Key Controls Review
VendorEntity - Review and manage critical security controls
Current Key Controls (179 total)
Scoping Question 1
Will the entity’s personnel require specialized clearances or certifications?
Purpose: Determines if staff need background checks, professional licenses, or industry certifications before starting work.
Risk: Delays onboarding if certifications lapse; compliance risk if unauthorised staff perform regulated tasks.
Mitigations:
- Credential-verification process
- Expiration-tracking of certifications
- Backup resource plan for lapsed clearances
Establish and Maintain an Inventory of Accounts
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, ...
Establish and Maintain a Data Management Process
Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitiv...
Ensure Authorized Software is Currently Supported
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterpri...
Physical Access Control
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas...
Role-based Training
Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to whi...
External System Services
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. O...
Developer Screening
Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities es...
Contingency Training
Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included i...
Authorization
Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly a...
Physical Access Authorizations
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID b...
Access Enforcement
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains)...
Authorization Process
Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standard...
Personnel Screening
Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk desig...
Identification and Authentication (Organizational Users)
Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12. Organizational users include employees or individuals who organizations cons...
Monitoring Physical Access
Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i...
System Backup
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-lev...
Authority to Process Personally Identifiable Information
The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information acro...
Data Governance Body
A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body estab...
Policy and Procedures
Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in estab...
Specialization
It is often necessary for a system or system component that supports mission-essential services or functions to be enhanced to maximize the trustworthiness of the resource. Sometimes this enhancement ...
External Personnel Security
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide s...
Account Management
Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specificat...
Position Risk Designation
Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel secu...
Maintenance Personnel
Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place ...
Specific Categories of Personally Identifiable Information
Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, dire...
Continuous Monitoring
Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing...
Cryptographic Module Authentication
Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and ...
Accounting of Disclosures
The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients ...
Personnel Termination
System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals un...
Separation of Duties
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or...
Personally Identifiable Information Processing Purposes
Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term process includes every s...
Re-authentication
In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators o...
Policy and Procedures
Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an importan...
Reference Monitor
A reference monitor is a set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects...
Policy and Procedures
Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor...
Policy and Procedures
Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing su...
Mission and Business Process Definition
Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss o...
Alternate Processing Site
Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capabil...
Risk Assessment
Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider ris...
Rules of Behavior
Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use ...
Position Descriptions
Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles a...
Provenance
Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a syst...
Delivery and Removal
Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.
Control Assessments
Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and...
Policy and Procedures
Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establi...
Identification and Authentication (Non-organizational Users)
Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than tho...
Permitted Actions Without Identification or Authentication
Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organ...
Identity Proofing
Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is ...
Visitor Access Records
Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the ...
Authenticator Management
Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authentic...
Continuous Monitoring Strategy
Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms...
Training Records
Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records ...
Policy and Procedures
Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing s...
Policy and Procedures
Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establish...
System Development Life Cycle
A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy conside...
Insider Threat Program
Organizations that handle classified information are required, under Executive Order 13587 EO 13587 and the National Insider Threat Policy ODNI NITP, to establish insider threat programs. The same sta...
Privacy Notice
Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals ab...
Policy and Procedures
Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing su...
Acquisition Strategies, Tools, and Methods
The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or syste...
Baseline Selection
Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either...
Personnel Transfer
Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the ...
Policy and Procedures
System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor i...
Impact Analyses
Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the c...
Personally Identifiable Information Quality Operations
Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information...
Minimization of Personally Identifiable Information Used in Testing, Training, and Research
The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior age...
Policy and Procedures
System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor ...
Security and Privacy Function Verification
Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages t...
Policy and Procedures
Personally identifiable information processing and transparency policy and procedures address the controls in the PT family that are implemented within systems and organizations. The risk management s...
Security and Privacy Workforce
Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based...
Policy and Procedures
Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such ...
Literacy Training and Awareness
Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training ...
Personnel Sanctions
Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be incl...
Policy and Procedures
Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important fa...
Scoping Question 2
Will the entity have physical access to the entity’s managed devices (e.g., laptops, smartphones, tablets)?
Purpose: Determines if the entity’s personnel will handle or use corporate-owned endpoints, which may store sensitive data.
Risk: Direct device access can lead to data leakage, malware introduction, or unauthorised configuration changes.
Mitigations:
- Device inventory and tracking
- Endpoint security policies (e.g., MDM enforcement)
- Access logging and tamper-evident seals
Enforce Remote Wipe Capability on Portable End-User Devices
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.
Log Sensitive Data Access
Log sensitive data access, including modification and disposal.
Establish and Maintain Detailed Enterprise Asset Inventory
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile...
Establish and Maintain a Secure Configuration Process
Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating...
Securely Dispose of Data
Securely dispose of data as outlined in the enterprise’s documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity.
Securely Manage Enterprise Assets and Software
Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces o...
Separate Enterprise Workspaces on Mobile End-User Devices
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate e...
Establish and Maintain a Secure Configuration Process for Network Infrastructure
Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safe...
Audit Record Review, Analysis, and Reporting
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, r...
Physical Access Control
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas...
Physical Access Authorizations
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID b...
Access Enforcement
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains)...
Access Restrictions for Change
Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or indi...
Authorization Process
Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standard...
Sensor Capability and Data
Sensor capability and data applies to types of systems or system components characterized as mobile devices, such as cellular telephones, smart phones, and tablets. Mobile devices often include sensor...
Identification and Authentication (Organizational Users)
Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12. Organizational users include employees or individuals who organizations cons...
Monitoring Physical Access
Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i...
System Backup
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-lev...
Authority to Process Personally Identifiable Information
The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information acro...
Protection of Information at Rest
Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, stora...
Data Governance Body
A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body estab...
Media Transport
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact d...
External Personnel Security
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide s...
Account Management
Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specificat...
Media Use
System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-di...
Specific Categories of Personally Identifiable Information
Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, dire...
Device Identification and Authentication
Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that ...
Protection of Audit Information
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit loggin...
Location of System Components
Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming elect...
Internal System Connections
Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including ...
Access Control for Mobile Devices
A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non...
Personnel Termination
System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals un...
Re-authentication
In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators o...
Security and Privacy Attributes
Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active en...
Asset Monitoring and Tracking
Asset location technologies can help ensure that critical assets—including vehicles, equipment, and system components—remain in authorized locations. Organizations consult with the Office ...
Access Control for Output Devices
Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized indivi...
Session Audit
Session audits can include monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session audit capability is implemented in addition to event logging and m...
Reference Monitor
A reference monitor is a set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects...
Information Flow Enforcement
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses ...
Software, Firmware, and Information Integrity
Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers...
Component Marking
Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printe...
Delivery and Removal
Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.
Information Sharing
Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive informat...
Identifier Management
Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable...
Device Lock
Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out ...
Permitted Actions Without Identification or Authentication
Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organ...
Out-of-band Channels
Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal...
Data Action Mapping
Data actions are system operations that process personally identifiable information. The processing of such information encompasses the full information life cycle, which includes collection, generati...
Use of External Systems
External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessmen...
Remote Access
Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broa...
Policy and Procedures
Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing su...
Publicly Accessible Content
In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including info...
Non-modifiable Executable Programs
The operating environment for a system contains the code that hosts applications, including operating systems, executives, or virtual machine monitors (i.e., hypervisors). It can also include certain ...
Information in Shared System Resources
Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf ...
Usage Restrictions
Usage restrictions apply to all system components including but not limited to mobile code, mobile devices, wireless access, and wired and wireless peripheral components (e.g., copiers, printers, scan...
Spam Protection
System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transporte...
Minimization of Personally Identifiable Information Used in Testing, Training, and Research
The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior age...
Media Storage
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs...
Transmission of Security and Privacy Attributes
Security and privacy attributes can be explicitly or implicitly associated with the information contained in organizational systems or system components. Attributes are abstractions that represent the...
Information Location
Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside...
Scoping Question 3
Does the entity use proprietary or third-party technology that must be licensed separately?
Purpose: Flags dependencies on paid tools, platforms, or IP that add cost or complicate your management landscape.
Risk: Creates unexpected cost, version-mismatch risk, and additional vendor-management overhead.
Mitigations:
- License-management tracking and renewal reminders
- Proof-of-license audits
- Evaluation of alternative open-source options
Establish and Maintain a Software Inventory
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business p...
Ensure Authorized Software is Currently Supported
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterpri...
Cross-organizational Audit Logging
When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of ind...
Notification Agreements
The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentia...
Supplier Assessments and Reviews
An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively a...
External System Services
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. O...
Software Usage Restrictions
Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure ...
External Personnel Security
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide s...
Software-enforced Separation and Policy Enforcement
System owners may require additional strength of mechanism to ensure domain separation and policy enforcement for specific types of threats and environments of operation.
Unsupported System Components
Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide cr...
Provenance
Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a syst...
System Component Inventory
System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories...
Customized Development of Critical Components
Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to ad...
Use of External Systems
External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessmen...
Acquisition Strategies, Tools, and Methods
The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or syste...
User-installed Software
If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions reg...
Scoping Question 4
Will the service integrate directly with core business processes or systems?
Identifies if the entity’s outputs plug into mission-critical workflows (order processing, billing, manufacturing, etc.). A faulty integration can cascade failures into critical operations, causing downtime, data corruption, or billing errors.
Mitigating controls: formal change-management process; pre-/post-integration validation testing; role-based access controls on integrated interfaces.
Establish and Maintain a Data Management Process
Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitiv...
Establish and Maintain a Secure Configuration Process
Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating...
Document Data Flows
Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when sig...
Notification Agreements
The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentia...
External System Services
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. O...
Authorization
Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly a...
Authorization Process
Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standard...
Specialization
It is often necessary for a system or system component that supports mission-essential services or functions to be enhanced to maximize the trustworthiness of the resource. Sometimes this enhancement ...
External Personnel Security
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide s...
Internal System Connections
Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including ...
Timely Maintenance
Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by th...
Separation of Duties
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or...
Telecommunications Services
Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for CP-8. Alternate telecommunications services reflect the continuity requirements...
Information Diversity
Actions taken by a system service or a function are often driven by the information it receives. Corruption, fabrication, modification, or deletion of that information could impact the ability of the ...
Configuration Change Control
Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades a...
Alternate Processing Site
Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capabil...
Unsupported System Components
Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide cr...
Controlled Maintenance
Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal ...
Service Identification and Authentication
Services that may require identification and authentication include web applications using digital certificates or services or applications that query a database. Identification and authentication met...
Provenance
Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a syst...
Criticality Analysis
Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioriti...
Central Management
Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organi...
Fail-safe Procedures
Failure conditions include the loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include alerting operator personnel...
Purposing
Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside of the scope o...
Flaw Remediation
The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those fl...
Maintenance Tools
Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used s...
Policy and Procedures
System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor i...
Developer Configuration Management
Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecti...
Incident Response Plan
It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabil...
Configuration Management Plan
Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software lib...
Alternative Security Mechanisms
Use of alternative security mechanisms supports system resiliency, contingency planning, and continuity of operations. To ensure mission and business continuity, organizations can implement alternativ...
Concept of Operations
The CONOPS may be included in the security or privacy plans for the system or in other system development life cycle documents. The CONOPS is a living document that requires updating throughout the sy...
Safe Mode
For systems that support critical mission and business functions—including military operations, civilian space operations, nuclear power plant operations, and air traffic control operations (esp...
Scoping Question 5
Will the entity’s services be subject to periodic audits by us or third parties?
Identifies whether you must audit their performance, controls, or compliance on a recurring basis. Audit preparation consumes internal resources; findings may require remediation and renegotiation of contract terms.
Mitigating controls: audit schedule and scoping document; right-to-audit clauses in contract; remediation-tracking and closure reporting.
Establish and Maintain a Data Management Process
Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitiv...
Audit Record Review, Analysis, and Reporting
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, r...
Physical Access Control
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas...
Cross-organizational Audit Logging
When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of ind...
Notification Agreements
The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentia...
Response to Audit Logging Process Failures
Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions incl...
Supplier Assessments and Reviews
An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively a...
External System Services
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. O...
Audit Record Retention
Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availab...
Authorization
Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly a...
Monitoring Physical Access
Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i...
Policy and Procedures
Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in estab...
Content of Audit Records
Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process ident...
Protection of Audit Information
Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit loggin...
Continuous Monitoring
Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing...
Accounting of Disclosures
The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients ...
Audit Log Storage Capacity
Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity...
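The four audit controls listed above (Content of Audit Records, Protection of Audit Information, Response to Audit Logging Process Failures, Audit Log Storage Capacity) describe what a log record must contain, that stored audit data must be tamper-protected, and that an organization must decide what happens when storage runs out. The following is an added illustration of those three points in one small log service; it is example code written for this page, not the vendor's product or NIST/CIS reference code. The field names, the HMAC key handling, the use of a record count as a stand-in for storage volume, and the choice of "alert and fail closed" as the organization-defined response are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Minimum content per record, following the items the control text names
# (event description, time stamp, source and destination, subject, outcome).
REQUIRED_FIELDS = ("event", "timestamp", "source", "destination", "subject", "outcome")

GENESIS = "0" * 64  # chain anchor used before the first record exists


class AuditLogFailure(Exception):
    """Raised when the log refuses a record; here, when capacity is exhausted."""


def canonical(record: dict) -> str:
    """Deterministic serialisation so the MAC covers exactly the stored content."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


class AuditLog:
    """Append-only log in which each entry is HMAC-chained to its predecessor.

    The chain makes deletion, reordering or in-place edits of stored records
    detectable by anyone holding the key (one way to protect audit information).
    """

    def __init__(self, key: bytes, capacity: int, warn_fraction: float = 0.8):
        self._key = key                    # assumption: held by the log service, not by producers
        self._capacity = capacity          # assumption: record count stands in for storage volume
        self._warn_at = int(capacity * warn_fraction)
        self.entries: list = []            # each entry: {"record": dict, "mac": hex digest}
        self.alerts: list = []             # organisation-defined action chosen here: alert operators

    def _mac(self, prev: str, record: dict) -> str:
        msg = (prev + canonical(record)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, record: dict) -> dict:
        """Validate required content, enforce capacity, then chain and store."""
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            raise ValueError(f"audit record missing required content: {missing}")
        if len(self.entries) >= self._capacity:
            # Fail closed: never overwrite or silently drop audit data when full.
            self.alerts.append("audit storage capacity reached; logging halted")
            raise AuditLogFailure("audit log full")
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"record": dict(record), "mac": self._mac(prev, record)}
        self.entries.append(entry)
        if len(self.entries) == self._warn_at:
            self.alerts.append(f"audit storage at {len(self.entries)}/{self._capacity}")
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if not hmac.compare_digest(self._mac(prev, entry["record"]), entry["mac"]):
                return i
            prev = entry["mac"]
        return None


def demo() -> dict:
    """Write constructed sample events, then show that a later edit is detected."""
    log = AuditLog(key=b"example-key-not-for-production", capacity=5)
    sample = [  # constructed sample events, not real log data
        {"event": "ssh login", "timestamp": "2024-05-01T08:00:00Z", "source": "10.0.0.5",
         "destination": "10.0.1.20", "subject": "alice", "outcome": "success"},
        {"event": "sudo", "timestamp": "2024-05-01T08:01:10Z", "source": "10.0.1.20",
         "destination": "10.0.1.20", "subject": "alice", "outcome": "failure"},
        {"event": "file read", "timestamp": "2024-05-01T08:02:00Z", "source": "10.0.1.20",
         "destination": "/etc/shadow", "subject": "alice", "outcome": "denied"},
    ]
    for rec in sample:
        log.append(rec)
    intact = log.verify() is None
    log.entries[1]["record"]["outcome"] = "success"   # simulate an attacker rewriting history
    return {"intact_before": intact, "first_bad_entry": log.verify(), "alerts": list(log.alerts)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the chain verifying cleanly, then pointing at entry 1 once that record's outcome is rewritten. Whether to halt logging when full (as here) or to overwrite the oldest records is exactly the organization-defined decision the control leaves open; failing closed protects the evidentiary value of the log at the cost of availability, so it suits systems where the capacity warning is monitored and acted on.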
Policy and Procedures
Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an importan...
Session Audit
Session audits can include monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session audit capability is implemented in addition to event logging and m...
Audit Record Reduction and Report Generation
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report gener...
Configuration Change Control
Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades a...
Controlled Maintenance
Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal ...
Provenance
Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a syst...
Event Logging
An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals....
Flaw Remediation
The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those fl...
Policy and Procedures
System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor i...
Policy and Procedures
System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor ...
Policy and Procedures
Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such ...
Privacy Reporting
Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meet...
Scoping Question 6
Will the entity host entity, partner, or customer data in their own network environment?
Determines if your data will reside on the provider’s infrastructure rather than your controlled systems. Loss of direct control over data storage, potential co-tenant risks, and challenges in meeting data-sovereignty or compliance requirements.
Mitigating controls: contractual data-hosting SLA and security requirements; data segregation (logical/physical) and encryption at rest; periodic network and configuration audits; defined backup, retention, and e-discovery procedures.
Establish and Maintain a Data Management Process
Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitiv...
Establish and Maintain Detailed Enterprise Asset Inventory
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile...
Establish and Maintain a Secure Configuration Process
Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating...
Securely Dispose of Data
Securely dispose of data as outlined in the enterprise’s documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity.
Enforce Data Retention
Retain data according to the enterprise’s documented data management process. Data retention must include both minimum and maximum timelines.
Securely Manage Enterprise Assets and Software
Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces o...
Establish and Maintain a Data Inventory
Establish and maintain a data inventory based on the enterprise’s data management process. Inventory sensitive data annually, at a minimum. Review and update inventory annually, at a minimum, with a p...
Encrypt Sensitive Data at Rest
Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encr...
Establish and Maintain a Secure Configuration Process for Network Infrastructure
Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safe...
Deploy a Data Loss Prevention Solution
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located on...
External System Services
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. O...
System Backup
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-lev...
Authority to Process Personally Identifiable Information
The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information acro...
Protection of Information at Rest
Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, stora...
Data Governance Body
A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body estab...
Information Exchange
System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, conn...
Specific Categories of Personally Identifiable Information
Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, dire...
Telecommunications Services
Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for CP-8. Alternate telecommunications services reflect the continuity requirements...
Alternate Storage Site
Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate ...
Information Flow Enforcement
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses ...
Service Identification and Authentication
Services that may require identification and authentication include web applications using digital certificates or services or applications that query a database. Identification and authentication met...
System Component Inventory
System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories...
Information Sharing
Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive informat...
Secure Name/Address Resolution Service (Authoritative Source)
Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name ...
Out-of-band Channels
Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal...
Data Action Mapping
Data actions are system operations that process personally identifiable information. The processing of such information encompasses the full information life cycle, which includes collection, generati...
Remote Access
Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broa...
Developer Configuration Management
Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecti...
Distributed Processing and Storage
Distributing processing and storage across multiple physical locations or logical domains provides a degree of redundancy or overlap for organizations. The redundancy and overlap increase the work fac...
Allocation of Resources
Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.
Transmission Confidentiality and Integrity
Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, not...
Boundary Protection
Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetw...
Scoping Question 7
Does the service require handling or custody of the entity’s physical assets (e.g., hardware, inventory)?
Flags responsibility for equipment, shipments, or on-site physical items under the entity’s care. Asset damage, loss, or theft can disrupt operations and lead to replacement costs or insurance claims.
Mitigating controls: asset-tagging and inventory management system; insurance and liability clauses; chain-of-custody documentation for transfers.
Establish and Maintain Detailed Enterprise Asset Inventory
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile...
External System Services
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. O...
Access Enforcement
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains)...
System Backup
System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-lev...
Media Transport
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact d...
External Personnel Security
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide s...
Supply Chain Controls and Processes
Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and di...
Timely Maintenance
Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by th...
Separation of Duties
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or...
Asset Monitoring and Tracking
Asset location technologies can help ensure that critical assets—including vehicles, equipment, and system components—remain in authorized locations. Organizations consult with the Office ...
Controlled Maintenance
Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal ...
Provenance
Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a syst...
System Component Inventory
System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories...
Supply Chain Operations Security
Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information, analyzing friendly actions related to ope...
Personnel Transfer
Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the ...
Policy and Procedures
System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor i...
Incident Response Plan
It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabil...
Policy and Procedures
Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organization...
Supply Chain Risk Management Plan
The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Thre...
Policy and Procedures
Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such ...
Component Disposal
Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, ...
Incident Handling
Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organiz...
Scoping Question 8
Will the entity’s staff operate on-site at entity facilities?
Determines whether the entity’s personnel need to be co-located with your teams, impacting coordination and oversight.
Risk: Increases insider/physical-security risk (tailgating, unauthorised access); adds complexity for facility management and supervision.
Controls: Badge-based physical access controls; escort and visitor logging policy; segregated work areas with monitoring cameras.
Audit Record Review, Analysis, and Reporting
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, r...
Physical Access Control
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas...
Cross-organizational Audit Logging
When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of ind...
Role-based Training
Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to whi...
Authorization
Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly a...
Physical Access Authorizations
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID b...
Access Enforcement
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains)...
Access Restrictions for Change
Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or indi...
Authorization Process
Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standard...
Personnel Screening
Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk desig...
Identification and Authentication (Organizational Users)
Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12. Organizational users include employees or individuals who organizations cons...
Monitoring Physical Access
Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i...
Media Transport
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact d...
Account Management
Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specificat...
Maintenance Personnel
Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place ...
Specific Categories of Personally Identifiable Information
Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, dire...
Alternate Work Site
Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternat...
Location of System Components
Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming elect...
Timely Maintenance
Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by th...
Separation of Duties
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or...
Asset Monitoring and Tracking
Asset location technologies can help ensure that critical assets—including vehicles, equipment, and system components—remain in authorized locations. Organizations consult with the Office ...
Software-enforced Separation and Policy Enforcement
System owners may require additional strength of mechanism to ensure domain separation and policy enforcement for specific types of threats and environments of operation.
Session Audit
Session audits can include monitoring keystrokes, tracking websites visited, and recording information and/or file transfers. Session audit capability is implemented in addition to event logging and m...
Information Flow Enforcement
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses ...
Policy and Procedures
Personnel security policy and procedures address the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing su...
Position Descriptions
Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles a...
Delivery and Removal
Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.
Policy and Procedures
Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establi...
Out-of-band Channels
Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal...
Visitor Access Records
Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the ...
Continuous Monitoring Strategy
Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms...
Environmental Controls
The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms)....
Insider Threat Program
Organizations that handle classified information are required, under Executive Order 13587 (EO 13587) and the National Insider Threat Policy (ODNI NITP), to establish insider threat programs. The same sta...
Policy and Procedures
Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing su...
Personnel Transfer
Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the ...
Impact Analyses
Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the c...
Cross Domain Policy Enforcement
For logical policy enforcement mechanisms, organizations avoid creating a logical path between interfaces to prevent the ability to bypass the policy enforcement mechanism. For physical policy enforce...
Personnel Sanctions
Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be incl...
Policy and Procedures
Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing ...
Sensor Relocation
Adversaries may take various paths and use different approaches as they move laterally through an organization (including its systems) to reach their target or as they attempt to exfiltrate informatio...
Hardware-enforced Separation and Policy Enforcement
System owners may require additional strength of mechanism and robustness to ensure domain separation and policy enforcement for specific types of threats and environments of operation. Hardware-enfor...
Scoping Question 9
Will the entity subcontract any portion of this engagement to other providers?
Checks if the prime entity relies on fourth parties, affecting visibility into who actually performs the work.
Risk: Sub-providers may have weaker controls, inconsistent quality, and introduce hidden compliance or contractual gaps.
Controls: Flow-down contractual requirements; right-to-audit sub-providers; sub-vendor inventory and control reviews.
Cross-organizational Audit Logging
When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of ind...
Notification Agreements
The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentia...
Supplier Assessments and Reviews
An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively a...
External System Services
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. O...
External Personnel Security
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide s...
Supply Chain Operations Security
Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information, analyzing friendly actions related to ope...
Acquisition Strategies, Tools, and Methods
The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or syste...
Scoping Question 10
Does the entity’s performance depend on access to proprietary processes or intellectual property?
Clarifies whether the entity needs to understand or use your unique methodologies, algorithms, or trade secrets.
Risk: Exposure of IP risks theft or leakage, eroding competitive advantage and complicating future provider transitions.
Controls: NDAs and IP assignment clauses; ACLs on sensitive repositories; periodic IP-use audits.
Cross-organizational Audit Logging
When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of ind...
Notification Agreements
The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentia...
Access Restrictions for Change
Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or indi...
Authority to Process Personally Identifiable Information
The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information acro...
Specific Categories of Personally Identifiable Information
Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, dire...
Accounting of Disclosures
The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients ...
Information Flow Enforcement
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses ...
System Component Inventory
System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories...
Information Sharing
Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive informat...
Identification and Authentication (Non-organizational Users)
Non-organizational users include system users other than organizational users explicitly covered by IA-2. Non-organizational users are uniquely identified and authenticated for accesses other than tho...
Customized Development of Critical Components
Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to ad...
Remote Access
Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broa...
Acquisition Strategies, Tools, and Methods
The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or syste...
Personally Identifiable Information Quality Operations
Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information...
Monitoring for Information Disclosure
Unauthorized disclosure of information is a form of data leakage. Open-source information includes social networking sites and code-sharing platforms and repositories. Examples of organizational infor...
Allocation of Resources
Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.
Scoping Question 11
Does the entity use third parties to deliver services outside the United States?
Identifies whether any part of service delivery is outsourced internationally, beyond your direct oversight.
Risk: Offshore third parties can fall under different regulatory regimes and complicate compliance, data sovereignty, and oversight.
Controls: International due-diligence and risk assessments; flow-down contract clauses for compliance and data handling; regular third-party audits and SLAs.
Cross-organizational Audit Logging
When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of ind...
Notification Agreements
The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentia...
Supplier Assessments and Reviews
An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively a...
External System Services
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. O...
Developer Screening
Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities es...
External Personnel Security
External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide s...
Security Alerts, Advisories, and Directives
The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued...
Use of External Systems
External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessmen...
Supply Chain Operations Security
Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information, analyzing friendly actions related to ope...
Incident Response Plan
It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabil...
Scoping Question 12
Will the service generate customer-facing deliverables or directly impact end users?
Determines if the entity’s outputs (reports, portals, APIs) are visible to or used by your customers or partners.
Risk: Errors or downtime become public, risking reputational damage, customer churn, and potential SLA penalties.
Controls: QA review gates; pre-release user-acceptance testing (UAT); versioned API contracts and rollback procedures.
Notification Agreements
The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentia...
External System Services
External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. O...
Scoping Question 13
Is continuous (24/7) availability required for this service?
Establishes whether the service must run without interruption (e.g., call center, global e-commerce).
Risk: Leaves little or no maintenance window, raises the operations burden, and increases the risk of slip-ups or fatigue-related errors on support shifts.
Controls: SLAs with uptime guarantees; geographically redundant infrastructure; automated alerting and escalation paths.
Continuous Monitoring
Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing...
Timely Maintenance
Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by th...
Telecommunications Services
Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for CP-8. Alternate telecommunications services reflect the continuity requirements...
Alternate Processing Site
Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capabil...
Fail-safe Procedures
Failure conditions include the loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include alerting operator personnel...
Continuous Monitoring Strategy
Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms...
Predictable Failure Prevention
While MTTF is primarily a reliability issue, predictable failure prevention is intended to address potential failures of system components that provide security capabilities. Failure rates reflect ins...
Contingency Plan
Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restorati...
Emergency Lighting
The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. ...
Scoping Question 14
Will any part of the work be performed, or deliverables hosted, outside the United States?
Reveals cross-border execution or hosting, with implications for time zones, language, and differing regulations.
Risk: May violate data-sovereignty laws, complicate breach-notification requirements, and introduce communication or time-zone challenges.
Controls: Data-residency and export-control policies; encryption of data in transit and at rest; jurisdiction-specific compliance attestations.
Security Alerts, Advisories, and Directives
The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued...
Alternate Storage Site
Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate ...
Information Flow Enforcement
Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses ...
Alternate Processing Site
Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capabil...
Scoping Question 15
Does the service entail custom or bespoke development unique to the entity?
Flags projects that require tailored code, configurations, or processes rather than off-the-shelf solutions.
Risk: Custom solutions are harder to maintain, increase dependency, and may not be supported by other providers or future upgrades.
Controls: Secure SDLC with code reviews; version-controlled documentation; exit-ready source-code escrow.
Unsupported System Components
Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide cr...
Customized Development of Critical Components
Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to ad...
Development Process, Standards, and Tools
Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such ...