 SC-7 SA-11 SC-3 SI-6
CM-5 - Access Restrictions For Change
Control:...
[For baselines: Low, Moderate, High]
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
CM-5(1). Automated Access Enforcement and Audit Records.
Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and
Automatically generate audit records of the enforcement actions.
CM-5(1)(a). .
Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and
Automatically generate audit records of the enforcement actions.
CM-5(2). Review System Changes.
[Withdrawn: Incorporated into CM-3(7)].
CM-5(3). Signed Components.
[Withdrawn: Moved to CM-14].
CM-5(4). Dual Authorization.
Enforce dual authorization for implementing changes to [Assignment: organization-defined system components and system-level information].
CM-5(5). Privilege Limitation For Production and Operation.
Limit privileges to change system components and system-related information within a production or operational environment; and
Review and reevaluate privileges [Assignment: organization-defined frequency].
CM-5(5)(a). .
Limit privileges to change system components and system-related information within a production or operational environment; and
Review and reevaluate privileges [Assignment: organization-defined frequency].
CM-5(6). Limit Library Privileges.
Limit privileges to change software resident within software libraries.
CM-5(7). Automatic Implementation Of Security Safeguards.
[Withdrawn: Incorporated into SI-7].
Discussion:...

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

References: FIPS 186-4 FIPS 140-3
FIPS 186-4 National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.
FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
Related: AC-3 AC-5 AC-6 CM-9 PE-3 SC-28 SC-34 SC-37 SI-2 SI-10 AU-2 AU-6 AU-7 AU-12 CM-6 CM-11 SI-12 AC-2 AC-5 CM-3 AC-2 AC-2
CM-6 - Configuration Settings
Control:...
[For baselines: Low, Moderate, High]
CM-6a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
CM-6b. Implement the configuration settings;
CM-6c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
CM-6d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
CM-6(1). Automated Management, Application, and Verification.
Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms].
CM-6(2). Respond To Unauthorized Changes.
Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions].
CM-6(3). Unauthorized Change Detection.
[Withdrawn: Incorporated into SI-7].
CM-6(4). Conformance Demonstration.
[Withdrawn: Incorporated into CM-4].
Discussion:...

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.

Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.

Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline USGCB and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

References: DOD STIG SP 800-128 NCPR USGCB SP 800-70 SP 800-126
DOD STIG Defense Information Systems Agency, Security Technical Implementation Guides (STIG).
SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
NCPR National Institute of Standards and Technology (2020) National Checklist Program Repository. Available at
USGCB National Institute of Standards and Technology (2020) United States Government Configuration Baseline. Available at
SP 800-70 Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4.
SP 800-126 Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3.
Related: AC-3 AC-19 AU-2 AU-6 CA-9 CM-2 CM-3 CM-5 CM-7 CM-11 CP-7 CP-9 CP-10 IA-3 IA-5 PL-8 PL-9 RA-5 SA-4 SA-5 SA-8 SA-9 SC-18 SC-28 SC-43 SI-2 SI-4 SI-6 CA-7 IR-4 IR-6 SI-7
AC-3 - Access Enforcement
AC-19 - Access Control For Mobile Devices
AU-2 - Event Logging
AU-6 - Audit Record Review, Analysis, and Reporting
CA-9 - Internal System Connections
CM-2 - Baseline Configuration
CM-3 - Configuration Change Control
CM-5 - Access Restrictions For Change
CM-7 - Least Functionality
CM-11 - User-Installed Software
CP-7 - Alternate Processing Site
CP-9 - System Backup
CP-10 - System Recovery and Reconstitution
IA-3 - Device Identification and Authentication
IA-5 - Authenticator Management
PL-8 - Security and Privacy Architectures
PL-9 - Central Management
RA-5 - Vulnerability Monitoring and Scanning
SA-4 - Acquisition Process
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-9 - External System Services
SC-18 - Mobile Code
SC-28 - Protection Of Information At Rest
SC-43 - Usage Restrictions
SI-2 - Flaw Remediation
SI-4 - System Monitoring
SI-6 - Security and Privacy Function Verification
CA-7 - Continuous Monitoring
IR-4 - Incident Handling
IR-6 - Incident Reporting
SI-7 - Software, Firmware, and Information Integrity
CM-7 - Least Functionality
Control:...
[For baselines: Low, Moderate, High]
CM-7a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
CM-7b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
CM-7(1). Periodic Review.
Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].
CM-7(1)(a). .
Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].
CM-7(2). Prevent Program Execution.
Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
CM-7(3). Registration Compliance.
Ensure compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
CM-7(4). Unauthorized Software — Deny-By-Exception.
Identify [Assignment: organization-defined software programs not authorized to execute on the system];
Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and
Review and update the list of unauthorized software programs [Assignment: organization-defined frequency].
CM-7(4)(a). .
Identify [Assignment: organization-defined software programs not authorized to execute on the system];
Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and
Review and update the list of unauthorized software programs [Assignment: organization-defined frequency].
CM-7(5). Authorized Software — Allow-By-Exception.
Identify [Assignment: organization-defined software programs authorized to execute on the system];
Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
Review and update the list of authorized software programs [Assignment: organization-defined frequency].
CM-7(5)(a). .
Identify [Assignment: organization-defined software programs authorized to execute on the system];
Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
Review and update the list of authorized software programs [Assignment: organization-defined frequency].
CM-7(6). Confined Environments With Limited Privileges.
Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software].
CM-7(7). Code Execution In Protected Environments.
Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is:
Obtained from sources with limited or no warranty; and/or
Without the provision of source code.
CM-7(7)(a). .
Obtained from sources with limited or no warranty; and/or
Without the provision of source code.
CM-7(8). Binary Or Machine Executable Code.
Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and
Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official.
CM-7(8)(a). .
Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and
Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official.
CM-7(9). Prohibiting The Use Of Unauthorized Hardware.
Identify [Assignment: organization-defined hardware components authorized for system use];
Prohibit the use or connection of unauthorized hardware components;
Review and update the list of authorized hardware components [Assignment: organization-defined frequency].
CM-7(9)(a). .
Identify [Assignment: organization-defined hardware components authorized for system use];
Prohibit the use or connection of unauthorized hardware components;
Review and update the list of authorized hardware components [Assignment: organization-defined frequency].
Discussion:...

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3).

References: FIPS 186-4 FIPS 180-4 FIPS 202 FIPS 140-3 SP 800-167
FIPS 186-4 National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.
FIPS 180-4 National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4.
FIPS 202 National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202.
FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
SP 800-167 Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167.
Related: AC-3 AC-4 CM-2 CM-5 CM-6 CM-11 RA-5 SA-4 SA-5 SA-8 SA-9 SA-15 SC-2 SC-3 SC-7 SC-37 SI-4 AC-18 CM-8 PL-4 PL-9 PM-5 PS-6 CM-6 CM-8 CM-10 PL-9 PM-5 CM-2 CM-6 CM-8 CM-10 PL-9 PM-5 SA-10 SC-34 SI-7 CM-11 SC-44 CM-10 SC-44 SA-5 SA-22
AC-3 - Access Enforcement
AC-4 - Information Flow Enforcement
CM-2 - Baseline Configuration
CM-5 - Access Restrictions For Change
CM-6 - Configuration Settings
CM-11 - User-Installed Software
RA-5 - Vulnerability Monitoring and Scanning
SA-4 - Acquisition Process
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-9 - External System Services
SA-15 - Development Process, Standards, and Tools
SC-2 - Separation Of System and User Functionality
SC-3 - Security Function Isolation
SC-7 - Boundary Protection
SC-37 - Out-Of-Band Channels
SI-4 - System Monitoring
AC-18 - Wireless Access
CM-8 - System Component Inventory
PL-4 - Rules Of Behavior
PL-9 - Central Management
PM-5 - System Inventory
PS-6 - Access Agreements
CM-6 - Configuration Settings
CM-8 - System Component Inventory
CM-10 - Software Usage Restrictions
PL-9 - Central Management
PM-5 - System Inventory
CM-2 - Baseline Configuration
CM-6 - Configuration Settings
CM-8 - System Component Inventory
CM-10 - Software Usage Restrictions
PL-9 - Central Management
PM-5 - System Inventory
SA-10 - Developer Configuration Management
SC-34 - Non-Modifiable Executable Programs
SI-7 - Software, Firmware, and Information Integrity
CM-11 - User-Installed Software
SC-44 - Detonation Chambers
CM-10 - Software Usage Restrictions
SC-44 - Detonation Chambers
SA-5 - System Documentation
SA-22 - Unsupported System Components
CM-8 - System Component Inventory
Control:...
[For baselines: Low, Moderate, High]
CM-8a. Develop and document an inventory of system components that:
CM-8a.1. Accurately reflects the system;
CM-8a.2. Includes all components within the system;
CM-8a.3. Does not include duplicate accounting of components or components assigned to any other system;
CM-8a.4. Is at the level of granularity deemed necessary for tracking and reporting; and
CM-8a.5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and
CM-8b. Review and update the system component inventory [Assignment: organization-defined frequency].
CM-8(1). Updates During Installation and Removal.
Update the inventory of system components as part of component installations, removals, and system updates.
CM-8(2). Automated Maintenance.
Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms].
CM-8(3). Automated Unauthorized Component Detection.
Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and
Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]].
CM-8(3)(a). .
Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and
Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]].
CM-8(4). Accountability Information.
Include in the system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible and accountable for administering those components.
CM-8(5). No Duplicate Accounting Of Components.
[Withdrawn: Incorporated into CM-8].
CM-8(6). Assessed Configurations and Approved Deviations.
Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.
CM-8(7). Centralized Repository.
Provide a centralized repository for the inventory of system components.
CM-8(8). Automated Location Tracking.
Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms].
CM-8(9). Assignment Of Components To Systems.
Assign system components to a system; and
Receive an acknowledgement from [Assignment: organization-defined personnel or roles] of this assignment.
CM-8(9)(a). .
Assign system components to a system; and
Receive an acknowledgement from [Assignment: organization-defined personnel or roles] of this assignment.
Discussion:...

System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.

Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.

References: SP 800-57-1 SP 800-57-2 SP 800-57-3 IR 8011-3 IR 8011-2 SP 800-128 OMB A-130
SP 800-57-1 Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5.
SP 800-57-2 Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1.
SP 800-57-3 Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1.
IR 8011-3 Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3.
IR 8011-2 Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2.
SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: CM-2 CM-7 CM-9 CM-10 CM-11 CM-13 CP-2 CP-9 MA-2 MA-6 PE-20 PL-9 PM-5 SA-4 SA-5 SI-2 SR-4 PM-16 AC-19 CA-7 RA-5 SC-3 SC-39 SC-44 SI-3 SI-4 SI-7 AC-3
CM-2 - Baseline Configuration
CM-7 - Least Functionality
CM-9 - Configuration Management Plan
CM-10 - Software Usage Restrictions
CM-11 - User-Installed Software
CM-13 - Data Action Mapping
CP-2 - Contingency Plan
CP-9 - System Backup
MA-2 - Controlled Maintenance
MA-6 - Timely Maintenance
PE-20 - Asset Monitoring and Tracking
PL-9 - Central Management
PM-5 - System Inventory
SA-4 - Acquisition Process
SA-5 - System Documentation
SI-2 - Flaw Remediation
SR-4 - Provenance
PM-16 - Threat Awareness Program
AC-19 - Access Control For Mobile Devices
CA-7 - Continuous Monitoring
RA-5 - Vulnerability Monitoring and Scanning
SC-3 - Security Function Isolation
SC-39 - Process Isolation
SC-44 - Detonation Chambers
SI-3 - Malicious Code Protection
SI-4 - System Monitoring
SI-7 - Software, Firmware, and Information Integrity
AC-3 - Access Enforcement
CM-9 - Configuration Management Plan
Control:...
[For baselines: Moderate, High]
Develop, document, and implement a configuration management plan for the system that:
CM-9a. Addresses roles, responsibilities, and configuration management processes and procedures;
CM-9b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
CM-9c. Defines the configuration items for the system and places the configuration items under configuration management;
CM-9d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and
CM-9e. Protects the configuration management plan from unauthorized disclosure and modification.
CM-9(1). Assignment Of Responsibility.
Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.
Discussion:...

Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.

Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.

Organizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control.

References: SP 800-128
SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
Related: CM-2 CM-3 CM-4 CM-5 CM-8 PL-2 RA-8 SA-10 SI-12
CM-10 - Software Usage Restrictions
Control:...
[For baselines: Low, Moderate, High]
CM-10a. Use software and associated documentation in accordance with contract agreements and copyright laws;
CM-10b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
CM-10c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CM-10(1). Open-Source Software.
Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions].
Discussion:...

Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements.

Related: AC-17 AU-6 CM-7 CM-8 PM-30 SC-7 SI-7
CM-11 - User-Installed Software
Control:...
[For baselines: Low, Moderate, High]
CM-11a. Establish [Assignment: organization-defined policies] governing the installation of software by users;
CM-11b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and
CM-11c. Monitor policy compliance [Assignment: organization-defined frequency].
CM-11(1). Alerts For Unauthorized Installations.
[Withdrawn: Incorporated into CM-8(3)].
CM-11(2). Software Installation With Privileged Status.
Allow user installation of software only with explicit privileged status.
CM-11(3). Automated Enforcement and Monitoring.
Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms].
Discussion:...

If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved app stores. Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

Related: AC-3 AU-6 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 PL-4 SI-4 SI-7 AC-5 AC-6
CM-12 - Information Location
Control:...
[For baselines: Moderate, High]
CM-12a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
CM-12b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
CM-12c. Document changes to the location (i.e., system or system components) where the information is processed and stored.
CM-12(1). Automated Tools To Support Information Location.
Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy.
Discussion:...

Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).

References: FIPS 199 SP 800-60-1 SP 800-60-2
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
SP 800-60-1 Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
SP 800-60-2 Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
Related: AC-2 AC-3 AC-4 AC-6 AC-23 CM-8 PM-5 RA-2 SA-4 SA-8 SA-17 SC-4 SC-16 SC-28 SI-4 SI-7
CM-13 - Data Action Mapping
Control:...
[For baselines: Not Selected]
Develop and document a map of system data actions.
Discussion:...

Data actions are system operations that process personally identifiable information. The processing of such information encompasses the full information life cycle, which includes collection, generation, transformation, use, disclosure, retention, and disposal. A map of system data actions includes discrete data actions, elements of personally identifiable information being processed in the data actions, system components involved in the data actions, and the owners or operators of the system components. Understanding what personally identifiable information is being processed (e.g., the sensitivity of the personally identifiable information), how personally identifiable information is being processed (e.g., if the data action is visible to the individual or is processed in another part of the system), and by whom (e.g., individuals may have different privacy perceptions based on the entity that is processing the personally identifiable information) provides a number of contextual factors that are important to assessing the degree of privacy risk created by the system. Data maps can be illustrated in different ways, and the level of detail may vary based on the mission and business needs of the organization. The data map may be an overlay of any system design artifact that the organization is using. The development of this map may necessitate coordination between the privacy and security programs regarding the covered data actions and the components that are identified as part of the system.

Related: AC-3 CM-4 CM-12 PM-5 PM-27 PT-2 PT-3 RA-3 RA-8
CM-14 - Signed Components
Control:...
[For baselines: Not Selected]
Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
Discussion:...

Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication.

References: IR 8062
IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
Related: CM-7 SC-12 SC-13 SI-7
CP - Contingency Planning
CP-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High]
CP-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
CP-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that:
CP-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
CP-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
CP-1a.2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;
CP-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and
CP-1c. Review and update the current contingency planning:
CP-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
CP-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: SP 800-100 SP 800-39 SP 800-30 SP 800-12 SP 800-34 SP 800-50
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
SP 800-34 Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010.
SP 800-50 Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50.
Related: PM-9 PS-8 SI-12
CP-2 - Contingency Plan
Control:...
[For baselines: Low, Moderate, High]
CP-2a. Develop a contingency plan for the system that:
CP-2a.1. Identifies essential mission and business functions and associated contingency requirements;
CP-2a.2. Provides recovery objectives, restoration priorities, and metrics;
CP-2a.3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
CP-2a.4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
CP-2a.5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
CP-2a.6. Addresses the sharing of contingency information; and
CP-2a.7. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
CP-2b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
CP-2c. Coordinate contingency planning activities with incident handling activities;
CP-2d. Review the contingency plan for the system [Assignment: organization-defined frequency];
CP-2e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
CP-2f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
CP-2g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and
CP-2h. Protect the contingency plan from unauthorized disclosure and modification.
CP-2(1). Coordinate With Related Plans.
Coordinate contingency plan development with organizational elements responsible for related plans.
CP-2(2). Capacity Planning.
Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CP-2(3). Resume Mission and Business Functions.
Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CP-2(4). Resume All Mission and Business Functions.
[Withdrawn: Incorporated into CP-2(3)].
CP-2(5). Continue Mission and Business Functions.
Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.
CP-2(6). Alternate Processing and Storage Sites.
Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.
CP-2(7). Coordinate With External Service Providers.
Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
CP-2(8). Identify Critical Assets.
Identify critical system assets supporting [Selection: all; essential] mission and business functions.
Discussion:...

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.

Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in IR-4(5). Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.

References: IR 8179 SP 800-34
IR 8179 Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179.
SP 800-34 Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010.
Related: CP-3 CP-4 CP-6 CP-7 CP-8 CP-9 CP-10 CP-11 CP-13 IR-4 IR-6 IR-8 IR-9 MA-6 MP-2 MP-4 MP-5 PL-2 PM-8 PM-11 SA-15 SA-20 SC-7 SC-23 SI-12 PE-11 PE-12 PE-13 PE-14 PE-18 SC-5 SA-9 CM-8 RA-9
CP-3 - Contingency Training
CP-4 - Contingency Plan Testing
CP-6 - Alternate Storage Site
CP-7 - Alternate Processing Site
CP-8 - Telecommunications Services
CP-9 - System Backup
CP-10 - System Recovery and Reconstitution
CP-11 - Alternate Communications Protocols
CP-13 - Alternative Security Mechanisms
IR-4 - Incident Handling
IR-6 - Incident Reporting
IR-8 - Incident Response Plan
IR-9 - Information Spillage Response
MA-6 - Timely Maintenance
MP-2 - Media Access
MP-4 - Media Storage
MP-5 - Media Transport
PL-2 - System Security and Privacy Plans
PM-8 - Critical Infrastructure Plan
PM-11 - Mission and Business Process Definition
SA-15 - Development Process, Standards, and Tools
SA-20 - Customized Development Of Critical Components
SC-7 - Boundary Protection
SC-23 - Session Authenticity
SI-12 - Information Management and Retention
PE-11 - Emergency Power
PE-12 - Emergency Lighting
PE-13 - Fire Protection
PE-14 - Environmental Controls
PE-18 - Location Of System Components
SC-5 - Denial-Of-Service Protection
SA-9 - External System Services
CM-8 - System Component Inventory
RA-9 - Criticality Analysis
CP-3 - Contingency Training
Control:...
[For baselines: Low, Moderate, High]
CP-3a. Provide contingency training to system users consistent with assigned roles and responsibilities:
CP-3a.1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
CP-3a.2. When required by system changes; and
CP-3a.3. [Assignment: organization-defined frequency] thereafter; and
CP-3b. Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
CP-3(1). Simulated Events.
Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
CP-3(2). Mechanisms Used In Training Environments.
Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.
Discussion:...

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.

References: SP 800-50
SP 800-50 Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50.
Related: AT-2 AT-3 AT-4 CP-2 CP-4 CP-8 IR-2 IR-4 IR-9
CP-4 - Contingency Plan Testing
Control:...
[For baselines: Low, Moderate, High]
CP-4a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests].
CP-4b. Review the contingency plan test results; and
CP-4c. Initiate corrective actions, if needed.
CP-4(1). Coordinate With Related Plans.
Coordinate contingency plan testing with organizational elements responsible for related plans.
CP-4(2). Alternate Processing Site.
Test the contingency plan at the alternate processing site:
To familiarize contingency personnel with the facility and available resources; and
To evaluate the capabilities of the alternate processing site to support contingency operations.
CP-4(2)(a). .
To familiarize contingency personnel with the facility and available resources; and
To evaluate the capabilities of the alternate processing site to support contingency operations.
CP-4(3). Automated Testing.
Test the contingency plan using [Assignment: organization-defined automated mechanisms].
CP-4(4). Full Recovery and Reconstitution.
Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.
CP-4(5). Self-Challenge.
Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component.
Discussion:...

Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

References: SP 800-84 FIPS 199 SP 800-160-2 SP 800-34
SP 800-84 Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84.
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.
SP 800-34 Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010.
Related: AT-3 CP-2 CP-3 CP-8 CP-9 IR-3 IR-4 PL-2 PM-14 SR-2 IR-8 PM-8 CP-7 CP-10 SC-24
CP-5 - Contingency Plan Update
Control:...
[For baselines: ]
Discussion:...
Related:
CP-6 - Alternate Storage Site
Control:...
[For baselines: Moderate, High]
CP-6a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
CP-6b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
CP-6(1). Separation From Primary Site.
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
CP-6(2). Recovery Time and Recovery Point Objectives.
Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
CP-6(3). Accessibility.
Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
Discussion:...

Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems.

References: SP 800-34
SP 800-34 Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010.
Related: CP-2 CP-7 CP-8 CP-9 CP-10 MP-4 MP-5 PE-3 SC-36 SI-13 RA-3 RA-3
CP-7 - Alternate Processing Site
Control:...
[For baselines: Moderate, High]
CP-7a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
CP-7b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and
CP-7c. Provide controls at the alternate processing site that are equivalent to those at the primary site.
CP-7(1). Separation From Primary Site.
Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.
CP-7(2). Accessibility.
Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7(3). Priority Of Service.
Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).
CP-7(4). Preparation For Use.
Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.
CP-7(5). Equivalent Information Security Safeguards.
[Withdrawn: Incorporated into CP-7].
CP-7(6). Inability To Return To Primary Site.
Plan and prepare for circumstances that preclude returning to the primary processing site.
Discussion:...

Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems.

References: SP 800-34
SP 800-34 Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010.
Related: CP-2 CP-6 CP-8 CP-9 CP-10 MA-6 PE-3 PE-11 PE-12 PE-17 SC-36 SI-13 RA-3 RA-3 CM-2 CM-6 CP-4
CP-8 - Telecommunications Services
Control:...
[For baselines: Moderate, High]
Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-8(1). Priority Of Service Provisions.
Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and
Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
CP-8(1)(a). .
Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and
Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
CP-8(2). Single Points Of Failure.
Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
CP-8(3). Separation Of Primary and Alternate Providers.
Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
CP-8(4). Provider Contingency Plan.
Require primary and alternate telecommunications service providers to have contingency plans;
Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and
Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency].
CP-8(4)(a). .
Require primary and alternate telecommunications service providers to have contingency plans;
Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and
Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency].
CP-8(5). Alternate Telecommunication Service Testing.
Test alternate telecommunication services [Assignment: organization-defined frequency].
Discussion:...

Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for CP-8. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

References: SP 800-34
SP 800-34 Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010.
Related: CP-2 CP-6 CP-7 CP-11 SC-7 CP-3 CP-4 CP-3
CP-9 - System Backup
Control:...
[For baselines: Low, Moderate, High]
CP-9a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
CP-9b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
CP-9c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
CP-9d. Protect the confidentiality, integrity, and availability of backup information.
CP-9(1). Testing For Reliability and Integrity.
Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
CP-9(2). Test Restoration Using Sampling.
Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.
CP-9(3). Separate Storage For Critical Information.
Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system.
CP-9(4). Protection From Unauthorized Modification.
[Withdrawn: Incorporated into CP-9].
CP-9(5). Transfer To Alternate Storage Site.
Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
CP-9(6). Redundant Secondary System.
Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CP-9(7). Dual Authorization For Deletion Or Destruction.
Enforce dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].
CP-9(8). Cryptographic Protection.
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information].
Discussion:...

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

References: SP 800-152 SP 800-130 FIPS 186-4 FIPS 140-3 SP 800-34
SP 800-152 Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152.
SP 800-130 Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130.
FIPS 186-4 National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.
FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
SP 800-34 Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010.
Related: CP-2 CP-6 CP-10 MP-4 MP-5 SC-8 SC-12 SC-13 SI-4 SI-13 CP-4 CP-4 CM-2 CM-6 CM-8 CP-7 MP-3 MP-4 MP-5 CP-7 AC-3 AC-5 MP-2 SC-12 SC-13 SC-28
CP-2 - Contingency Plan
CP-6 - Alternate Storage Site
CP-10 - System Recovery and Reconstitution
MP-4 - Media Storage
MP-5 - Media Transport
SC-8 - Transmission Confidentiality and Integrity
SC-12 - Cryptographic Key Establishment and Management
SC-13 - Cryptographic Protection
SI-4 - System Monitoring
SI-13 - Predictable Failure Prevention
CP-4 - Contingency Plan Testing
CP-4 - Contingency Plan Testing
CM-2 - Baseline Configuration
CM-6 - Configuration Settings
CM-8 - System Component Inventory
CP-7 - Alternate Processing Site
MP-3 - Media Marking
MP-4 - Media Storage
MP-5 - Media Transport
CP-7 - Alternate Processing Site
AC-3 - Access Enforcement
AC-5 - Separation Of Duties
MP-2 - Media Access
SC-12 - Cryptographic Key Establishment and Management
SC-13 - Cryptographic Protection
SC-28 - Protection Of Information At Rest
CP-10 - System Recovery and Reconstitution
Control:...
[For baselines: Low, Moderate, High]
Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.
CP-10(1). Contingency Plan Testing.
[Withdrawn: Incorporated into CP-4].
CP-10(2). Transaction Recovery.
Implement transaction recovery for systems that are transaction-based.
CP-10(3). Compensating Security Controls.
Addressed through tailoring.
CP-10(4). Restore Within Time Period.
Provide the capability to restore system components within [Assignment: organization-defined restoration time periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
CP-10(5). Failover Capability.
[Withdrawn: Incorporated into SI-13].
CP-10(6). Component Protection.
Protect system components used for recovery and reconstitution.
Discussion:...

Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.

References: SP 800-34
SP 800-34 Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010.
Related: CP-2 CP-4 CP-6 CP-7 CP-9 IR-4 SA-8 SC-24 SI-13 CM-2 CM-6 AC-3 AC-6 MP-2 MP-4 PE-3 PE-6
CP-11 - Alternate Communications Protocols
Control:...
[For baselines: Not Selected]
Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.
Discussion:...

Contingency plans and the contingency training or testing associated with those plans incorporate an alternate communications protocol capability as part of establishing resilience in organizational systems. Switching communications protocols may affect software applications and operational aspects of systems. Organizations assess the potential side effects of introducing alternate communications protocols prior to implementation.

Related: CP-2 CP-8 CP-13
CP-12 - Safe Mode
Control:...
[For baselines: Not Selected]
When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].
Discussion:...

For systems that support critical mission and business functions—including military operations, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments)—organizations can identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated either automatically or manually, restricts the operations that systems can execute when those conditions are encountered. Restriction includes allowing only selected functions to execute that can be carried out under limited power or with reduced communications bandwidth.

Related: CM-2 SA-8 SC-24 SI-13 SI-17
CP-13 - Alternative Security Mechanisms
Control:...
[For baselines: Not Selected]
Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.
Discussion:...

Use of alternative security mechanisms supports system resiliency, contingency planning, and continuity of operations. To ensure mission and business continuity, organizations can implement alternative or supplemental security mechanisms. The mechanisms may be less effective than the primary mechanisms. However, having the capability to readily employ alternative or supplemental mechanisms enhances mission and business continuity that might otherwise be adversely impacted if operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, the alternative or supplemental mechanisms are only applied to critical security capabilities provided by systems, system components, or system services. For example, an organization may issue one-time pads to senior executives, officials, and system administrators if multi-factor tokens—the standard means for achieving secure authentication— are compromised.

Related: CP-2 CP-11 SI-13
IR - Incident Response
IR-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High, Privacy]
IR-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
IR-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] incident response policy that:
IR-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
IR-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
IR-1a.2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;
IR-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and
IR-1c. Review and update the current incident response:
IR-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
IR-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: SP 800-100 SP 800-61 SP 800-39 SP 800-30 SP 800-12 OMB A-130 SP 800-83 SP 800-50
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
SP 800-61 Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-83 Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1.
SP 800-50 Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50.
Related: PM-9 PS-8 SI-12
IR-2 - Incident Response Training
Control:...
[For baselines: Low, Moderate, High, Privacy]
IR-2a. Provide incident response training to system users consistent with assigned roles and responsibilities:
IR-2a.1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access;
IR-2a.2. When required by system changes; and
IR-2a.3. [Assignment: organization-defined frequency] thereafter; and
IR-2b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
IR-2(1). Simulated Events.
Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.
IR-2(2). Automated Training Environments.
Provide an incident response training environment using [Assignment: organization-defined automated mechanisms].
IR-2(3). Breach.
Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.
Discussion:...

Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3. Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

References: OMB M-17-12 SP 800-50
OMB M-17-12 Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 2017.
SP 800-50 Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50.
Related: AT-2 AT-3 AT-4 CP-3 IR-3 IR-4 IR-8 IR-9
IR-3 - Incident Response Testing
Control:...
[For baselines: Moderate, High, Privacy]
Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].
IR-3(1). Automated Testing.
Test the incident response capability using [Assignment: organization-defined automated mechanisms].
IR-3(2). Coordination With Related Plans.
Coordinate incident response testing with organizational elements responsible for related plans.
IR-3(3). Continuous Improvement.
Use qualitative and quantitative data from testing to:
Determine the effectiveness of incident response processes;
Continuously improve incident response processes; and
Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.
IR-3(3)(a). .
Determine the effectiveness of incident response processes;
Continuously improve incident response processes; and
Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.
Discussion:...

Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.

References: SP 800-84 OMB A-130 SP 800-115
SP 800-84 Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-115 Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115.
Related: CP-3 CP-4 IR-2 IR-4 IR-8 PM-14
IR-4 - Incident Handling
Control:...
[For baselines: Low, Moderate, High, Privacy]
IR-4a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
IR-4b. Coordinate incident handling activities with contingency planning activities;
IR-4c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
IR-4d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
IR-4(1). Automated Incident Handling Processes.
Support the incident handling process using [Assignment: organization-defined automated mechanisms].
IR-4(2). Dynamic Reconfiguration.
Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration].
IR-4(3). Continuity Of Operations.
Identify [Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [Assignment: organization-defined actions to take in response to classes of incidents].
IR-4(4). Information Correlation.
Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
IR-4(5). Automatic Disabling Of System.
Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected.
IR-4(6). Insider Threats.
Implement an incident handling capability for incidents involving insider threats.
IR-4(7). Insider Threats — Intra-Organization Coordination.
Coordinate an incident handling capability for insider threats that includes the following organizational entities [Assignment: organization-defined entities].
IR-4(8). Correlation With External Organizations.
Coordinate with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
IR-4(9). Dynamic Response Capability.
Employ [Assignment: organization-defined dynamic response capabilities] to respond to incidents.
IR-4(10). Supply Chain Coordination.
Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.
IR-4(11). Integrated Incident Response Team.
Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period].
IR-4(12). Malicious Code and Forensic Analysis.
Analyze malicious code and/or other residual artifacts remaining in the system after the incident.
IR-4(13). Behavior Analysis.
Analyze anomalous or suspected adversarial behavior in or related to [Assignment: organization-defined environments or resources].
IR-4(14). Security Operations Center.
Establish and maintain a security operations center.
IR-4(15). Public Relations and Reputation Repair.
Manage public relations associated with an incident; and
Employ measures to repair the reputation of the organization.
IR-4(15)(a). .
Manage public relations associated with an incident; and
Employ measures to repair the reputation of the organization.
Discussion:...

Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes.

References: 41 CFR 201 SP 800-101 SP 800-184 SP 800-61 SP 800-150 SP 800-86 OMB M-17-12 SP 800-160-2 FASC18 IR 7559
41 CFR 201
SP 800-101 Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1.
SP 800-184 Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184.
SP 800-61 Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2.
SP 800-150 Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150.
SP 800-86 Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86.
OMB M-17-12 Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 2017.
SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.
FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
IR 7559 Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559.
Related: AC-19 AU-6 AU-7 CM-6 CP-2 CP-3 CP-4 IR-2 IR-3 IR-5 IR-6 IR-8 PE-6 PL-2 PM-12 SA-8 SC-5 SC-7 SI-3 SI-4 SI-7 AC-2 AC-4 CM-2 AU-16 PM-16 CA-3 MA-2 SA-9 SR-8 AT-3
AC-19 - Access Control For Mobile Devices
AU-6 - Audit Record Review, Analysis, and Reporting
AU-7 - Audit Record Reduction and Report Generation
CM-6 - Configuration Settings
CP-2 - Contingency Plan
CP-3 - Contingency Training
CP-4 - Contingency Plan Testing
IR-2 - Incident Response Training
IR-3 - Incident Response Testing
IR-5 - Incident Monitoring
IR-6 - Incident Reporting
IR-8 - Incident Response Plan
PE-6 - Monitoring Physical Access
PL-2 - System Security and Privacy Plans
PM-12 - Insider Threat Program
SA-8 - Security and Privacy Engineering Principles
SC-5 - Denial-Of-Service Protection
SC-7 - Boundary Protection
SI-3 - Malicious Code Protection
SI-4 - System Monitoring
SI-7 - Software, Firmware, and Information Integrity
AC-2 - Account Management
AC-4 - Information Flow Enforcement
CM-2 - Baseline Configuration
AU-16 - Cross-Organizational Audit Logging
PM-16 - Threat Awareness Program
CA-3 - Information Exchange
MA-2 - Controlled Maintenance
SA-9 - External System Services
SR-8 - Notification Agreements
AT-3 - Role-Based Training
IR-5 - Incident Monitoring
Control:...
[For baselines: Low, Moderate, High, Privacy]
Track and document incidents.
IR-5(1). Automated Tracking, Data Collection, and Analysis.
Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms].
Discussion:...

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.

References: SP 800-61
SP 800-61 Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2.
Related: AU-6 AU-7 IR-4 IR-6 IR-8 PE-6 PM-5 SC-5 SC-7 SI-3 SI-4 SI-7
IR-6 - Incident Reporting
Control:...
[For baselines: Low, Moderate, High, Privacy]
IR-6a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
IR-6b. Report incident information to [Assignment: organization-defined authorities].
IR-6(1). Automated Reporting.
Report incidents using [Assignment: organization-defined automated mechanisms].
IR-6(2). Vulnerabilities Related To Incidents.
Report system vulnerabilities associated with reported incidents to [Assignment: organization-defined personnel or roles].
IR-6(3). Supply Chain Coordination.
Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
Discussion:...

The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.

References: 41 CFR 201 SP 800-61 USCERT IR FASC18
41 CFR 201
SP 800-61 Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2.
USCERT IR Department of Homeland Security, US-CERT Federal Incident Notification Guidelines, April 2017.
FASC18 Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018.
Related: CM-6 CP-2 IR-4 IR-5 IR-8 IR-9 IR-7 SR-8
IR-7 - Incident Response Assistance
Control:...
[For baselines: Low, Moderate, High, Privacy]
Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.
IR-7(1). Automation Support For Availability Of Information and Support.
Increase the availability of incident response information and support using [Assignment: organization-defined automated mechanisms].
IR-7(2). Coordination With External Providers.
Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and
Identify organizational incident response team members to the external providers.
IR-7(2)(a). .
Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and
Identify organizational incident response team members to the external providers.
Discussion:...

Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.

References: OMB A-130 IR 7559
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
IR 7559 Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559.
Related: AT-2 AT-3 IR-4 IR-6 IR-8 PM-22 PM-26 SA-9 SI-18
IR-8 - Incident Response Plan
Control:...
[For baselines: Low, Moderate, High, Privacy]
IR-8a. Develop an incident response plan that:
IR-8a.1. Provides the organization with a roadmap for implementing its incident response capability;
IR-8a.2. Describes the structure and organization of the incident response capability;
IR-8a.3. Provides a high-level approach for how the incident response capability fits into the overall organization;
IR-8a.4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
IR-8a.5. Defines reportable incidents;
IR-8a.6. Provides metrics for measuring the incident response capability within the organization;
IR-8a.7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
IR-8a.8. Addresses the sharing of incident information;
IR-8a.9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and
IR-8a.10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles].
IR-8b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
IR-8c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
IR-8d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
IR-8e. Protect the incident response plan from unauthorized disclosure and modification.
IR-8(1). Breaches.
Include the following in the Incident Response Plan for breaches involving personally identifiable information:
A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and
Identification of applicable privacy requirements.
IR-8(1)(a). .
A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and
Identification of applicable privacy requirements.
Discussion:...

It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.

References: SP 800-61 OMB A-130 OMB M-17-12
SP 800-61 Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
OMB M-17-12 Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 2017.
Related: AC-2 CP-2 CP-4 IR-4 IR-7 IR-9 PE-6 PL-2 SA-15 SI-12 SR-8 PT-1 PT-2 PT-3 PT-4 PT-5 PT-7
IR-9 - Information Spillage Response
Control:...
[For baselines: Not Selected]
Respond to information spills by:
IR-9a. Assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills;
IR-9b. Identifying the specific information involved in the system contamination;
IR-9c. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
IR-9d. Isolating the contaminated system or system component;
IR-9e. Eradicating the information from the contaminated system or component;
IR-9f. Identifying other systems or system components that may have been subsequently contaminated; and
IR-9g. Performing the following additional actions: [Assignment: organization-defined actions].
IR-9(1). Responsible Personnel.
[Withdrawn: Incorporated into IR-9].
IR-9(2). Training.
Provide information spillage response training [Assignment: organization-defined frequency].
IR-9(3). Post-Spill Operations.
Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: [Assignment: organization-defined procedures].
IR-9(4). Exposure To Unauthorized Personnel.
Employ the following controls for personnel exposed to information not within assigned access authorizations: [Assignment: organization-defined controls].
Discussion:...

Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated.

Related: CP-2 IR-6 PM-26 PM-27 PT-2 PT-3 PT-7 RA-7 AT-2 AT-3 CP-3 IR-2
IR-10 - Integrated Information Security Analysis Team
Control:...
[For baselines: ]
Discussion:...
Related:
MA - Maintenance
MA-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High]
MA-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
MA-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] maintenance policy that:
MA-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
MA-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
MA-1a.2. Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;
MA-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the maintenance policy and procedures; and
MA-1c. Review and update the current maintenance:
MA-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
MA-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: SP 800-100 SP 800-39 SP 800-30 SP 800-12 OMB A-130
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: PM-9 PS-8 SI-12
MA-2 - Controlled Maintenance
Control:...
[For baselines: Low, Moderate, High]
MA-2a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
MA-2b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;
MA-2c. Require that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;
MA-2d. Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: [Assignment: organization-defined information];
MA-2e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and
MA-2f. Include the following information in organizational maintenance records: [Assignment: organization-defined information].
MA-2(1). Record Content.
[Withdrawn: Incorporated into MA-2].
MA-2(2). Automated Maintenance Activities.
Schedule, conduct, and document maintenance, repair, and replacement actions for the system using [Assignment: organization-defined automated mechanisms]; and
Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed.
MA-2(2)(a). .
Schedule, conduct, and document maintenance, repair, and replacement actions for the system using [Assignment: organization-defined automated mechanisms]; and
Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed.
Discussion:...

Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems.

References: IR 8023 OMB A-130
IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: CM-2 CM-3 CM-4 CM-5 CM-8 MA-4 MP-6 PE-16 SI-2 SR-3 SR-4 SR-11 MA-3
MA-3 - Maintenance Tools
Control:...
[For baselines: Moderate, High]
MA-3a. Approve, control, and monitor the use of system maintenance tools; and
MA-3b. Review previously approved system maintenance tools [Assignment: organization-defined frequency].
MA-3(1). Inspect Tools.
Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.
MA-3(2). Inspect Media.
Check media containing diagnostic and test programs for malicious code before the media are used in the system.
MA-3(3). Prevent Unauthorized Removal.
Prevent the removal of maintenance equipment containing organizational information by:
Verifying that there is no organizational information contained on the equipment;
Sanitizing or destroying the equipment;
Retaining the equipment within the facility; or
Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
MA-3(3)(a). .
Verifying that there is no organizational information contained on the equipment;
Sanitizing or destroying the equipment;
Retaining the equipment within the facility; or
Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
MA-3(4). Restricted Tool Use.
Restrict the use of maintenance tools to authorized personnel only.
MA-3(5). Execution With Privilege.
Monitor the use of maintenance tools that execute with increased privilege.
MA-3(6). Software Updates and Patches.
Inspect maintenance tools to ensure the latest software updates and patches are installed.
Discussion:...

Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as ping, ls, ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools.

References: SP 800-88
SP 800-88 Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1.
Related: MA-2 PE-16 SI-7 SI-3 MP-6 AC-3 AC-5 AC-6 AC-3 AC-6 AC-3 AC-6
MA-4 - Nonlocal Maintenance
Control:...
[For baselines: Low, Moderate, High]
MA-4a. Approve and monitor nonlocal maintenance and diagnostic activities;
MA-4b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;
MA-4c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;
MA-4d. Maintain records for nonlocal maintenance and diagnostic activities; and
MA-4e. Terminate session and network connections when nonlocal maintenance is completed.
MA-4(1). Logging and Review.
Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and
Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.
MA-4(1)(a). .
Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and
Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.
MA-4(2). Document Nonlocal Maintenance.
[Withdrawn: Incorporated into MA-1, MA-4].
MA-4(3). Comparable Security and Sanitization.
Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or
Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system.
MA-4(3)(a). .
Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or
Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system.
MA-4(4). Authentication and Separation Of Maintenance Sessions.
Protect nonlocal maintenance sessions by:
Employing [Assignment: organization-defined authenticators that are replay resistant]; and
Separating the maintenance sessions from other network sessions with the system by either:
Physically separated communications paths; or
Logically separated communications paths.
MA-4(4)(a). .
Employing [Assignment: organization-defined authenticators that are replay resistant]; and
Separating the maintenance sessions from other network sessions with the system by either:
Physically separated communications paths; or
Logically separated communications paths.
MA-4(5). Approvals and Notifications.
Require the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
Notify the following personnel or roles of the date and time of planned nonlocal maintenance: [Assignment: organization-defined personnel or roles].
MA-4(5)(a). .
Require the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
Notify the following personnel or roles of the date and time of planned nonlocal maintenance: [Assignment: organization-defined personnel or roles].
MA-4(6). Cryptographic Protection.
Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: [Assignment: organization-defined cryptographic mechanisms].
MA-4(7). Disconnect Verification.
Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions.
Discussion:...

Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.

References: SP 800-63-3 SP 800-88 FIPS 197 FIPS 201-2 FIPS 140-3
SP 800-63-3 Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020.
SP 800-88 Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1.
FIPS 197 National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197.
FIPS 201-2 National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2.
FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
Related: AC-2 AC-3 AC-6 AC-17 AU-2 AU-3 IA-2 IA-4 IA-5 IA-8 MA-2 MA-5 PL-2 SC-7 SC-10 AU-6 AU-12 MP-6 SI-3 SI-7 SC-8 SC-12 SC-13 AC-12
AC-2 - Account Management
AC-3 - Access Enforcement
AC-6 - Least Privilege
AC-17 - Remote Access
AU-2 - Event Logging
AU-3 - Content Of Audit Records
IA-2 - Identification and Authentication (Organizational Users)
IA-4 - Identifier Management
IA-5 - Authenticator Management
IA-8 - Identification and Authentication (Non-Organizational Users)
MA-2 - Controlled Maintenance
MA-5 - Maintenance Personnel
PL-2 - System Security and Privacy Plans
SC-7 - Boundary Protection
SC-10 - Network Disconnect
AU-6 - Audit Record Review, Analysis, and Reporting
AU-12 - Audit Record Generation
MP-6 - Media Sanitization
SI-3 - Malicious Code Protection
SI-7 - Software, Firmware, and Information Integrity
SC-8 - Transmission Confidentiality and Integrity
SC-12 - Cryptographic Key Establishment and Management
SC-13 - Cryptographic Protection
AC-12 - Session Termination
MA-5 - Maintenance Personnel
Control:...
[For baselines: Low, Moderate, High]
MA-5a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;
MA-5b. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and
MA-5c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
MA-5(1). Individuals Without Appropriate Access.
Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities o
Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components w
Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system.
MA-5(1)(a). .
Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities o
Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components w
Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system.
MA-5(2). Security Clearances For Classified Systems.
Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for compartments of information on the system.
MA-5(3). Citizenship Requirements For Classified Systems.
Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.
MA-5(4). Foreign Nationals.
Ensure that:
Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and
Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.
MA-5(4)(a). .
Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and
Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.
MA-5(5). Non-System Maintenance.
Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.
Discussion:...

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

Related: AC-2 AC-3 AC-5 AC-6 IA-2 IA-8 MA-4 MP-2 PE-2 PE-3 PS-7 RA-3 MP-6 PL-2 PS-3 PS-3 PS-3
MA-6 - Timely Maintenance
Control:...
[For baselines: Moderate, High]
Obtain maintenance support and/or spare parts for [Assignment: organization-defined system components] within [Assignment: organization-defined time period] of failure.
MA-6(1). Preventive Maintenance.
Perform preventive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals].
MA-6(2). Predictive Maintenance.
Perform predictive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals].
MA-6(3). Automated Support For Predictive Maintenance.
Transfer predictive maintenance data to a maintenance management system using [Assignment: organization-defined automated mechanisms].
Discussion:...

Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.

Related: CM-8 CP-2 CP-7 RA-7 SA-15 SI-13 SR-2 SR-3 SR-4
MA-7 - Field Maintenance
Control:...
[For baselines: Not Selected]
Restrict or prohibit field maintenance on [Assignment: organization-defined systems or system components] to [Assignment: organization-defined trusted maintenance facilities].
Discussion:...

Field maintenance is the type of maintenance conducted on a system or system component after the system or component has been deployed to a specific site (i.e., operational environment). In certain instances, field maintenance (i.e., local maintenance at the site) may not be executed with the same degree of rigor or with the same quality control checks as depot maintenance. For critical systems designated as such by the organization, it may be necessary to restrict or prohibit field maintenance at the local site and require that such maintenance be conducted in trusted facilities with additional controls.

Related: MA-2 MA-4 MA-5
MP - Media Protection
MP-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High, Privacy]
MP-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
MP-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] media protection policy that:
MP-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
MP-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
MP-1a.2. Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;
MP-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the media protection policy and procedures; and
MP-1c. Review and update the current media protection:
MP-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
MP-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: SP 800-100 SP 800-39 SP 800-30 SP 800-12 OMB A-130
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
Related: PM-9 PS-8 SI-12
MP-2 - Media Access
Control:...
[For baselines: Low, Moderate, High]
Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
MP-2(1). Automated Restricted Access.
[Withdrawn: Incorporated into MP-4(2)].
MP-2(2). Cryptographic Protection.
[Withdrawn: Incorporated into SC-28(1)].
Discussion:...

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.

References: FIPS 199 OMB A-130 SP 800-111
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-111 Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111.
Related: AC-19 AU-9 CP-2 CP-9 CP-10 MA-5 MP-4 MP-6 PE-2 PE-3 SC-12 SC-13 SC-34 SI-12
MP-3 - Media Marking
Control:...
[For baselines: Moderate, High]
MP-3a. Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
MP-3b. Exempt [Assignment: organization-defined types of system media] from marking if the media remain within [Assignment: organization-defined controlled areas].
Discussion:...

Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002. Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

References: 32 CFR 2002 EO 13556 FIPS 199
32 CFR 2002 Code of Federal Regulations, Title 32, Controlled Unclassified Information (32 C.F.R. 2002).
EO 13556 Executive Order 13556, Controlled Unclassified Information, November 2010.
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
Related: AC-16 CP-9 MP-5 PE-22 SI-12
MP-4 - Media Storage
Control:...
[For baselines: Moderate, High]
MP-4a. Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
MP-4b. Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-4(1). Cryptographic Protection.
[Withdrawn: Incorporated into SC-28(1)].
MP-4(2). Automated Restricted Access.
Restrict access to media storage areas and log access attempts and access granted using [Assignment: organization-defined automated mechanisms].
Discussion:...

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection.

References: SP 800-57-1 SP 800-57-2 SP 800-56C SP 800-56A SP 800-56B SP 800-57-3 FIPS 199 SP 800-111
SP 800-57-1 Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5.
SP 800-57-2 Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1.
SP 800-56C Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2.
SP 800-56A Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3.
SP 800-56B Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2.
SP 800-57-3 Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1.
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
SP 800-111 Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111.
Related: AC-19 CP-2 CP-6 CP-9 CP-10 MP-2 MP-7 PE-3 PL-2 SC-12 SC-13 SC-28 SC-34 SI-12 AC-3 AU-2 AU-6 AU-9 AU-12 PE-3
MP-5 - Media Transport
Control:...
[For baselines: Moderate, High]
MP-5a. Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls];
MP-5b. Maintain accountability for system media during transport outside of controlled areas;
MP-5c. Document activities associated with the transport of system media; and
MP-5d. Restrict the activities associated with the transport of system media to authorized personnel.
MP-5(1). Protection Outside Of Controlled Areas.
[Withdrawn: Incorporated into MP-5].
MP-5(2). Documentation Of Activities.
[Withdrawn: Incorporated into MP-5].
MP-5(3). Custodians.
Employ an identified custodian during transport of system media outside of controlled areas.
MP-5(4). Cryptographic Protection.
[Withdrawn: Incorporated into SC-28(1)].
Discussion:...

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.

References: FIPS 199 SP 800-60-1 SP 800-60-2
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
SP 800-60-1 Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
SP 800-60-2 Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
Related: AC-7 AC-19 CP-2 CP-9 MP-3 MP-4 PE-16 PL-2 SC-12 SC-13 SC-28 SC-34
MP-6 - Media Sanitization
Control:...
[For baselines: Low, Moderate, High, Privacy]
MP-6a. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and
MP-6b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
MP-6(1). Review, Approve, Track, Document, and Verify.
Review, approve, track, document, and verify media sanitization and disposal actions.
MP-6(2). Equipment Testing.
Test sanitization equipment and procedures [Assignment: organization-defined frequency] to ensure that the intended sanitization is being achieved.
MP-6(3). Nondestructive Techniques.
Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
MP-6(4). Controlled Unclassified Information.
[Withdrawn: Incorporated into MP-6].
MP-6(5). Classified Information.
[Withdrawn: Incorporated into MP-6].
MP-6(6). Media Destruction.
[Withdrawn: Incorporated into MP-6].
MP-6(7). Dual Authorization.
Enforce dual authorization for the sanitization of [Assignment: organization-defined system media].
MP-6(8). Remote Purging Or Wiping Of Information.
Provide the capability to purge or wipe information from [Assignment: organization-defined systems or system components] [Selection: remotely; under the following conditions: [Assignment: organization-defined conditions]].
Discussion:...

Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information.

References: 32 CFR 2002 IR 8023 SP 800-88 NARA CUI FIPS 199 NSA MEDIA OMB A-130 SP 800-124 SP 800-60-1 SP 800-60-2
32 CFR 2002 Code of Federal Regulations, Title 32, Controlled Unclassified Information (32 C.F.R. 2002).
IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.
SP 800-88 Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1.
NARA CUI National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry.
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
NSA MEDIA National Security Agency, Media Destruction Guidance.
OMB A-130 Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource, July 2016.
SP 800-124 Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1.
SP 800-60-1 Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
SP 800-60-2 Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
Related: AC-3 AC-7 AU-11 MA-2 MA-3 MA-4 MA-5 PM-22 SI-12 SI-18 SI-19 SR-11 AC-3 MP-2
MP-7 - Media Use
Control:...
[For baselines: Low, Moderate, High]
MP-7a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and
MP-7b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.
MP-7(1). Prohibit Use Without Owner.
[Withdrawn: Incorporated into MP-7].
MP-7(2). Prohibit Use Of Sanitization-Resistant Media.
Prohibit the use of sanitization-resistant media in organizational systems.
Discussion:...

System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.

References: FIPS 199 SP 800-111
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
SP 800-111 Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111.
Related: AC-19 AC-20 PL-4 PM-12 SC-34 SC-41 MP-6
MP-8 - Media Downgrading
Control:...
[For baselines: Not Selected]
MP-8a. Establish [Assignment: organization-defined system media downgrading process] that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;
MP-8b. Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
MP-8c. Identify [Assignment: organization-defined system media requiring downgrading]; and
MP-8d. Downgrade the identified system media using the established process.
MP-8(1). Documentation Of Process.
Document system media downgrading actions.
MP-8(2). Equipment Testing.
Test downgrading equipment and procedures [Assignment: organization-defined frequency] to ensure that downgrading actions are being achieved.
MP-8(3). Controlled Unclassified Information.
Downgrade system media containing controlled unclassified information prior to public release.
MP-8(4). Classified Information.
Downgrade system media containing classified information prior to release to individuals without required access authorizations.
Discussion:...

Media downgrading applies to digital and non-digital media subject to release outside of the organization, whether the media is considered removable or not. When applied to system media, the downgrading process removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading ensures that empty space on the media is devoid of information.

References: 32 CFR 2002 NSA MEDIA
32 CFR 2002 Code of Federal Regulations, Title 32, Controlled Unclassified Information (32 C.F.R. 2002).
NSA MEDIA National Security Agency, Media Destruction Guidance.
Related:
PE - Physical and Environmental Protection
PE-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High]
PE-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
PE-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] physical and environmental protection policy that:
PE-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
PE-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
PE-1a.2. Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;
PE-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and
PE-1c. Review and update the current physical and environmental protection:
PE-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
PE-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: SP 800-100 SP 800-39 SP 800-30 SP 800-12
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
Related: AT-3 PM-9 PS-8 SI-12
PE-2 - Physical Access Authorizations
Control:...
[For baselines: Low, Moderate, High]
PE-2a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;
PE-2b. Issue authorization credentials for facility access;
PE-2c. Review the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
PE-2d. Remove individuals from the facility access list when access is no longer required.
PE-2(1). Access By Position Or Role.
Authorize physical access to the facility where the system resides based on position or role.
PE-2(2). Two Forms Of Identification.
Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: [Assignment: organization-defined list of acceptable forms of identification].
PE-2(3). Restrict Unescorted Access.
Restrict unescorted access to the facility where the system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined physical access authorizations]].
Discussion:...

Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.

References: SP 800-73-4 SP 800-76-2 FIPS 201-2 SP 800-78-4
SP 800-73-4 Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016.
SP 800-76-2 Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2.
FIPS 201-2 National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2.
SP 800-78-4 Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4.
Related: AT-3 AU-9 IA-4 MA-5 MP-2 PE-3 PE-4 PE-5 PE-8 PM-12 PS-3 PS-4 PS-5 PS-6 AC-2 AC-3 AC-6 IA-2 IA-4 IA-5 PS-2 PS-6
PE-3 - Physical Access Control
Control:...
[For baselines: Low, Moderate, High]
PE-3a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by:
PE-3a.1. Verifying individual access authorizations before granting access to the facility; and
PE-3a.2. Controlling ingress and egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems or devices]; guards];
PE-3b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points];
PE-3c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls];
PE-3d. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity];
PE-3e. Secure keys, combinations, and other physical access devices;
PE-3f. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
PE-3g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
PE-3(1). System Access.
Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the system].
PE-3(2). Facility and Systems.
Perform security checks [Assignment: organization-defined frequency] at the physical perimeter of the facility or system for exfiltration of information or removal of system components.
PE-3(3). Continuous Guards.
Employ guards to control [Assignment: organization-defined physical access points] to the facility where the system resides 24 hours per day, 7 days per week.
PE-3(4). Lockable Casings.
Use lockable physical casings to protect [Assignment: organization-defined system components] from unauthorized physical access.
PE-3(5). Tamper Protection.
Employ [Assignment: organization-defined anti-tamper technologies] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the system.
PE-3(6). Facility Penetration Testing.
[Withdrawn: Incorporated into CA-8].
PE-3(7). Physical Barriers.
Limit access using physical barriers.
PE-3(8). Access Control Vestibules.
Employ access control vestibules at [Assignment: organization-defined locations within the facility].
Discussion:...

Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

References: SP 800-73-4 SP 800-116 SP 800-76-2 FIPS 201-2 SP 800-78-4
SP 800-73-4 Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016.
SP 800-116 Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1.
SP 800-76-2 Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2.
FIPS 201-2 National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2.
SP 800-78-4 Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4.
Related: AT-3 AU-2 AU-6 AU-9 AU-13 CP-10 IA-3 IA-8 MA-5 MP-2 MP-4 PE-2 PE-4 PE-5 PE-8 PS-2 PS-3 PS-6 PS-7 RA-3 SC-28 SI-4 SR-3 AC-4 SC-7 CP-6 CP-7 PE-6 SA-16 SR-9 SR-11
AT-3 - Role-Based Training
AU-2 - Event Logging
AU-6 - Audit Record Review, Analysis, and Reporting
AU-9 - Protection Of Audit Information
AU-13 - Monitoring For Information Disclosure
CP-10 - System Recovery and Reconstitution
IA-3 - Device Identification and Authentication
IA-8 - Identification and Authentication (Non-Organizational Users)
MA-5 - Maintenance Personnel
MP-2 - Media Access
MP-4 - Media Storage
PE-2 - Physical Access Authorizations
PE-4 - Access Control For Transmission
PE-5 - Access Control For Output Devices
PE-8 - Visitor Access Records
PS-2 - Position Risk Designation
PS-3 - Personnel Screening
PS-6 - Access Agreements
PS-7 - External Personnel Security
RA-3 - Risk Assessment
SC-28 - Protection Of Information At Rest
SI-4 - System Monitoring
SR-3 - Supply Chain Controls and Processes
AC-4 - Information Flow Enforcement
SC-7 - Boundary Protection
CP-6 - Alternate Storage Site
CP-7 - Alternate Processing Site
PE-6 - Monitoring Physical Access
SA-16 - Developer-Provided Training
SR-9 - Tamper Resistance and Detection
SR-11 - Component Authenticity
PE-4 - Access Control For Transmission
Control:...
[For baselines: Moderate, High]
Control physical access to [Assignment: organization-defined system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security controls].
Discussion:...

Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors.

Related: AT-3 IA-4 MP-2 MP-4 PE-2 PE-3 PE-5 PE-9 SC-7 SC-8
PE-5 - Access Control For Output Devices
Control:...
[For baselines: Moderate, High]
Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output.
PE-5(1). Access To Output By Authorized Individuals.
[Withdrawn: Incorporated into PE-5].
PE-5(2). Link To Individual Identity.
Link individual identity to receipt of output from output devices.
PE-5(3). Marking Output Devices.
[Withdrawn: Incorporated into PE-22].
Discussion:...

Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.

References: IR 8023
IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.
Related: PE-2 PE-3 PE-4 PE-18
PE-6 - Monitoring Physical Access
Control:...
[For baselines: Low, Moderate, High]
PE-6a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;
PE-6b. Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
PE-6c. Coordinate results of reviews and investigations with the organizational incident response capability.
PE-6(1). Intrusion Alarms and Surveillance Equipment.
Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.
PE-6(2). Automated Intrusion Recognition and Responses.
Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms].
PE-6(3). Video Surveillance.
Employ video surveillance of [Assignment: organization-defined operational areas];
Review video recordings [Assignment: organization-defined frequency]; and
Retain video recordings for [Assignment: organization-defined time period].
PE-6(3)(a). .
Employ video surveillance of [Assignment: organization-defined operational areas];
Review video recordings [Assignment: organization-defined frequency]; and
Retain video recordings for [Assignment: organization-defined time period].
PE-6(4). Monitoring Physical Access To Systems.
Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system].
Discussion:...

Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-2, if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.

Related: AU-2 AU-6 AU-9 AU-12 CA-7 CP-10 IR-4 IR-8 SI-4
PE-7 - Visitor Control
Control:...
[For baselines: ]
Discussion:...
Related:
PE-8 - Visitor Access Records
Control:...
[For baselines: Low, Moderate, High]
PE-8a. Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period];
PE-8b. Review visitor access records [Assignment: organization-defined frequency]; and
PE-8c. Report anomalies in visitor access records to [Assignment: organization-defined personnel].
PE-8(1). Automated Records Maintenance and Review.
Maintain and review visitor access records using [Assignment: organization-defined automated mechanisms].
PE-8(2). Physical Access Records.
[Withdrawn: Incorporated into PE-2].
PE-8(3). Limit Personally Identifiable Information Elements.
Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements].
Discussion:...

Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.

Related: PE-2 PE-3 PE-6 RA-3 SA-8
PE-9 - Power Equipment and Cabling
Control:...
[For baselines: Moderate, High]
Protect power equipment and power cabling for the system from damage and destruction.
PE-9(1). Redundant Cabling.
Employ redundant power cabling paths that are physically separated by [Assignment: organization-defined distance].
PE-9(2). Automatic Voltage Controls.
Employ automatic voltage controls for [Assignment: organization-defined critical system components].
Discussion:...

Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems.

Related: PE-4
PE-10 - Emergency Shutoff
Control:...
[For baselines: Moderate, High]
PE-10a. Provide the capability of shutting off power to [Assignment: organization-defined system or individual system components] in emergency situations;
PE-10b. Place emergency shutoff switches or devices in [Assignment: organization-defined location by system or system component] to facilitate access for authorized personnel; and
PE-10c. Protect emergency power shutoff capability from unauthorized activation.
PE-10(1). Accidental and Unauthorized Activation.
[Withdrawn: Incorporated into PE-10].
Discussion:...

Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.

Related: PE-15
PE-11 - Emergency Power
Control:...
[For baselines: Moderate, High]
Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss.
PE-11(1). Alternate Power Supply — Minimal Operational Capability.
Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.
PE-11(2). Alternate Power Supply — Self-Contained.
Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is:
Self-contained;
Not reliant on external power generation; and
Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source.
PE-11(2)(a). .
Self-contained;
Not reliant on external power generation; and
Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source.
Discussion:...

An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system.

Related: AT-3 CP-2 CP-7
PE-12 - Emergency Lighting
Control:...
[For baselines: Low, Moderate, High]
Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
PE-12(1). Essential Mission and Business Functions.
Provide emergency lighting for all areas within the facility supporting essential mission and business functions.
Discussion:...

The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.

Related: CP-2 CP-7
PE-13 - Fire Protection
Control:...
[For baselines: Low, Moderate, High]
Employ and maintain fire detection and suppression systems that are supported by an independent energy source.
PE-13(1). Detection Systems — Automatic Activation and Notification.
Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.
PE-13(2). Suppression Systems — Automatic Activation and Notification.
Employ fire suppression systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]; and
Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis.
PE-13(2)(a). .
Employ fire suppression systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]; and
Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis.
PE-13(3). Automatic Fire Suppression.
[Withdrawn: Incorporated into PE-13(2)].
PE-13(4). Inspections.
Ensure that the facility undergoes [Assignment: organization-defined frequency] fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within [Assignment: organization-defined time period].
Discussion:...

The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility.

Related: AT-3
PE-14 - Environmental Controls
Control:...
[For baselines: Low, Moderate, High]
PE-14a. Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and
PE-14b. Monitor environmental control levels [Assignment: organization-defined frequency].
PE-14(1). Automatic Controls.
Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: [Assignment: organization-defined automatic environmental controls].
PE-14(2). Monitoring With Alarms and Notifications.
Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to [Assignment: organization-defined personnel or roles].
Discussion:...

The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.

Related: AT-3 CP-2
PE-15 - Water Damage Protection
Control:...
[For baselines: Low, Moderate, High]
Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
PE-15(1). Automation Support.
Detect the presence of water near the system and alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms].
Discussion:...

The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.

Related: AT-3 PE-10
PE-16 - Delivery and Removal
Control:...
[For baselines: Low, Moderate, High]
PE-16a. Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and
PE-16b. Maintain records of the system components.
Discussion:...

Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.

Related: CM-3 CM-8 MA-2 MA-3 MP-5 PE-20 SR-2 SR-3 SR-4 SR-6
PE-17 - Alternate Work Site
Control:...
[For baselines: Moderate, High]
PE-17a. Determine and document the [Assignment: organization-defined alternate work sites] allowed for use by employees;
PE-17b. Employ the following controls at alternate work sites: [Assignment: organization-defined controls];
PE-17c. Assess the effectiveness of controls at alternate work sites; and
PE-17d. Provide a means for employees to communicate with information security and privacy personnel in case of incidents.
Discussion:...

Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.

References: SP 800-46
SP 800-46 Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2.
Related: AC-17 AC-18 CP-7
PE-18 - Location Of System Components
Control:...
[For baselines: High]
Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
PE-18(1). Facility Site.
[Withdrawn: Moved to PE-23].
Discussion:...

Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information.

Related: CP-2 PE-5 PE-19 PE-20 RA-3
PE-19 - Information Leakage
Control:...
[For baselines: Not Selected]
Protect the system from information leakage due to electromagnetic signals emanations.
PE-19(1). National Emissions Policies and Procedures.
Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the information.
Discussion:...

Information leakage is the intentional or unintentional release of data or information to an untrusted environment from electromagnetic signals emanations. The security categories or classifications of systems (with respect to confidentiality), organizational security policies, and risk tolerance guide the selection of controls employed to protect systems against information leakage due to electromagnetic signals emanations.

References: FIPS 199
FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
Related: AC-18 PE-18 PE-20
PE-20 - Asset Monitoring and Tracking
Control:...
[For baselines: Not Selected]
Employ [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas].
Discussion:...

Asset location technologies can help ensure that critical assets—including vehicles, equipment, and system components—remain in authorized locations. Organizations consult with the Office of the General Counsel and senior agency official for privacy regarding the deployment and use of asset location technologies to address potential privacy concerns.

Related: CM-8 PE-16 PM-8
PE-21 - Electromagnetic Pulse Protection
Control:...
[For baselines: Not Selected]
Employ [Assignment: organization-defined protective measures] against electromagnetic pulse damage for [Assignment: organization-defined systems and system components].
Discussion:...

An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a range of frequencies. Such energy bursts may be natural or man-made. EMP interference may be disruptive or damaging to electronic equipment. Protective measures used to mitigate EMP risk include shielding, surge suppressors, ferro-resonant transformers, and earth grounding. EMP protection may be especially significant for systems and applications that are part of the U.S. critical infrastructure.

Related: PE-18 PE-19
PE-22 - Component Marking
Control:...
[For baselines: Not Selected]
Mark [Assignment: organization-defined system hardware components] indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.
Discussion:...

Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers, and audio devices. Permissions controlling output to the output devices are addressed in AC-3 or AC-4. Components are marked to indicate the impact level or classification level of the system to which the devices are connected, or the impact level or classification level of the information permitted to be output. Security marking refers to the use of human-readable security attributes. Security labeling refers to the use of security attributes for internal system data structures. Security marking is generally not required for hardware components that process, store, or transmit information determined by organizations to be in the public domain or to be publicly releasable. However, organizations may require markings for hardware components that process, store, or transmit public information in order to indicate that such information is publicly releasable. Marking of system hardware components reflects applicable laws, executive orders, directives, policies, regulations, and standards.

References: IR 8023
IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.
Related: AC-3 AC-4 AC-16 MP-3
PE-23 - Facility Location
Control:...
[For baselines: Not Selected]
PE-23a. Plan the location or site of the facility where the system resides considering physical and environmental hazards; and
PE-23b. For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy.
Discussion:...

Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. The location of system components within the facility is addressed in PE-18.

Related: CP-2 PE-18 PE-19 PM-8 PM-9 RA-3
PS - Personnel Security
PS-1 - Policy and Procedures
Control:...
[For baselines: Low, Moderate, High]
PS-1a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
PS-1a.1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] personnel security policy that:
PS-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
PS-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
PS-1a.2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;
PS-1b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and
PS-1c. Review and update the current personnel security:
PS-1c.1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
PS-1c.2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Discussion:...

Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

References: SP 800-100 SP 800-39 SP 800-30 SP 800-12
SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
Related: PM-9 PS-8 SI-12
PS-2 - Position Risk Designation
Control:...
[For baselines: Low, Moderate, High]
PS-2a. Assign a risk designation to all organizational positions;
PS-2b. Establish screening criteria for individuals filling those positions; and
PS-2c. Review and update position risk designations [Assignment: organization-defined frequency].
Discussion:...

Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.

References: 5 CFR 731 SP 800-181