Key Controls Review
Calc test - Review and manage critical security controls
Search & Add Controls
AI Search Results
Found semantically similar controls
Current Key Controls
101 TotalScoping Question 1
Will the entity’s personnel require specialized clearances or certifications? Determines if staff need background checks, professional licenses, or industry certifications before starting work. Delays onboarding if certifications lapse; compliance risk if unauthorised staff perform regulated tasks. Credential-verification process Expiration-tracking of certifications Backup resource plan for lapsed clearances
Establish and Maintain an Inventory of Accounts
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, ...
Ensure Authorized Software is Currently Supported
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterpri...
Physical Access Control
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas...
Role-based Training
Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to whi...
Developer Screening
Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities es...
Contingency Training
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included i...
Authorization
Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly a...
Physical Access Authorizations
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID b...
Authorization Process
Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standard...
Personnel Screening
Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk desig...
System Backup
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-lev...
Authority to Process Personally Identifiable Information
The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information acro...
Account Management
Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specificat...
Position Risk Designation
Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel secu...
Maintenance Personnel
Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place ...
Specific Categories of Personally Identifiable Information
Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, dire...
Cryptographic Module Authentication
Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and ...
Personnel Termination
System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals un...
Separation of Duties
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or...
Personally Identifiable Information Processing Purposes
Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term process includes every s...
Policy and Procedures
Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an importan...
Policy and Procedures
Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor...
Policy and Procedures
Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing su...
Mission and Business Process Definition
Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss o...
Risk Assessment
Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider ris...
Rules of Behavior
Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use ...
Position Descriptions
Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles a...
Control Assessments
Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and...
Policy and Procedures
Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establi...
Identity Proofing
Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is ...
Scoping Question 2
Will the entity have physical access to the entity’s managed devices (e.g., laptops, smartphones, tablets)? Determines if the entity’s personnel will handle or use corporate-owned endpoints, which may store sensitive data. Direct device access can lead to data leakage, malware introduction, or unauthorised configuration changes. Device inventory and tracking Endpoint security policies (e.g., MDM enforcement) Access logging and tamper-evident seals
Enforce Remote Wipe Capability on Portable End-User Devices
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.
Log Sensitive Data Access
Log sensitive data access, including modification and disposal.
Establish and Maintain Detailed Enterprise Asset Inventory
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile...
Establish and Maintain a Secure Configuration Process
Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating...
Physical Access Control
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas...
Physical Access Authorizations
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID b...
Access Enforcement
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains)...
Access Restrictions for Change
Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or indi...
Sensor Capability and Data
Sensor capability and data applies to types of systems or system components characterized as mobile devices, such as cellular telephones, smart phones, and tablets. Mobile devices often include sensor...
Monitoring Physical Access
Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i...
System Backup
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-lev...
Authority to Process Personally Identifiable Information
The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information acro...
Protection of Information at Rest
Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, stora...
Media Transport
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact d...
External Personnel Security
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide s...
Media Use
System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-di...
Specific Categories of Personally Identifiable Information
Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, dire...
Device Identification and Authentication
Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that ...
Access Control for Mobile Devices
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non...
Re-authentication
In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators o...
Security and Privacy Attributes
Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active en...
Asset Monitoring and Tracking
Asset location technologies can help ensure that critical assets—including vehicles, equipment, and system components—remain in authorized locations. Organizations consult with the Office ...
Access Control for Output Devices
Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized indivi...
Reference Monitor
A reference monitor is a set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects...
Information Flow Enforcement
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses ...
Software, Firmware, and Information Integrity
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers...
Component Marking
Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printe...
Delivery and Removal
Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.
Identifier Management
Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable...
Device Lock
Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out ...
Permitted Actions Without Identification or Authentication
Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organ...
Out-of-band Channels
Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal...
Scoping Question 3
Will the entity host entity, partner, or customer data in their own network environment? Determines if your data will reside on the provider’s infrastructure rather than your controlled systems. Loss of direct control over data storage, potential co-tenant risks, and challenges in meeting data-sovereignty or compliance requirements. Contractual data-hosting SLA and security requirements Data-segregation (logical/physical) and encryption at rest Periodic network and configuration audits Defined backup, retention, and e-discovery procedures
Establish and Maintain a Data Management Process
Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitiv...
Securely Dispose of Data
Securely dispose of data as outlined in the enterprise’s documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity.
System Backup
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-lev...
Protection of Information at Rest
Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, stora...
Data Governance Body
A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body estab...
Information Exchange
System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, conn...
Alternate Storage Site
Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate ...
Information Flow Enforcement
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses ...
Information Sharing
Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive informat...
Secure Name/Address Resolution Service (Authoritative Source)
Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name ...
Scoping Question 4
Does the service require handling or custody of the entity’s physical assets (e.g., hardware, inventory)? Flags responsibility for equipment, shipments, or on-site physical items under the entity’s care. Asset damage, loss, or theft can disrupt operations and lead to replacement costs or insurance claims. Asset-tagging and inventory management system Insurance and liability clauses Chain-of-custody documentation for transfers
Establish and Maintain Detailed Enterprise Asset Inventory
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile...
Media Transport
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact d...
Supply Chain Controls and Processes
Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and di...
Timely Maintenance
Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by th...
Asset Monitoring and Tracking
Asset location technologies can help ensure that critical assets—including vehicles, equipment, and system components—remain in authorized locations. Organizations consult with the Office ...
Controlled Maintenance
Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal ...
Provenance
Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a syst...
System Component Inventory
System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories...
Scoping Question 5
Will the service integrate directly with core business processes or systems? Identifies if the entity’s outputs plug into mission-critical workflows (order processing, billing, manufacturing, etc.). A faulty integration can cascade failures into critical operations, causing downtime, data corruption, or billing errors. Formal change-management process Pre-/post-integration validation testing Role-based access controls on integrated interfaces
Document Data Flows
Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when sig...
External System Services
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. O...
Specialization
It is often necessary for a system or system component that supports mission-essential services or functions to be enhanced to maximize the trustworthiness of the resource. Sometimes this enhancement ...
Internal System Connections
Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including ...
Timely Maintenance
Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by th...
Information Diversity
Actions taken by a system service or a function are often driven by the information it receives. Corruption, fabrication, modification, or deletion of that information could impact the ability of the ...
Configuration Change Control
Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades a...
Alternate Processing Site
Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capabil...
Service Identification and Authentication
Services that may require identification and authentication include web applications using digital certificates or services or applications that query a database. Identification and authentication met...
Criticality Analysis
Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioriti...
Central Management
Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organi...
Scoping Question 6
Will the entity’s services be subject to periodic audits by us or third parties? Identifies whether you must audit their performance, controls, or compliance on a recurring basis. Audit preparation consumes internal resources; findings may require remediation and renegotiation of contract terms. Audit schedule and scoping document Right-to-audit clauses in contract Remediation-tracking and closure reporting
Audit Record Review, Analysis, and Reporting
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, r...
Cross-organizational Audit Logging
When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of ind...
Response to Audit Logging Process Failures
Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions incl...
Audit Record Retention
Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availab...
Policy and Procedures
Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in estab...
Notification Agreements
The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentia...
Content of Audit Records
Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process ident...
Protection of Audit Information
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit loggin...
Accounting of Disclosures
The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients ...
Audit Log Storage Capacity
Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity...
Session Audit
Session audits can include monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session audit capability is implemented in addition to event logging and m...
Audit Record Reduction and Report Generation
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report gener...
Event Logging
An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals....
Scoping Question 7
Will the entity’s staff operate on-site at entity facilities? Determines whether the entity’s personnel need to be co-located with your teams, impacting coordination and oversight. Increases insider/physical-security risk (tailgating, unauthorised access); adds complexity for facility management and supervision. Badge-based physical access controls Escort and visitor logging policy Segregated work areas with monitoring cameras
Physical Access Control
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas...
Role-based Training
Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to whi...
Authorization
Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly a...
Physical Access Authorizations
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID b...
Access Enforcement
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains)...
Authorization Process
Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standard...
Identification and Authentication (Organizational Users)
Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12. Organizational users include employees or individuals who organizations cons...
Monitoring Physical Access
Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i...
Account Management
Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specificat...
Maintenance Personnel
Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place ...
Alternate Work Site
Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternat...
Location of System Components
Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming elect...
Separation of Duties
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or...
Software-enforced Separation and Policy Enforcement
System owners may require additional strength of mechanism to ensure domain separation and policy enforcement for specific types of threats and environments of operation.
Policy and Procedures
Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing su...
Delivery and Removal
Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.
Scoping Question 8
Does the entity use third parties to deliver services outside the United States? Identifies whether any part of service delivery is outsourced internationally, beyond your direct oversight. Offshore third parties can fall under different regulatory regimes, complicate compliance, data-sovereignty, and oversight. International due-diligence and risk assessments Flow-down contract clauses for compliance and data handling Regular third-party audits and SLAs
External System Services
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. O...
Supplier Assessments and Reviews
An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively a...
External Personnel Security
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide s...
Notification Agreements
The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentia...
Security Alerts, Advisories, and Directives
The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued...
Scoping Question 9
Is continuous (24/7) availability required for this service? Establishes whether the service must run without interruption (e.g., call center, global e-commerce). Leaves little maintenance window, higher ops burden, risk of slip-ups or fatigue-related errors in support shifts. SLAs with uptime guarantees Geographically redundant infrastructure Automated alerting and escalation paths
Continuous Monitoring
Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing...
Telecommunications Services
Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for CP-8. Alternate telecommunications services reflect the continuity requirements...
Scoping Question 10
Does the entity’s performance depend on access to proprietary processes or intellectual property? Clarifies whether the entity needs to understand or use your unique methodologies, algorithms, or trade secrets. Exposure of IP risks theft or leakage, eroding competitive advantage and complicating future provider transitions. NDAs and IP assignment clauses ACLs on sensitive repositories Periodic IP-use audits
Identification and Authentication (Non-organizational Users)
Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than tho...