CSF v9.3 Summary of Changes PDF

Version 9.
3 Summary of Changes
Incorporates changes stemming from
the California Consumer Privacy Act,
the South Carolina Insurance Data Security Act,
and NIST SP 800-171 r2
October 2019
© 2019 HITRUST. All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be reproduced or
utilized other than being shared as is in full, in any form or by any means, electronical or mechanical, without HITRUST’s prior written permission.
October 2019
Fundamental to HITRUST’s mission is the availability of a common security and privacy framework, the
HITRUST CSF (“CSF”), which provides the needed structure, transparency, guidance and cross-references
to authoritative sources organizations globally need to be certain of their data protection compliance.
The initial development of the CSF leveraged nationally and internationally accepted security and privacy
related regulations, standards, and frameworks–including ISO, NIST, PCI, HIPAA, and COBIT–to ensure a
comprehensive set of security and privacy controls. The CSF standardizes these requirements, providing
clarity and consistency and reducing the burden of compliance.
HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating
the CSF to integrate and normalize applicable requirements and best practices as authoritative sources.
The HITRUST CSF v9.3 release includes changes based on feedback from the HITRUST community;
miscellaneous corrections; added language to the glossary to better clarify terms found in the
framework; and incorporation of regulatory requirements from the California Consumer Privacy Act
(CCPA), the South Carolina Insurance Data Security Act (SCIDSA), and NIST SP 800-171 r2 (DFARS). These
updates reflect HITRUST’s commitment to provide a framework fitting for any organization globally.
Minor administrative updates, such as the correction of grammar or formatting errors, are generally not
reflected in the Summary of Changes. Simple mapping updates from one version of a source to a newer
version, which do not impact existing content, are also generally not reflected.
The table below provides a summary of the changes to the CSF broken down by Control Specification and
Implementation Requirement Level.
© 2019 HITRUST. All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be
reproduced or utilized other than being shared as is in full, in any form or by any means, electronical or mechanical, without HITRUST’s prior
written permission.
CSF Control Authoritative
Summary of Changes Remarks
Cntrl Level Source Cross-
Reference(s)
Added:
Licensees have a formal information security program

SCIDSA 33-99-20(A)
that, based on a risk assessment, is designed to Necessitates new MyCSF requirement
SCIDSA 33-99-20(B)
mitigate identified risks, commensurate with the size, statement industry specific to SCIDSA
00.a SCIDSA SCIDSA 33-22-20(C)
complexity, and sensitivity of the data which the SCIDSA 33-99-20(E) (011201.00aSCIDSAOrganizational.1)
licensee holds. The licensee designates a specific SCIDSA 33-99-20(D)
person, affiliate, or entity to be responsible for the
program.
Added:
Annually, insurers are required to submit a written Necessitates new MyCSF requirement
00.a SCIDSA statement by the 15th of February, certifying SCIDSA 33-99-20(I) statement industry specific to SCIDSA
compliance with the South Carolina Insurance Data (011202.00aSCIDSAOrganizational.2)
Security Act and maintain all required records for a
period of five years.
Added:
Consistent with existing content
00.a 2 SCIDSA 33-99-20(G)
SCIDSA Cross Reference (0102.00a2Organizational.123)
Update:
Title 23 NYCRR 01112.00a23NYCRR500.Organizational.1 Updated BUID

00.a N/A
Part 500
01112.00aNYCRR500Organizational.1
© 2019 HITRUST. All rights reserved. Any commercial uses or creations of derivative works are prohibited. No part of this publication may be reproduced or utilized other than being shared as is in
full, in any form or by any means, electronical or mechanical, without HITRUST’s prior written permission. 3
Update:

00.a N/A
Part 500
Update:

00.a N/A
Part 500
Updated:

00.a N/A
Part 500
Update:

00.a N/A
Part 500

Added:
(1101.01a1Organizational.1245,
01.a 1 ISO/IEC 27799:2016 9.1.1 1102.01a1Organizational.3,
ISO/IEC 27799:2016 Cross Reference
1103.01a1Organizational.67)
Added:
ISO/IEC 27799:2016 9.1.1 Consistent with existing content
01.a 2 ISO/IEC 27799:2016 9.1.2 (1104.01a2Organizational.123)
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 9.2.1
Added:
ISO/IEC 27799:2016 9.1.1
01.a 2
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 9.2.1 (1105.01a2Organizational.4)
Added:
NIST Cybersecurity
01.a 1 (1101.01a1Organizational.1245)
NIST Cybersecurity Framework v1.1 Cross Reference Framework v1.1 PR:SC-6
Added:
NIST Cybersecurity
NIST Cybersecurity Framework v1.1 Cross Reference Framework v1.1 PR.AC-6
Added:
01.a 1 NIST SP 800-171 r2 3.1.1 (1101.01a1Organizational.1245)
NIST SP 800-171 r2 Cross Reference
Added:
NIST SP 800-171 r2 3.1.1
01.a 1 NIST SP 800-171 r2 Cross Reference (1103.01a1Organizational.67)
NIST SP 800-171 r2 3.1.2
Added: Consistent with existing content

ISO/IEC 27799:2016 9.2.1 (1111.01b2System.1,
01.b 2
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 9.2.2 1112.01b2System.2)

NIST Cybersecurity (1106.01b1System.1,
01.b 1
NIST Cybersecurity Framework v1.1 Cross Reference Framework v1.1 PR.AC-6 1109.01b1System.479)
Added:
01.b 1 NIST SP 800-171 r2 3.1.1 (1106.01b1System.1)
Added:
01.b 1 NIST SP 800-171 r2 3.1.2 (1139.01b1System.68)
Updated:
The organization disables accounts of users posing a Updated requirement statement due to new CMS ARS 3.1
significant risk immediately, not to exceed 30 minutes CMSRs v3.1 AC-02(13) language
01.b CMS
within sixty (60) minutes of after discovery of the risk, (HIGH) (1141.01bCMSSystem.12)
and all disabled accounts are deleted during the
annual re-certification process.
Removed:
Removed segment and requirement; as language was removed in
CMSRs v3.1 AC-02(13) CMS ARS v3.1
01.b HIX Disabled accounts are deleted during the annual re- (HIGH) (1142.01bHIXSystem.1)
certification process.
Removed:
Remote access to privileged functions, e.g., server,

Removed requirement; as requirement was deleted in CIS CSC
workstation and network device administration, is
01.c CIS CIS CSC v6 3.4 v7.1
performed over secure channels. Protocols such as
(11181.01c3System.7)
telnet and others that do not actively support strong
encryption are only used when performed over a
secondary encryption channel, e.g., SSL, TLS or IPSEC.
Added:
01.c 1 ISO/IEC 27799:2016 9.2.3 (1143.01c1System.123)
Added:
01.c 2 ISO/IEC 27799:2016 9.2.3 (1147.01c2System.456)
Added:
ISO/IEC 27799:2016 9.1.1
01.c 2
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 9.2.3 (1148.01c2System.78)
Added:
01.c 3 ISO/IEC 27799:2016 9.2.3 (1151.01c3System.1)
Added:
NIST Cybersecurity
01.c 2 (1147.01c2System.456)
Added:
NIST SP 800-171 r2 3.1.2
01.c 1 (1143.01c1System.123)
NIST SP 800-171 r2 Cross Reference NIST SP 800-171 r2 3.1.5
Added:
01.c 1 NIST SP 800-171 r2 3.1.5 (1144.01c1System.4)
Added:
NIST SP 800-171 r2 3.1.5
01.c 2 (1148.01c2System.78)
Added:
Added:
NIST SP 800-171 r2 3.1.5
01.c 3 (1151.01c3System.1)
Added:
Added:
Updated:
The organization uses automated tools to inventory

all administrative accounts, including domain and Updated requirement statement due to new CIS CSC v7.1
01.c CIS local accounts, to ensure that only authorized CIS CSC v7.1 4.1 language
individuals have elevated privileges and validates that (11182.01cCISSystem.8)
each person with administrative privileges on
desktops, laptops, and servers is authorized by a
senior executive.
Updated:
Administrators are required to access a system using

a fully logged and non-administrative account. Then,
once logged on to the machine without
administrative privileges, the administrator
Updated requirement statement due to new CIS CSC v7.1
transitions to administrative privileges using tools
language
01.c CIS such as Sudo on Linux/UNIX, RunAs on Windows, and CIS CSC v7.1 4.3
(11183.01cCISSystem.9)
other similar facilities for other types of systems.
Ensure that all users with administrative account
access use a dedicated or secondary account for
elevated activities. This account should only be used
for administrative activities and not internet
browsing, email, or similar activities.
Updated:
The organization authorizes network access to Updated requirement statement due to new CMS ARS 3.1
privileged commands only for defined compelling CMSRs v3.1 AC-06(03) language
01.c CMS
operational needs documented as defined in the (HIGH) (1156.01cCMSSystem.3)
system sSecurity pPlan and documents the rationale
for the information system.
Updated:
11182.01c3System.8 Updated BUID

01.c CIS N/A
11182.01cCISSystem.8
Updated:
11183.01c3System.9 Updated BUID

01.c CIS N/A
Updated:
01.c CIS 11184.01c3System.10 N/A Updated BUID
Updated:
If the operating environment allows, the organization Updated requirement statement due to new CMS ARS v3.1
requires at least six (6) characters to be changed. CMSRs v3.1 IA-05(01) language
01.d CMS
enforces a minimum of number of changed (HIGH)(MOD) (1031.01dCMSSystem.5)
characters when new passwords are created, set the
value at 12 for High and 6 for Moderate systems.
Added:
ISO/IEC 27799:2016 9.4.2
01.d 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 9.4.3 (1002.01d1System.1)
Added:
ISO/IEC 27799:2016 9.3.1
01.d 1

01.d 1 ISO/IEC 27799:2016 9.4.3 (1005.01d1System.1011,
ISO/IEC 27799:2016 Cross Reference 1014.01d1System.12)
01.d 1 ISO/IEC 27799:2016 9.2.4 (1015.01d1System.14,
Added:
ISO/IEC 27799:2016 9.3.1
01.d 1
Added:
01.d 2 ISO/IEC 27799:2016 9.2.4 (1009.01d2System.4)
Added:
NIST SP 800-171 r2 3.5.10
01.d 1
NIST SP 800-171 r2 Cross Reference NIST SP 800-171 r2 3.5.11 (1005.01d1System.1011)
Added:
01.d 1 NIST SP 800-171 r2 3.5.9 (1031.01d1System.34510)
Updated:
The information system for password-based

authentication: (i) enforces password minimum
lifetime restriction of one day; (ii) enforces non- Requirement statement updated for clarity
IRS Pub 1075 v2016
01.d FTI privileged account password expiration of to be (1019.01dFTISystem.1)
9.3.7.5
changed at least every 90 days; and, (iii) enforces
privileged account passwords expiration of to be
changed at least every 60 days.
Updated:
01.d CIS 1023.01d2System.6 N/A Updated BUID
1023.01dCISSystem.6
Updated:
1028.01PCISystem.4 Updated BUID

01.d PCI N/A
1028.01dPCISystem.4
Added:
01.e 1 ISO/IEC 27799:2016 9.2.5 (1166.01e1System.12)

01.e 2 ISO/IEC 27799:2016 9.2.5 (1167.01e2System.1,
ISO/IEC 27799:2016 Cross Reference 1168.01e2System.2)
Added:
01.e 1 NIST SP 800-171 r2 3.9.2 (1166.01e1System.12)
Removed:
Removed segment and requirement; as requirement was
CMSRs 2013v2 AC-2 removed in CMS ARS 3.1
01.e CMS All information system accounts are reviewed to (HIGH) (1169.01eCMSSystem.1)
receive annual certification.
Updated:
11185.01e1System.3 Updated BUID

01.e CIS N/A
11185.01eCISSystem.3
Updated:
11186.01e2System.3 Updated BUID

01.e CIS N/A
11186.01eCISSystem.3
01.f 1 ISO/IEC 27799:2016 9.3.1 (1011.01f1Organizational.1,
ISO/IEC 27799:2016 Cross Reference 1020.01f1System.2)
Added:
01.g 1 ISO/IEC 27799:2016 11.2.8 (0210.01g1Organizational.1)
Added:
01.h 1 ISO/IEC 27799:2016 11.2.9 (1114.01h1Organizational.123)
Added:
Added:
01.h 1 NIST SP 800-171 r2 3.8.1 (1114.01h1Organizational.123)
Added:
01.i 1 ISO/IEC 27799:2016 9.1.2 (0801.01i1Organizational.1)
Added:
Added:
NIST SP 800-171 r2 3.1.1 Consistent with existing content
01.i 2 NIST SP 800-171 r2 3.1.2 (0802.01i2Organizational.123)
Added:
NIST SP 800-171 r2 3.1.1
01.i 2
NIST SP 800-171 r2 Cross Reference NIST SP 800-171 r2 3.1.20 (0803.01i2Organizational.4)
Added:
Added:
01.j HIX NIST SP 800-171 r2 3.1.12 (1188.01jHIXOrganizational.1)
Added:
NIST SP 800-171 r2 3.5.2
01.j 1 (1116.01j1Organizational.145)
Added:
01.j 1 NIST SP 800-171 r2 3.7.5 (1117.01j1Organizational.23)
Added:
NIST SP 800-171 r2 3.1.16
01.j 1
NIST SP 800-171 r2 Cross Reference NIST SP 800-171 r2 3.1.17 (1174.01j1Organizational.7)
Added:
NIST SP 800-171 r2 3.5.1
Added:
NIST SP 800-171 r2 3.1.13
01.j 3
NIST SP 800-171 r2 Cross Reference NIST SP 800-171 r2 3.1.15 (1121.01j3Organizational.2)
Added:
Added:
Updated:
The organization requires all remote login access

(including VPN, dial-up, and other forms of access
language
01.j CIS that allow login to internal systems, e.g., from an CIS CSC v7.1 12.11
(11187.01jCISSystem.8)
alternate work location or to sensitive information via
a Web portal) to encrypt data in transit and use two-
factor authentication.
Added:
01.l 3 NIST SP 800-171 r2 3.4.7 (1195.01l3Organizational.1)
Added:
Updated:
The organization identifies defined software

programs authorized to execute on the information
system, employs automated mechanisms to prevent
program execution in accordance with the list of
authorized programs through a deny-all, permit-by- CMSRs v3.1 CM-07(02) Updated requirement statement due to new CMS ARS 3.1
exception policy, and reviews and updates the list of HIGH; MOD) language
01.l CMS
authorized software programs within every ninety CMSRs v3.1 CM-07(05) (11100.01lCMSOrganizational.34)
(90) days. employs a deny-all, permit-by-exception (HIGH)
policy to allow the execution of authorized software
programs on the information system, reviews and
updates the list of authorized software programs no
less often than every 72 hours, and receives
automated updates from a trusted source.
Updated:
1192.01l1Organizational.1 Updated BUID

01.l 1 N/A
1892.01l1Organizational.1
Added:
01.m 1 ISO/IEC 27799:2016 13.1.3 (0805.01m1Organizational.12)
Added:
01.m 2 ISO/IEC 27799:2016 13.1.3 (0806.01m2Organizational.12356)
Added:
01.m 1 NIST SP 800-171 r2 3.13.1 (0805.01m1Organizational.12)
Added:
Updated:
The organization uses virtual machines and/or air-

gapped (i.e., stand-alone) systems to isolate and run
applications that are required for business operations
language
01.m CIS but present a high risk to the organization for CIS CSC v7.1 2.10
(0893.01mCISOrganizational.4)
connection to its network(s). Physically or logically
segregated systems should be used to isolate and run
software that is required for business operations but
incur higher risk for the organization.
Updated:
The organization creates separate virtual local area Updated requirement statement due to new CIS CSC v7.1
networks (VLANs) for BYOD systems or other language
01.m CIS CIS CSC v7.1 15.10
untrusted devices (e.g., legacy devices). Enterprise (0897.01mCISOrganizational.10)
access from this network should be treated as
untrusted and filtered and audited accordingly.
Updated:
01.m CIS 0893.01m1Organizational.4 N/A Updated BUID
0893.01mCISOrganizational.4
Removed:
Removed requirement; as requirement was removed in CIS CSC
The organization operates critical services on v7.1
01.m CIS CIS CSC v6 9.5
separate physical or logical host machines, such as (0898.01m2Organizational.11)
DNS, file, mail, Web and database servers.
Updated:
0892.01m1Organizational.3 Updated BUID

01.m CIS N/A
Updated:
Updated:

01.m CIS N/A
Updated:

01.m CIS N/A
Added:
01.n 1 NIST SP 800-171 r2 3.13.6 (0814.01n1Organizational.12)
Added:
Added:
Added:
Added:
01.o 1 ISO/IEC 27799:2016 13.1.3 (0850.01o1Organizational.12)
Removed:
Removed requirement; as requirement was re-written in CIS CSC
Internet access from virtual local area networks
01.o CIS CIS CSC v6 15.9 v7.1
(VLANs) for BYOD systems or other untrusted devices
(08100.01o2Organizational.5)
(e.g., legacy devices) goes through at least the same
border as corporate traffic.
Updated:
The organization configures all network switches for

Private VLAN (also known as port isolation) disables Updated requirement statement due to language change in CIS
all workstation-to-workstation communication to CSC v7.1
01.o CIS CIS CSC v7.1 14.3
limit an attacker's ability to move laterally and (0899.01oCISOrganizational.4)
compromise neighboring systems, through
technologies such as Private VLANs or
microsegmentation.
Updated:
0899.01o2Organizational.4 Updated BUID

01.o CIS N/A
0899.01oCISOrganizational.4
Removed:
Removed segment and requirement; as requirement was made
01.p CMS CMSRs v3.1 AC-09 non-mandatory in CMS ARS v3.1
The information system notifies the user upon
(11106.01pCMSOrganizational.4)
successful logon (access) to the system of the date
and time of the last logon (access).
Updated:
The organization configures the information system

to lock out the user account for a minimum of three
Updated requirement statement due to new CMS ARS v3.1
(3) hours automatically after three (3) invalid login
01.p CMS attempts via a local or network connection during a CMSRs v3.1 AC-07 (HIGH) language
(11107.01pCMSOrganizational.56)
one (1) hour time period. automatically after 3
invalid login attempts during a 120-minute time
window and requires the lockout to persist until
released by an administrator.
Added:
01.p 1 ISO/IEC 27799:2016 9.4.2 (11102.01p1Organizational.1)
Added:
01.p 2 ISO/IEC 27799:2016 9.4.2 (11103.01p2Organizational.12)
Added:
ISO/IEC 27799:2016 7.2.2
01.p 3
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 9.4.2 (11104.01p3Organizational.13)
Added:
ISO/IEC 27799:2016 7.2.2
01.p 3
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 9.4.2 (1312.01p3Organizational.2)
Added:
01.p 1 NIST SP 800-171 r2 3.1.8 (11102.01p1Organizational.1)
Added:
Added:

01.q 1 ISO/IEC 27799:2016 9.2.1 (11109.01q1Organizational.57,
ISO/IEC 27799:2016 Cross Reference 1122.01q1System.1)
Added:
01.q 1 ISO/IEC 27799:2016 9.2.3 (1123.01q1System.2)
Added:
01.q 1 ISO/IEC 27799:2016 9.2.1 (1124.01q1System.34)
01.q 2 ISO/IEC 27799:2016 9.2.1 (1127.01q2System.3,
ISO/IEC 27799:2016 Cross Reference 1128.01q2System.5)
Added:
NIST Cybersecurity
01.q CMS (11114.01qCMSOrganizational.12)
Added:
01.q 1 NIST SP 800-171 r2 3.5.5 (11109.01q1Organizational.57)
Added:
NIST SP 800-171 r2 3.1.5
01.q 1 (1123.01q1System.2)
Added:
01.q 3 NIST SP 800-171 r2 3.5.3 (11113.01q3Organizational.1)
Added:
NIST SP 800-171 R2 3.5.2
01.q 2
NIST SP 800-171 r2 Cross Reference NIST SP 800-171 R2 3.5.4 (11112.01q2Organizational.67)
Added:
NIST SP 800-171 R2 3.5.1
01.q 2
NIST SP 800-171 r2 Cross Reference NIST SP 800-171 R2 3.5.2 (1128.01q2System.5)
Updated:
Where multi-factor authentication is not supported

for use cases such as remote network access to
privileged and non-privileged accounts or local access
01.q CIS CIS CSC v7.1 16.10 language
to privileged accounts (including those used for non-
(11188.01qCISOrganizational.8)
local maintenance and diagnostic sessions), users are
required to use long passwords on the system of at
least 14 characters. Ensure that all accounts have an
expiration date that is monitored and enforced.
Updated:
11188.01q2Organizational.8 Updated BUID

01.q CIS N/A
11188.01qCISOrganizational.8
Updated:
01.q CIS 11189.01q2Organizational.8 N/A Updated BUID
11189.01qCISOrganizational.8
Updated:
1126.01q2System.PCI Updated BUID

01.q PCI N/A
1126.01qPCISystem.PCI
Added:
ISO/IEC 27799:2016 9.2.4
01.r 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 9.4.3 (1012.01r1System.12345)
Added:
01.r 2 ISO/IEC 27799:2016 9.4.3 (1013.01r2System.12345)
Added:
NIST SP 800-171 R2 3.5.7
01.r 2
NIST SP 800-171 R2 Cross Reference NIST SP 800-171 R2 3.5.8 (1013.01r2System.12345)
Added:
01.s 1 ISO/IEC 27799:2016 9.4.4 (11124.01s1Organizational.1)
Added:
01.s 2 ISO/IEC 27799:2016 9.4.4 (11125.01s2Organizational.12)
Updated:
For systems that are publicly positioned, A a time-out Requirement statement updated for clarity
01.t 2 system (e.g., a screen saver) pauses the session N/A (11127.01t2Organizational.1)
screen after two minutes of inactivity and closes
network sessions after 30 minutes of inactivity.
Added:
01.t 1 ISO/IEC 27799:2016 9.4.2 (11126.01t1Organizational.12)
Added:
01.t 2 ISO/IEC 27799:2016 9.4.2 (11127.01t2Organizational.1)
Added:
NIST SP 800-171 r2 3.1.10
01.t 1
NIST SP 800-171 r2 Cross Reference NIST SP 800-171 r2 3.1.11 (11126.01t1Organizational.12)
Added:
01.t 2 NIST SP 800-171 r2 3.13.9 (11127.01t2Organizational.1)
Updated:
The organization requires that users log out when the

time-period of expected inactivity exceeds ninety (90)
minutes and at the end of the user’s normal work
period., and t The information system automatically CMSRs v3.1 AC-02(05) Updated requirement statement due to new CMS ARS 3.1
terminates the network connection at the end of the (HIGH) language
01.t CMS
session; otherwise, the system forcibly (i) disconnects CMSRs v3.1 SC-10 (HIGH; (11128.01tCMSOrganizational.12)
VPN connections after 30 minutes or less of inactivity; MOD)
and (i) de-allocates DHCP leases after 7 consecutive
days of network connectivity or other defined period
AND forcibly disconnects VPN connections after 30
minutes of inactivity or other defined period.
Added:
01.u 1 ISO/IEC 27799:2016 9.4.2 (11131.01u1Organizational.1)
Added:
01.v 1 ISO/IEC 27799:2016 9.4.1 (1129.01v1System.12)
01.v 2 ISO/IEC 27799:2016 9.4.1 (1130.01v2System.1,
ISO/IEC 27799:2016 Cross Reference 1131.01v2System.2)
Added:
NIST Cybersecurity
01.v 2 (1133.01v2System.4)
Added:
01.w 1 ISO/IEC 27799:2016 9.1.1 (08114.01wSRSystem.1)

01.x 1 ISO/IEC 27799:2016 6.2.1 (0401.01x1System.124579,
ISO/IEC 27799:2016 Cross Reference 1309.01x1System.36)
Added:
01.x HIX NIST SP 800-171 r2 3.1.18 (0414.01xHIXOrganizational.1)
Added:
NIST SP 800-171 r2 3.1.18
01.x 1
NIST SP 800-171 r2 Cross Reference NIST SP 800-171 r2 3.1.19 (0401.01x1System.124579)
Added:
01.x 1 NIST SP 800-171 r2 3.1.18 (0403.01x1System.8)
Added:
(0408.01y3Organizational.12
01.y 3 ISO/IEC 27799:2016 6.2.2 0409.01y3Organizational.3,
0416.01y3Organizational.4)
Added:
01.y 1 ISO/IEC 27799:2016 6.2.2 (0405.01y1Organizational.12345678)
Added:
01.y 1 ISO/IEC 27799:2016 6.2.1 (0415.01y1Organizational.10)
Added:
01.y 1 NIST SP 800-171 r2 3.1.13 (0405.01y1Organizational.12345678)
Added:
Added:
Added:
ISO/IEC 27799:2016 6.1.1
02.a 1
Added:
Added:
Updated:
The organization requires that individuals with

significant security responsibilities be assigned and
hold, at a minimum, a Level 5 Public Trust sensitivity Updated requirement statement due to new CMS ARS v3.1
level clearance Tier 2S background investigation as CMSRs v3.1 PS-03 (HIGH; language
02.b CMS
defined in the HHS Personnel Security/Suitability MOD) (0148.02bCMSOrganizational.1)
Handbook; and assigns other individuals with Public
Trust positions the appropriate sensitivity level as
defined in the HHS Personnel Security/Suitability
Handbook.

(01109.02b1Organizational.7,
Added:
0138.02b1Organizational.12,
02.b 1 ISO/IEC 27799:2016 7.1.1 0139.02b1Organizational.3,
0141.02b1Organizational.56)
Added: (0142.02b2Organizational.1234,
ISO/IEC 27799:2016 Cross Reference 0144.02b2Organizational.79,

02.b 3 ISO/IEC 27799:2016 7.1.1 (0146.02b3Organizational.12
ISO/IEC 27799:2016 Cross Reference 0147.02b3Organizational.3)
Added:
02.b 1 NIST SP 800-171 R2 3.9.1 0143.02b2Organizational.56,
NIST SP 800-171 R2 Cross Reference
02.c 2 ISO/IEC 27799:2016 7.1.2 (0152.02c2Organizational.1,
ISO/IEC 27799:2016 Cross Reference 0153.02c2Organizational.23)

Updated:
The organization ensures that individuals requiring

access to organizational information or information Updated requirement statement due to new CMS ARS 3.1
systems sign appropriate access agreements prior to CMSRs v3.1 PS-06 (HIGH; language
02.c CMS
being granted access and re-acknowledge such MOD) (0156.02cCMSOrganizational.23)
agreements when they are updated or within 365
days to maintain access to organizational information
systems.
Updated:
02.c HIPAA 0154.02c2Organizational.4 N/A Updated BUID
0154.02cHIPAAOrganizational.4
Added:
02.d 1 ISO/IEC 27799:2016 7.2.1 (0109.02d1Organizational.4)
Added:
Added:
02.e 1 ISO/IEC 27799:2016 7.2.2 (1301.02e1Organizational.12)
02.e 2 ISO/IEC 27799:2016 7.2.2 (1302.02e2Organizational.134,
ISO/IEC 27799:2016 Cross Reference 1315.02e2Organizational.67)
Added:
NIST SP 800-171 r2 3.2.1
02.e 1 (1301.02e1Organizational.12)
Added:
02.e 1 NIST SP 800-171 r2 3.6.1 (1313.02e1Organizational.3)
Added:
Added:
NIST SP 800-171 r2 3.2.1
02.e 3 (1304.02e3Organizational.1)
Removed:
The organization validates and improves awareness

levels for social engineering through periodic testing
as part of its information security awareness and Removed requirement; as requirement was removed in CIS CSC
training program (e.g., to see whether employees will v7.1
02.e CIS CIS CSC v6 17.4
click on a link from suspicious e-mail or provide (1329.02e2Organizational.10)
sensitive information on the telephone without
following appropriate procedures for authenticating a
caller). The organization provides targeted training to
those individuals that fail testing.
Removed:
The organization uses security skills assessments for
02.e CIS CIS CSC v6 17.5 v7.1
each of the mission-critical roles to identify skills gaps
(1330.02e2Organizational.11)
and hands-on, real-world examples to measure
mastery.
Updated:
1328.02e2Organizational.9 Updated BUID

02.e CIS N/A
1328.02eCISOrganizational.9
Updated:
Title 21 CFR 1335.02e21CFRPart11Organizational.1 Updated BUID

02.e N/A
Part 11
1335.02eCFRPart11Organizational.1
Added:
02.f 2 ISO/IEC 27799:2016 7.2.3 (1503.02f2Organizational.12)

ISO/IEC 27799:2016 Cross Reference 1502.02f1Organizational.4)
Added:
02.f 1 AICPA 2017 CC1.1 (1501.02f1Organizational.123)
AICPA 2017 Cross Reference
Added:
Added:

Added:
(11146.02g2Organizational.1,
02.g 2 ISO/IEC 27799:2016 7.3.1 11147.02g2Organizational.2,
11148.02g2Organizational.3)
Added:
02.g 1 NIST SP 800-171 r2 3.9.2 11144.02g1Organizational.234,

02.g 2 NIST SP 800-171 r2 3.9.2
NIST SP 800-171 r2 Cross Reference 11148.02g2Organizational.3)

02.h 1 ISO/IEC 27799:2016 8.1.4 (11152.02h1Organizational.1,
ISO/IEC 27799:2016 Cross Reference 11153.02h1Organizational.23)
Added:
Added:
02.i 1 ISO/IEC 27799:2016 9.2.6 (11154.02i1Organizational.5,
ISO/IEC 27799:2016 Cross Reference 1135.02i1Organizational.1234)
Added:

02.i 1 NIST SP 800-171 r2 3.9.2 (11154.02i1Organizational.5,
NIST SP 800-171 r2 Cross Reference 1135.02i1Organizational.1234)
Added:
NIST Cybersecurity
NIST Cybersecurity Framework v1.1 Cross Reference Framework v1.1 ID.SC-2
Added:
Added:
The licensee is required to identify reasonably

Necessitates new MyCSF requirement
foreseeable threats; assess the likelihood and
03.a SCIDSA SCIDSA 33-99-20(C) statement industry specific to SCIDSA
possible damage from such threats; assess its
(171203.03aSCIDSAOrganizational.1)
policies, procedures, and systems to manage threats;
and implement safeguards to manage identified
threats.
Removed:
Removed requirement; as requirement was made non-
The organization employs automated mechanisms to
CMSRs 2013v2 CA-5(1) mandatory in CMS ARS v3.1
03.b CMS help ensure that the Plan of Action and Milestones (HIGH) (1729.03cCMSOrganizational.1)
(POA&M) for the information system is accurate, up
to date, and readily available.
Added:
ISO/IEC 27799:2016 12.6.1
03.b 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 17.1.1 (1704.03b1Organizational.12)
Added:
03.b 1 NIST SP 800-171 r2 3.11.1 (1704.03b1Organizational.12)
Added:
Updated:
1706.03b1Organizational.3 Updated BUID

03.b HIPAA N/A
1706.03bHIPAAOrganizational.3
Added:
03.c 2 ISO/IEC 27799:2016 12.7.1 (1708.03c2Organizational.12)
Added:
03.c 1 NIST SP 800-171 r2 3.12.2 (1707.03c1Organizational.12)
Added:

03.d 2 ISO/IEC 27799:2016 12.1.2 (1734.03d2Organizational.1,
ISO/IEC 27799:2016 Cross Reference 1735.03d2Organizational.23)
Added:
03.d 1 NIST SP 800-171 r2 3.11.1 (1733.03d1Organizational.1)

03.d 2 NIST SP 800-171 r2 3.11.1 (1735.03d2Organizational.23,
NIST SP 800-171 r2 Cross Reference 1736.03d2Organizational.4)
Added:
Added:
04.b 1 ISO/IEC 27799:2016 5.1.2 (0114.04b1Organizational.1)
Added:
Added:
Added:
Added:
Added:
Added:
Added:
Added:
Added:
Added:
Added:

Removed:
The appropriate contact information for external

third parties (e.g., an Internet service provider or Removed segment and requirement; as requirement was made
telecommunications operation)--including the non-mandatory in CMS ARS v3.1
05.f CMS CMSRs v3.1 IR-07(02)
instances for which these third parties must be (1745.05f1Organizational.4)
contacted, such as when the organization is under
attack from the Internet--is documented and
communicated.
ISO/IEC 27799:2016 Cross Reference 1744.05f1Organizational.23)
Added:
Added:
ISO/IEC 27799:2016 6.1.3
05.f 2
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 6.1.6 (1747.05f2Organizational.23)
Added:
05.f 1 NIST SP 800-171 r2 3.6.1 (1744.05f1Organizational.23)
Added:
05.f 2 NIST SP 800-171 r2 3.6.2 (1746.05f2Organizational.1)
Added:

05.g 2 ISO/IEC 27799:2016 6.1.4 (1750.05g2Organizational.1,
ISO/IEC 27799:2016 Cross Reference 1751.05g2Organizational.23)
Added:
NIST Cybersecurity
05.g 2 (1751.05g2Organizational.23)
NIST Cybersecurity Framework v1.1 Cross Reference Framework v1.1 RS.AN-5

Added:
(0177.05h1Organizational.12,
05.h 1 ISO/IEC 27799:2016 18.2.1 0178.05h1Organizational.3,
0179.05h1Organizational.4)
Added:
Added:
NIST SP 800-171 r2 3.12.1
05.h 1
NIST SP 800-171 r2 Cross Reference NIST SP 800-171 r2 3.12.3 (0177.05h1Organizational.12)
Added:
Added:
Added:
Added:
05.j 2 ISO/IEC 27799:2016 14.1.2 (1424.05j2Organizational.5)
Added:
Updated:
05.j HIPAA 1420.05j1Organizational.34 N/A Updated BUID
1420.05jHIPAAOrganizational.34
Added: ISO/IEC 27799:2016 7.1.1

ISO/IEC 27799:2016 15.1.1
05.k 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 15.1.2 (1406.05k1Organizational.110)
ISO/IEC 27799:2016 15.1.3
Added:
05.k 1 ISO/IEC 27799:2016 15.1.2 (1428.05k1Organizational.2)
Added:
ISO/IEC 27799:2016 15.1.2
05.k 1
Added:
Added:
NIST Cybersecurity
05.k 2 (1407.05k2Organizational.1)
Added:
ISO/IEC 27799:2016 7.2.2
06.a 1
Added:
ISO/IEC 27799:2016 6.1.4
06.a 2
Added:
Added:


Added:
Updated:
Updated requirement statement for clarity
06.c HIPAA If retained, the organization ensures PHI individually HIPAA § 160.103 (1905.06cHIPAAOrganizational.6)
identifiable information is safeguarded for a period of
50 years following the date of death of the individual.
Updated:
1905.06c1Organizational.6 Updated BUID

06.c HIPAA N/A
1905.06cHIPAAOrganizational.6
Updated:
1908.06.c1Organizational.4 Updated BUID

06.c 1 N/A
1908.06c1Organizational.4

Added: (1901.06d1Organizational.1,
06.d 1 ISO/IEC 27799:2016 18.1.4 1902.06d1Organizational.2,
ISO/IEC 27799:2016 Cross Reference 1903.06d1Organizational.3456711,
1911.06d1Organizational.13)
Added:
Added:
NIST SP 800-171 r2
06.d 1 (1903.06d1Organizational.3456711)
NIST SP 800-171 r2 Cross Reference 3.13.16
Updated:
06.d CIS 19244.06d1Organizational.16 N/A Updated BUID
19244.06dCISOrganizational.16
Added:
Added:
ISO/IEC 27799:2016 18.1.1
06.f 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 18.1.2 (19162.06f1Organizational.12)
Added:
Added:
ISO/IEC 27799:2016 18.2.2
06.g 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 18.2.3 (0601.06g1Organizational.124)
Added:
Added:
Added:
Added:
06.g 2 NIST SP 800-171 r2 3.12.3 (0604.06g2Organizational.2)
Added:
ISO/IEC 27799:2016 18.2.2
06.h 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 18.2.3 (0613.06h1Organizational.12)
Added:
Updated:
The organization uses file integrity checking

mechanisms to detect unauthorized changes to its
master system component images stored on its
secure servers; otherwise ensures these servers are
06.h CIS CIS CSC v7.1 13.3 language
air-gapped from the production network and secure
(0660.06hCISOrganizational.5)
media is used to move them into the production
network. an automated tool on network perimeters
that monitors for unauthorized transfer of sensitive
information and blocks such transfers while alerting
information security professionals.
Removed:
The organization verifies that all authentication files v7.1
06.h CIS CIS CSC v6 16.14
are encrypted or hashed and cannot be accessed (0658.06h1Organizational.3)
without root or administrator privileges.
Updated:
To help determine if a business or technical process is

leaving behind or otherwise leaking covered
information (e.g., PII, PCI), the organization conducts
periodic scans of server machines using automated Updated requirement statement due to new CIS CSC v7.1
tools to determine whether sensitive data is present language
06.h CIS CIS CSC V7.1 14.5
on the system in clear text. The organization utilizes (0659.06hCISOrganizational.4)
an active discovery tool to identify all sensitive
information stored, processed, or transmitted by the
organization's technology systems, including those
located onsite or at a remote service provider and
update the organization's sensitive information
inventory.
Updated:
0659.06h2Organizational.4 Updated BUID

06.h CIS N/A
0659.06hCISOrganizational.4
Updated:
06.h CIS 0660.06h2Organizational.5 N/A Updated BUID
Updated:
0661.06h2Organizational.6 Updated BUID

06.h CIS N/A
Added:
Added:
Added:
Added:
06.j 2 NIST SP 800-171 r2 3.3.9 (1236.06j2Organizational.1,
NIST SP 800-171 r2 Cross Reference 1237.06j2Organizational.23)

07.a 1 ISO/IEC 27799:2016 8.1.1 (0701.07a1Organizational.12,
ISO/IEC 27799:2016 Cross Reference 0720.07a1Organizational.4)
Added:
Removed:
The organization updates its asset inventories
07.a CIS CIS CSC v6 1.3 v7.1
whenever changes to assets occur and new devices
(0759.07a1Organizational.9)
are acquired and approved for connection to the
network.
Updated:
The organization uses If dynamic host configuration

protocol (DHCP) logging on all DHCP or IP address Updated requirement statement due to new CIS CSC v7.1
management tools is used to dynamically assign IP language
07.a CIS CIS CSC v7.1 1.3
addresses, the organization ensures the DHCP server (0760.07aCISOrganizational.10)
logs are used to help detect unknown systems on the
network and to improve the organization’s asset
inventory.
Update:
The organization uses a software inventory tool to

automate the documentation of all software on
business systems, tracking the name, version,
publisher, and install date for all software, including Updated requirement statement due to new CIS CSC v7.1
operating systems unauthorized by the organization. CIS CSC v7.1 2.3 language
07.a CIS
system to track the version of operating system and CIS CSC v7.1 2.4 (0761.07aCISOrganizational.2)
applications installed on its information systems,
including servers, workstations and laptops. The
system is tied into the hardware asset inventory so
that all devices and associated software are
maintained in a single repository.
Updated:
0760.07a1Organizational.10 Updated BUID

07.a CIS N/A
0760.07aCISOrganizational.10
Updated:

07.a CIS N/A
Updated:

07.a CIS N/A
Added:
Added:
Added:
ISO/IEC 27799:2016 8.1.2
07.d 2
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 8.2.1 (1758.07d2Organizational.125)
Added:

ISO/IEC 27799:2016 Cross Reference 1761.07d2Organizational.6)
Added:
ISO/IEC 27799:2016 8.1.1
07.d 2
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 8.1.2 (1762.07d2Organizational.78)
Added:


Added:
07.e 2 ISO/IEC 27799:2016 16.1.7 (19170.07e2Organizational.4)

(19165.07e1Organizational.13,
07.e 1 NIST SP 800-171 r2 3.8.4
NIST SP 800-171 r2 Cross Reference 19166.07e1Organizational.4)
Added:
Added:
Added:
ISO/IEC 27799:2016 11.1.1
08.a 1
Added:

Added:
1832.08a2Organizational.4,

08.b 3 ISO/IEC 27799:2016 11.1.1 (1812.08b3Organizational.46,

Added:

08.b 3 NIST SP 800-171 r2 3.10.5 (1810.08b3Organizational.2,
NIST SP 800-171 r2 Cross Reference 1811.08b3Organizational.3)

08.b 3 NIST SP 800-171 r2 3.10.2 (1812.08b3Organizational.46,
NIST SP 800-171 r2 Cross Reference 1813.08b3Organizational.56)
Added:
Added:
Added:
Added:
Updated:
08104.08bHIXOrganizational.1 Updated BUID

08.b HIX N/A
18104.08bHIXOrganizational.1
Added:

Updated:
Updated to the highest level
NIST SP 800-53 R4 PE-
08.d 3 Fire authorities are automatically notified when a fire (1862.08d3Organizational.3)
13(1)
alarm is activated.
Updated:
08.d 3 1862.08d1Organizational.3 N/A Updated BUID
1862.08d3Organizational.3
Added:
08.e 1 ISO/IEC 27799:2016 11.1.5 1868.08e1Organizational.34,
1869.08e1Organizational.5)
Added:
(1871.08f1Organizational.13,
08.f 1 ISO/IEC 27799:2016 11.1.6 1872.08f1Organizational.2,
1873.08f1Organizational.45)
Added:

Added:
1876.08g1Organizational.2,
1878.08g1Organizational.4,
Added:
ISO/IEC 27799:2016 11.1.4
08.g 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 11.2.1 (1881.08g1Organizational.789)

Added:

Added:
(1892.08h2Organizational.3,
Added:
Added:
Added: (1886.08h1Organizational.12,
ISO/IEC 27799:2016 Cross Reference 1888.08h1Organizational.456,

08.i 1 ISO/IEC 27799:2016 11.2.3 (18100.08i1Organizational.23,
ISO/IEC 27799:2016 Cross Reference 1899.08i1Organizational.1)

(18101.08i2Organizational.1,
Added:
18102.08i2Organizational.23,
08.i 2 ISO/IEC 27799:2016 11.2.3 18103.08i2Organizational.4,
18104.08i2Organizational.56,
18105.08i2Organizational.78)
Added:

Added:
(18101.08i2Organizational.1,
08.i 2 NIST SP 800-171 r2 3.10.2 18102.08i2Organizational.23,
18103.08i2Organizational.4)
Added:
NIST SP 800-171 r2 3.10.1
08.i 2
NIST SP 800-171 r2 Cross Reference NIST SP 800-171 r2 3.10.2 (18105.08i2Organizational.78)
Added:
Added:
(1820.08j2Organizational.1,
08.j 2 ISO/IEC 27799:2016 11.2.4 1821.08j2Organizational.3,
1822.08j2Organizational.2)
Added:
Added:
NIST SP 800-171 r2 3.7.1

08.j 2 NIST SP 800-171 r2 3.7.1 (1821.08j2Organizational.3,
NIST SP 800-171 r2 Cross Reference 1822.08j2Organizational.2)
Added:
Added:
NIST SP 800-171 r2 3.7.2
Added:
Added:
ISO/IEC 27799:2016 6.2.1
08.k 1
Added:
ISO/IEC 27799:2016 6.2.2
08.k 1
Added:
ISO/IEC 27799:2016 6.2
08.k 1
Added:
Added:
08.k 1 NIST SP 800-171 r2 3.10.6 (18124.08k1Organizational.5)

(18127.08l1Organizational.3,
08.l 1 ISO/IEC 27799:2016 11.2.7
ISO/IEC 27799:2016 Cross Reference 1825.08l1Organizational.12456)
Added:

08.m 1 ISO/IEC 27799:2016 11.2.5 (18128.08m1Organizational.12,
ISO/IEC 27799:2016 Cross Reference 18129.08m1Organizational.34)
Added:

Added:
(0191.09a1System.1,
09.a 1 ISO/IEC 27799:2016 12.1.1 0192.09a1System.2,
0193.09a1System.3)
Added:
ISO/IEC 27799:2016 12.4.1
09.aa 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 12.4.2 (1202.09aa1System.1)
Added:
09.aa 1 ISO/IEC 27799:2016 12.4.1 (1203.09aa1System.2)
Added:
ISO/IEC 27799:2016 12.4.1
09.aa 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 12.4.3 (1204.09aa1System.3)

09.aa 3 ISO/IEC 27799:2016 12.4.1 (1208.09aa3System.1,
ISO/IEC 27799:2016 Cross Reference 1209.09aa3System.2)

Added:
(1205.09aa2System.1,
09.aa 2 ISO/IEC 27799:2016 12.4.1 1206.09aa2System.23,
1213.09ab2System.128)
Added:
09.aa 2 ISO/IEC 27799:2016 12.4.2 (1207.09aa2System.4)
Added:
NIST Cybersecurity
09.aa 2 (1206.09aa2System.23)
NIST SP 800-171 r2 3.3.1 (1203.09aa1System.2,
09.aa 1
NIST SP 800-171 r2 Cross Reference NIST SP 800-171 r2 3.3.2 1204.09aa1System.3)
Added:
09.aa 3 NIST SP 800-171 r2 3.3.1 (1208.09aa3System.1)
Added:
NIST SP 800-171 r2 3.3.1
09.aa 3 (1209.09aa3System.2)
Added:
09.aa 2 NIST SP 800-171 r2 3.3.2 (1206.09aa2System.23)
Added:
All records concerning cybersecurity events are statement industry specific to SCIDSA
09.aa SCIDSA SCIDSA 38-99-30(D)
maintained for at least five years from the date of the (121204.09aaSCIDSAOrganizational.1)
event and be available for inspection.
Update:
Systems record logs in a standardized format such as
syslog entries or those outlined by the Common Event
Expression initiative. If systems cannot generate logs in
a standardized format, the organization deploys log Updated requirement statement due to new CIS CSC v7.1
normalization tools to convert logs into such a format. language
09.aa CIS CIS CSC v7.1 6.3
(1281.09aaCISSystem.10)
The organization enables system logging to include
detailed information such as an event source, date,
user, timestamp, source addresses, destination
addresses, and other useful elements.
Updated:
Title 23 NYCRR 12101.09aa23NYCRR500.System.1 Updated BUID

09.aa N/A
Part 500
12101.09aaNYCRR500System.1
Updated:
09.aa CIS 1281.09aa2System.10 N/A Updated BUID
1281.09aaCISSystem.10
Updated:
1282.09aa2System.11 Updated BUID

09.aa CIS N/A
1282.09aaCISSystem.11
Updated:
1284.09ab1System.2 Updated BUID

09.ab CIS N/A
1284.09abCISSystem.2
Updated:
09.ab CIS 1286.09ab2System.11 N/A Updated BUID
Updated:

09.ab CIS N/A
Updated:

09.ab CIS N/A
Updated:
Updated:

09.ab CIS N/A
Updated:
Updated:

09.ab CIS N/A
Updated:

09.ab CIS N/A
Removed:
The organization interconnects and configures CMSRs 2013v2 SI-4(1) Removed requirement; as requirements were made non-
individual intrusion detection tools into a system- (HIGH) mandatory in CMS ARS v3.1
09.ab CMS
wide intrusion detection system (IDS) and employs CMSRs 2013v2 SI-4(3) (11161.09abCMSSystem.34)
automated tools to integrate intrusion detection (HIGH)
tools into access control and flow control
mechanisms.
Added:
09.ab 2 ISO/IEC 27799:2016 12.4.1 (1214.09ab2System.3456)
Added:
09.ab 2 NIST SP 800-171 r2 3.3.3 (1213.09ab2System.128)
Added:
Added:
Added:
Removed:
To help identify covert channels exfiltrating data

through a firewall, the organization configures the
v7.1
09.ab CIS built-in firewall session tracking mechanisms included CIS CSC v6 12.10
(1290.09ab3System.13)
in many commercial firewalls to identify TCP sessions
that last an unusually long time for the given
organization and firewall device, alerting personnel
about the source and destination addresses
Updated:
associated with these long sessions.
The organization monitors the use and attempted use Updated requirement statement due to language change in CIS
09.ab CIS of removable media in the organization's information CIS CSC v7.1 8.4 CSC v7.1
systems. configure devices so that they automatically (1284.09abCISSystem.2)
conduct an anti-malware scan of removable media
when inserted or connected.
Updated:
1294.09ac3System.4 Updated BUID

09.ac CIS N/A
1294.09acCISSystem.4
Added:
ISO/IEC 27799:2016 12.4.2
09.ac 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 12.4.3 (1223.09ac1System.1)
Updated:
Updated requirement statement due to language change in CIS
Audit logs are archived and digitally signed on a
09.ac CIS CIS CSC v7.1 6.4 CSC v7.1
periodic basis. The organization ensures that all
(1294.09acCISSystem.4)
systems that store logs have adequate storage space
for the logs generated.
Added:
ISO/IEC 27799:2016 12.4.1
09.ad 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 12.4.3 (1270.09ad1System.12)
Added:
09.ad 1 ISO/IEC 27799:2016 12.4.3 (1271.09ad1System.1)
Added:
NIST Cybersecurity
09.ad 1 (1270.09ad1System.12)
Added:
09.ad 1 NIST SP 800-171 r2 3.3.2 (1270.09ad1System.12)

09.ae 1 ISO/IEC 27799:2016 12.4.1 (1272.09ae1System.13,
ISO/IEC 27799:2016 Cross Reference 1273.09ae1System.2)
Added:
09.af 1 ISO/IEC 27799:2016 12.4.4 (1226.09af1System.1234)
Added:
09.af 1 NIST SP 800-171 r2 3.3.7 (1226.09af1System.1234)
Updated:
09.af CIS 1295.09af2System.2 N/A Updated BUID
1295.09afCISSystem.2
Added:
09.b 1 ISO/IEC 27799:2016 12.1.2 (0618.09b1System.1)

09.b 2 ISO/IEC 27799:2016 12.1.2 (0619.09b2System.12,
ISO/IEC 27799:2016 Cross Reference 0620.09b2System.3)
Added:
NIST SP 800-171 r2 3.4.4
09.b 2 (0619.09b2System.12)
Added:

(1230.09c2Organizational.1,
Added:
1231.09c2Organizational.23,
09.c 2 ISO/IEC 27799:2016 6.1.2 1276.09c2Organizational.2,
1277.09c2Organizational.4,
1278.09c2Organizational.56)

Added:
(1232.09c3Organizational.12,
09.c 3 ISO/IEC 27799:2016 6.1.2 1233.09c3Organizational.3,
1279.09c3Organizational.4)

09.c 2 NIST SP 800-171 r2 3.1.4 (1231.09c2Organizational.23,
NIST SP 800-171 r2 Cross Reference 1278.09c2Organizational.56)
Added:
Added:
ISO/IEC 27799:2016 12.1.2
09.d 1
Added:
09.d 2 ISO/IEC 27799:2016 12.1.4 (0622.09d2System.1)
Added:
09.e 1 ISO/IEC 27799:2016 15.1.1 (1408.09e1System.1)
Added:
09.e 2 ISO/IEC 27799:2016 15.2.1 (1410.09e2System.23)
Added:
09.f 1 ISO/IEC 27799:2016 15.2.1 (1411.09f1System.1)
Added:
09.f 2 ISO/IEC 27799:2016 15.2.1 (1412.09f2System.12)
Added:
09.f 2 ISO/IEC 27799:2016 13.1.2 (1413.09f2System.3)
Added:
09.f 2 ISO/IEC 27799:2016 15.2.1 (1442.09f2System.456)
Added:
09.g 1 ISO/IEC 27799:2016 15.2.2 (1414.09g1System.1)
Added:
09.g 2 ISO/IEC 27799:2016 15.2.2 (1415.09g2System.12)

09.h 1 ISO/IEC 27799:2016 12.1.3 (1610.09h1System.1,
ISO/IEC 27799:2016 Cross Reference 1611.09h1System.2)
Added:
09.h 2 ISO/IEC 27799:2016 12.1.3 (1612.09h2System.1)
Added:
ISO/IEC 27799:2016 14.2.2
09.i 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 14.2.9 (1769.09i1System.12)
Added:
09.i 2 ISO/IEC 27799:2016 14.2.9 (1771.09i2System.24)

09.i 2 NIST SP 800-171 r2 3.4.4 (1770.09i2System.1,
NIST SP 800-171 r2 Cross Reference 1771.09i2System.24)

09.j 1 ISO/IEC 27799:2016 12.2.1 (0201.09j1Organizational.124,
ISO/IEC 27799:2016 Cross Reference 0214.09j1Organizational.6)
Added:
ISO/IEC 27799:2016 12.2.1
09.j 1
ISO/IEC 27799:2016 Cross Reference ISO/IEC 27799:2016 12.6.2 (1308.09j1Organizational.5)

(0204.09j2Organizational.1,
0205.09j2Organizational.2,
Added:
09.j 2 ISO/IEC 27799:2016 12.2.1 0207.09j2Organizational.56,
0219.09j2Organizational.12)
Added:
Added:
Removed:
The organization uses network-based anti-malware Removed requirement; as requirement was removed in CIS CSC
09.j CIS tools to identify executables in all network traffic and CSI CSC v6 8.5 v7.1
uses techniques other than signature-based detection (0233.09j2Organizational.14)
to identify and filter out malicious content before it
arrives at the endpoint.
Updated:
0231.09j1Organizational.7 Updated BUID

09.j CIS N/A
0231.09jCISOrganizational.7
Updated:
09.j CIS 0232.09j2Organizational.13 N/A Updated BUID
0232.09jCISOrganizational.13
CMSRs 2013v2 SC-3(1)

Removed:
(HIGH) Removed segment and requirement; as requirements were made
CMSRs 2013v2 SC-3(2) non-mandatory in CMS ARS v3.1
09.k CMS Information systems facilitate the implementation of (HIGH) (0229.09kCMSOrganizational.13)
security-function isolation. CMSRs 2013v2 SC-3(3)
(HIGH)
Removed:
CMSRs 2013v2 SC-3(2)
Security functions enforcing access and information (HIGH)
flow control are compartmentalized and isolated CMSRs 2013v2 SC-3(3) Removed segment and requirement; as requirements were made
from each other and from non-security functions in a (HIGH) non-mandatory in CMS ARS v3.1
09.k CMS
layered structure to minimize interactions between CMSRs 2013v2 SC-3(4) (0230.09kCMSOrganizational.245)
layers of the design and avoid any dependence by (HIGH)
lower layers on the functionality or correctness of CMSRs 2013v2 SC-3(5)
higher layers. (HIGH)
Added:

09.k 2 ISO/IEC 27799:2016 12.2.1 (0226.09k1Organizational.2,
ISO/IEC 27799:2016 Cross Reference 0227.09k2Organizational.12)
Added:
Added:
NIST SP 800-171 R2
Added:
NIST SP 800-171 R2

Added:
(1621.09l2Organizational.1,
09.l 2 ISO/IEC 27799:2016 12.3.1 1622.09l2Organizational.23,
1623.09l2Organizational.4)
Added: (1624.09l3Organizational.12,
1625.09l3Organizational.34,
09.l 3 ISO/IEC 27799:2016 12.3.1
ISO/IEC 27799:2016 Cross Reference 1626.09l3Organizational.5,

Added: (1616.09l1Organizational.16,
09.l 1 ISO/IEC 27799:2016 12.3.1 1617.09l1Organizational.23,
ISO/IEC 27799:2016 Cross Reference 1618.09l1Organizational.45,
Added:
09.l 1 ISO/IEC 27799:2016 15.2 (1620.09l1Organizational.8)
Added:
NIST Cybersecurity
09.l 1 (1616.09l1Organizational.16)
Added:
09.l 2 NIST SP 800-171 R2 3.8.9 (1622.09l2Organizational.23)
Added:
09.l 1 NIST SP 800-171 R2 3.8.1 (1618.09l1Organizational.45)
Removed:
Removed requirement; as requirement was revised in CIS CSC
Multiple backups are retained over time, so that in
09.l CIS CIS CSC v6 10.1 v7.1
the event of malware infection, restoration can be
(1687.09l1Organizational.9)
made from a version that is believed to predate the
original infection.
Updated:
The organization automatically backs up each system

on a regular basis on at least a weekly basis, and
more often for systems storing sensitive information.
To help ensure the ability to rapidly restore a system CIS CSC v7.1 10.1 language
09.l CIS from a backup, the operating system, application CIS CSC v7.1 10.2 (1688.09lCISOrganizational.5)
software, and data on a machine is included in the
overall backup procedure. and ensures that each of
the organization's key systems are backed up as a
complete system, through processes such as imaging,
to enable the quick recovery of an entire system.
Updated:
1688.09l2Organizational.5 Updated BUID

09.l CIS N/A
1688.09lCISOrganizational.5
Updated:
Title 23 NYCRR 1699.09l23NYCRR500Organizational.1 Updated BUID

09.l N/A
Part 500
1699.09lNYCRR500Organizational.1
Removed:
Removed requirement; as requirements were removed in CMS
The information system fails securely in the event of CMSRs 2013v2 SC-7(18) ARS v3.1
09.m CMS
an operational failure of a boundary protection (HIGH) (0872.09mCMSOrganizational.1)
device.

ISO/IEC 27799:2016 13.1.2
09.m 2 (0822.09m2Organizational.4)
ISO/IEC 27799:2016 13.1.3
Added:
09.m 2 ISO/IEC 27799:2016 13.1.2
(0863.09m2Organizational.910)
Added:
09.m 3
ISO/IEC 27799:2016 13.1.3 (0825.09m3Organizational.23)

(0826.09m3Organizational.45,
0827.09m3Organizational.6,
Added: 0829.09m3Organizational.911,
09.m 3 ISO/IEC 27799:2016 13.1.1 0830.09m3Organizational.1012,
ISO/IEC 27799:2016 Cross Reference 0832.09m3Organizational.14,
0871.09m3Organizational.22)
Added:
09.m 3
ISO/IEC 27799:2016 13.1.3 (0870.09m3Organizational.20)
Added:
09.m 1
NIST SP 800-171 r2 3.1.17 (0502.09m1Organizational.5)
Added:
09.m 2 NIST SP 800-171 r2 3.13.6 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (0504.09m2Organizational.5)
Added:
Added:
Added:
09.m 2
NIST SP 800-171 r2 3.13.11 (099.09m2Organizational.11)
Added:
Added:
Added:
Updated:
In addition to URL filtering, The organization denies Updated requirement statement due to new CIS CSC v7.1
09.m CIS CIS CSC v7.1 12.3 language
communications with known malicious or unused IP
addresses (blacklists), or and limits access only to (0958.09mCISOrganizational.16)
trusted sites (whitelists).
Updated:
Updated:
Updated:
Updated:
Updated:
Added:
09.n 1 ISO/IEC 27799:2016 13.1.2 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0835.09n1Organizational.1)
Added:
NIST Cybersecurity Consistent with existing content
09.n 1
Framework v1.1 ID.SC-1 (0835.09n1Organizational.1)
NIST Cybersecurity Framework v1.1 Cross Reference
Added:
09.n 2
Framework v1.1 ID.SC-3 (0888.09n2Organizational.6)
Removed:
CMSRs 2013v2 MP-5(3) Removed requirement; as requirements were made non-
09.o CMS mandatory in CMS ARS v3.1
The organization employs an identified custodian during (HIGH)
transport of CMS information system media. (0310.09oCMSOrganizational.1)
Added:
09.o 2 ISO/IEC 27799:2016 8.3.1 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0302.09o2Organizational.1)
Added:
Added:
Added:
09.o 2 NIST SP 800-171 r2 3.8.5 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (0302.09o2Organizational.1)
Added:
Added:
Updated:
The organization limits the use of removable media to

those with a valid business need. If there is no business
need for supporting the use of removable media, the
organization configures systems so that they will not
write data to such devices. If such devices are required, Updated requirement statement due to new CIS CSC v7.1
09.o CIS language
the organization (i) configures systems to allow only CIS CSC v7.1 13.7
specific USB devices (based on serial number or other (0330.09oCISOrganizational.22)
unique property) to be accessed and (ii) automatically
configures devices so that they automatically conduct an
anti-malware scan of removable media when inserted or
connected encrypts all data placed on such devices,
(e.g., through the use of third-party software).
Updated:
The organization employs an approved method of Updated requirement statement due to new CMS ARS 3.1
CMSRs v3.1 MP-04 (HIGH;
09.o CMS cryptography to protect PII at rest, consistent with NIST language
MOD)
SP 800-66 guidance and, If PII is recorded on magnetic (19177.09oCMSOrganizational.4)
media with other data, it is protected as if it were
entirely personally identifiable information.
Updated:
09.o CIS 0330.09o3Organizational.2 N/A Updated BUID
0330.09oCISOrganizational.2

09.p 1 ISO/IEC 27799:2016 8.3.2 (18130.09p1Organizational.24,
ISO/IEC 27799:2016 Cross Reference 18131.09p1Organizational.3,
1826.09p1Organizational.1)
Added:
09.p 2 ISO/IEC 27799:2016 8.3.2 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (1827.09p2Organizational.1)
Added:
09.p 1 NIST SP 800-171 r2 3.8.2 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (18130.09p1Organizational.24)

09.p 1 NIST SP 800-171 r2 3.8.3 (18131.09p1Organizational.3,
NIST SP 800-171 r2 Cross Reference 1826.09p1Organizational.1)
Added:
09.q 1 ISO/IEC 27799:2016 8.2.3 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0305.09q1Organizational.12)
Added:
09.q 2 ISO/IEC 27799:2016 8.2.3 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0307.09q2Organizational.12)
Added:
NIST SP 800-171 R2 3.8.1 Consistent with existing content
09.q 1
NIST SP 800-171 R2 3.8.4 (0305.09q1Organizational.12)
Added:
09.q 2 NIST SP 800-171 r2 3.8.5 Consistent with existing content
NIST SP 800-171 R2 Cross Reference (0307.09q2Organizational.12)
Added:
09.q 3
NIST SP 800-171 r2 3.8.6 (0314.09q3Organizational.2)

09.s 1 ISO/IEC 27799:2016 13.2.1 (0901.09s1Organizational.1,
ISO/IEC 27799:2016 Cross Reference 1325.09s1Organizational.3)
Added:
09.s 1 NIST SP 800-171 r2 3.1.20 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (0911.09s1Organizational.2)
Added:
Added:
Added:
Added:
09.s 2
NIST SP 800-171 r2 3.1.21 (0915.09s2Organizational.2)
Added:

09.t 1 ISO/IEC 27799:2016 13.2.2 (1444.09t1Organizational.12,
ISO/IEC 27799:2016 Cross Reference 1445.09t1Organizational.3)
Removed:
The organization employs an identified custodian

throughout the transport of information system media CMSRs 2013v2 MP-5(3) Removed requirement; as requirements were made non-
09.u CMS mandatory in CMS ARS v3.1
outside of controlled areas; and custodial (HIGH)
responsibilities are only transferred from one individual (0327.09uCMSOrganizational.45)
to another if an unambiguous custodian is identified at
all times.

09.u 1 ISO/IEC 27799:2016 8.3.3 (0320.09u1Organizational.1,
ISO/IEC 27799:2016 Cross Reference 0321.09u1Organizational.2)

09.u 2 ISO/IEC 27799:2016 8.3.3 (0322.09u2Organizational.12,
ISO/IEC 27799:2016 Cross Reference 0323.09u2Organizational.3)
Added:
09.u 1 NIST SP 800-171 r2 3.8.5 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (0320.09u1Organizational.1)

NIST SP 800-171 r2 3.8.5
09.u 2 (0322.09u2Organizational.12,
NIST SP 800-171 r2 3.8.6
NIST SP 800-171 r2 Cross Reference 0323.09u2Organizational.3)

09.v 1 ISO/IEC 27799:2016 13.2.3 (0925.09v1Organizational.1,
ISO/IEC 27799:2016 Cross Reference 0926.09v1Organizational.2,
0927.09v1Organizational.3)
Added:
09.v 1 NIST SP 800-171 r2 3.13.8 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (0928.09v1Organizational.45)
Added:
09.w 2 ISO/IEC 27799:2016 13.1.3 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0935.09w2Organizational.3)
Added:
09.w 2
NIST SP 800-171 r2 3.4.2 (0936.09w2Organizational.4)

09.x 2 ISO/IEC 27799:2016 14.1.2 (0939.09x2Organizational.12,
ISO/IEC 27799:2016 Cross Reference 0940.09x2Organizational.3,
0941.09x2Organizational.4)

09.y 1 ISO/IEC 27799:2016 14.1.3 (0943.09y1Organizational.1,
ISO/IEC 27799:2016 Cross Reference 0944.09y1Organizational.2,

Added: (0946.09y2Organizational.14,
09.y 2 ISO/IEC 27799:2016 14.1.3 0947.09y2Organizational.2,
ISO/IEC 27799:2016 Cross Reference 0948.09y2Organizational.3,
Added:
09.y 1 NIST SP 800-171 r2 3.13.8 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (0945.09y1Organizational.3)
Added:
09.z 3 ISO/IEC 27799:2016 14.1.2 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (19184.09z3Organizational.12)
Added:
09.z 3
Framework v1.1 PR.DS-8 (19184.09z3Organizational.12)

09.z 2 NIST SP 800-171 r2 3.1.22 (19180.09z2Organizational.12,
NIST SP 800-171 r2 Cross Reference 19181.09z2Organizational.345)
Updated:
Each contract and Statement of Work (SOW) that

requires development or access to CMS information
include language requiring adherence to CMS security Updated requirement statement due to new CMS ARS v3.1
10.a CMS CMSRs v3.1 SA-04 (HIGH) language
and privacy policies and standards, define security roles
and responsibilities, and receive approval from CMS (17103.10aCMSOrganizational.2)
officials. The organization requires that contracts include
the standard CMS information security and privacy
contract language.

Added: 1782.10a1Organizational.4,
ISO/IEC 27799:2016 Cross Reference 1784.10a1Organizational.7,
Added:
10.a 2 ISO/IEC 27799:2016 14.2.6 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (1788.10a2Organizational.2)
Added:
Added:
ISO/IEC 27799:2016 14.1.1

Added:
10.a 2
ISO/IEC 27799:2016 14.2.6 (1792.10a2Organizational.7814)
ISO/IEC 27799:2016 14.2.8
Added:
10.a 2

ISO/IEC 27799:2016 Cross Reference 1795.10a2Organizational.13,
Added:
10.a 2 NIST SP 800-171 r2 3.13.2 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (1789.10a2Organizational.3)
Updated:
The organization manages the information system using

a formally defined and documented system Updated requirement statement due to new CMS ARS 3.1
CMSRs v3.1 SA-03 (HIGH;
10.a CMS development life cycle (SDLC) process the information language
MOD)
security steps of IEEE 12207.0 standard for SDLC, as (17102.10aCMSOrganizational.1)
provided in the CMS eXpedited Life Cycle (XLC) that
incorporates information security control
considerations.
Updated:
The organization reviews the development process,

standards, tools, and tool options/configurations at least Updated requirement statement due to new CMS ARS 3.1
CMSRs v3.1 SA-15 (HIGH;
10.a CMS every three years within every three hundred and sixty- language
MOD)
five (365) days to determine if the process, standards, (17105.10aCMSOrganizational.4)
tools, and tool options/configurations selected and
employed satisfy all applicable System Acquisition (SA)
and Configuration Management (CM) security controls.
Updated:
The organization tests all systems that are part of critical

business processes for proper configuration and Updated requirement statement due to language change in CIS
10.b CIS application-level vulnerabilities prior to deployment. For CIS CSC v7.1 18.11 CSC v7.1
applications that rely on a database, the organization (0763.10bCISSystem.5)
uses standard hardening configuration templates. All
systems that are part of critical business processes
should also be tested.
Updated:
10.b CIS 0763.10b2System.5 N/A Updated BUID
0763.10bCISSystem.5
Updated:
10.b CIS 0764.10b2System.6 N/A Updated BUID
0764.10bCISSystem.6
Updated:
The information system provides automated

CMSRs v3.1 SI-07(02)
mechanisms to support the management of distributed Updated requirement statement due to new CMS ARS v3.1
(HIGH)
10.c CMS security function testing and automatically implements language
CMSRs v3.1 SI-07(05)
security safeguards (defined in the applicable security (19196.10cCMSSystem.35)
(HIGH)
plan) when integrity violations are discovered, and
automated tools provide notification upon the discovery
of discrepancies during integrity verification.
Added:
10.c 2
Framework v1.1 PR.DS-8 (0625.10c2System.8)

10.d 1 ISO/IEC 27799:2016 10.1.1 (0954.10d1System.1,
Added:
10.d 1 NIST SP 800-171 r2 3.13.15 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (0954.10d1System.1)
Added:
10.e 1 ISO/IEC 27799:2016 14.2.5 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (19199.10e1System.12)
Added:
ISO/IEC 27799:2016 Cross Reference (19200.10e2System.1)
Added:
10.f 2 ISO/IEC 27799:2016 10.1.1 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0904.10f2Organizational.1)
Added:
10.f 1 ISO/IEC 27799:2016 10.1.1 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0903.10f1Organizational.1)
Updated:
Title 21 CFR
10.f 0963.10f21CFRPart11Organizational.1 N/A Updated BUID
Part 11
0963.10fCFRPart11Organizational.1
Added:
10.g 1 ISO/IEC 27799:2016 10.1.2 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0905.10g1Organizational.12)

10.g 2 ISO/IEC 27799:2016 10.1.2 (0906.10g2Organizational.13,
ISO/IEC 27799:2016 Cross Reference 0907.10g2Organizational.2,
Added:
10.g 2 NIST SP 800-171 r2 3.13.10 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (0906.10g2Organizational.13)
Updated:
The organization employs automated mechanisms to

respond to unauthorized changes to network and
system security-related configuration settings. The CMSRs v3.1 CM-06(02) Updated requirement statement due to new CMS ARS v3.1
10.h CMS language
organization responds to unauthorized changes to (HIGH)
information system and components by alerting (0631.10hCMSSystem.1)
responsible actors (person, organization), restoring to
the approved configuration, and halting system
processing as warranted.
10.h 1 ISO/IEC 27799:2016 12.5.1 (0605.10h1System.12,
ISO/IEC 27799:2016 Cross Reference 0626.10h1System.3,
0627.10h1System.45)

Added: (0606.10h2System.1,
10.h 2 ISO/IEC 27799:2016 12.5.1 0607.10h2System.23,
ISO/IEC 27799:2016 Cross Reference 0629.10h2System.45,
0630.10h2System.6)
Added:
10.h 1 NIST SP 800-171 r2 3.4.4 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (0605.10h1System.12)
Added:
10.h 1
NIST SP 800-171 r2 3.4.2 (0627.10h1System.45)
Updated:
The organization ensures that only authorized limits the Updated requirement statement due to new CIS CSC v7.1
10.h CIS use of unnecessary scripting languages are able to run in CIS CSC v7.1 7.3 language
all web browsers and email clients. This includes the use (0665.10hCISSystem.8)
of languages such as ActiveX and JavaScript on systems
where it is unnecessary to support such capabilities.
Updated:
The organization's maintains an up-to-date list of Updated requirement statement due to new CIS CSC v7.1
10.h CIS authorized software and version (whitelist) that is CIS CSC v7.1 2.1 language
required in the enterprise for any business purpose on (0666.10hCISSystem.1)
any business system. is monitored by file integrity
checking tools to validate the list has not been modified.
Removed:
The organization deploys two separate browser

configurations to each system. One configuration is used
for general Web browsing, disables the use of all plugins Removed segment and requirement; as requirement was
10.h CIS CSI CSC v6 2.2 removed in CIS CSC v7.1
and unnecessary scripting languages, and is generally
configured with limited functionality. The other (0668.10h3System.3)
configuration allows for more browser functionality but
is only used to access specific websites that require the
use of such functionality.
Updated:
10.h CIS 0664.10h2System.7 N/A Updated BUID
0664.10hCISSystem.7
Updated:
0665.10hCISSystem.8
Updated:
0666.10hCISSystem.1
Updated:
0667.10hCISSystem.2
10.i 1 ISO/IEC 27799:2016 14.3.1 (19204.10i1System.1,
ISO/IEC 27799:2016 Cross Reference 19205.10i1System.2)
Added:
10.i 2 ISO/IEC 27799:2016 14.3.1
(19206.10i2System.1,
19207.10i2System.2)
Removed:
For in-house developed applications, the organization Removed segment and requirement; as requirement was
10.i CIS ensures that development artifacts (sample data and CIS CSC v6 18.9 removed in CIS CSC v7.1
scripts; unused libraries, components, debug code; or (19247.10i2Organizational.3)
tools) are not included in the deployed software, or
accessible in the production environment.
Added:
10.j 1 ISO/IEC 27799:2016 9.4.5 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0633.10j1System.1)
Added:
10.j 2 ISO/IEC 27799:2016 9.4.5 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0634.10j2System.12)
Update:
HHS-specific minimum security configurations are used

for the following operating systems (OSs) and
applications: HHS FDCC Windows XP Standard, HHS
FDCC Windows Vista Standard, Blackberry Server, and
Websense; and for all other OSs and applications and to
resolve configuration conflicts among multiple security Updated requirement statement due to new CMS ARS v3.1
CMSRs v3.1 CM-06 (HIGH;
10.k CMS guidelines, the organization uses the CMS hierarchy for language
MOD)
implementing security configuration guidelines. for the (0645.10kCMSOrganizational.12)
following OS and Applications: HHS approved USGCB
Windows Standards (e.g., Microsoft supported versions
only), Blackberry Server - Websense; and for all other
OS’s and applications, and to resolve configuration
conflicts among multiple security guidelines, the CMS
hierarchy for implementing security configuration
guidelines.
Removed:
10.k CMS The organization maintains a baseline configuration for CMSRs v3.1 CM-02(06) mandatory in CMS ARS v3.1
development and test environments that is managed (0646.10kCMSOrganizational.3)
separately from the operational baseline configuration.
Updated:
The organization reviews information system changes Updated requirement statement due to new CMS ARS v3.1
CMSRs v3.1 CM-05(02)
10.k CMS weekly and when indications so warrant, to determine language
(HIGH)
whether unauthorized changes may have occurred. (0648.10kCMSOrganizational.5)
unauthorized changes or unexpected levels of system
performance are indicated.
Added:
10.k 1
ISO/IEC 27799:2016 14.2.6 (0635.10k1Organizational.12)
Added:
10.k 2 ISO/IEC 27799:2016 14.2.2 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0636.10k2Organizational.1)
Added:
10.k 2
ISO/IEC 27799:2016 14.2.4 (0637.10k2Organizational.2,
ISO/IEC 27799:2016 Cross Reference 0638.10k2Organizational.34569)
Added:
10.k 2
ISO/IEC 27799:2016 14.2.7 (0640.10k2Organizational.1012)
Added:
10.k 2 ISO/IEC 27799:2016 14.2.2 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0641.10k2Organizational.11)
Added:
10.k 2
NIST SP 800-171 r2 3.4.5 (0638.10k2Organizational.34569)

NIST SP 800-171 r2 3.4.1
10.k 3 (0642.10k3Organizational.12,
NIST SP 800-171 r2 3.4.2
NIST SP 800-171 r2 Cross Reference 0643.10k3Organizational.3)
Updated:
10.k CIS 0673.10k3System.6 N/A Updated BUID
0673.10kCISSystem.6
Removed:
The organization requires that all information systems

meet a level of security functionality and security
assurance that is sufficient to preserve the CMSRs 2013v2 SA-13 (non Removed requirement; as requirement was made non-
10.l CMS mandatory in CMS ARS v3.1
confidentiality, integrity, and availability of the mandatory)
information being processed, stored, or transmitted by (1449.10lCMSOrganizational.2)
the system by establishing system trustworthiness
objectives as part of the security authorization by
following the CMS eXpedited Life Cycle (XLC).
Added:
10.l 1 ISO/IEC 27799:2016 14.2.7 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (1416.10l1Organizational.1)
Added:
10.l 2 ISO/IEC 27799:2016 14.2.7 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (1417.10l2Organizational.1)
Updated:
The organization conducts regular penetration testing,

no less than every three hundred sixty-five (365) days,
on defined information systems or system components
to identify vulnerabilities and attack vectors that can be
used to successfully exploit enterprise systems.
Penetration testing occurs from outside the network
perimeter (i.e., the Internet or wireless frequencies
around an organization) as well as from within its
boundaries (i.e., on the internal network) to simulate
both outsider and insider attacks. This includes tests for
the presence of unprotected system information and
artifacts that would be useful to attackers, including
network diagrams, configuration files, older penetration Updated requirement statement due to new CMS ARS v3.1
CMSRs v3.1 CA-08 (HIGH;
10.m CMS test reports, emails or documents containing passwords language
MOD)
or other information critical to system operation. both (0746.10mCMSOrganizational.6)
internal and external penetration testing, within every
365 days, on defined information systems or system
components (defined in the applicable system security
plan), or whenever there has been a significant change
to the system. As a minimum, penetration testing must
be conducted to determine: (i) how well the system
tolerates real world-style attack patterns; (ii) the likely
level of sophistication an attacker needs to successfully
compromise the system; (iii) additional
countermeasures that could mitigate threats against the
system; and, (iv) defenders’ ability to detect attacks and
respond appropriately. Penetration testing is required
under OMB M-17-09 for all systems defined as High
Value Assets (HVAs).
Added:
10.m 1 ISO/IEC 27799:2016 12.6.1 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (0709.10m1Organizational.1)

ISO/IEC 27799:2016 Cross Reference 0713.10m2Organizational.5,
0714.10m2Organizational.7)
Added:
Added:
Added:
Added:
Updated:
Patches are applied to all systems, even systems that are

properly air gapped. Updated requirement statement due to new CIS CSC v7.1
10.m CIS CIS CSC v7.1 3.4 language
The organization deploys automated software update (0766.10mCISSystem.4)
tools in order to ensure that the operating systems are
running the most recent security updates provided by
the software vendor.
Removed:
The organization correlates event logs with information Removed requirement; as requirement was removed in CIS CSC
10.m CIS from its vulnerability scanning tools to verify the activity CIS CSC v6 4.1 v7.1
of the regular vulnerability scanning tools is itself logged (0775.10m3System.16)
and whether a given exploit was used against a target
known by the organization to be vulnerable.
Removed:
The organization monitors logs associated with any Removed requirement; as requirement was removed in CIS CSC
10.m CIS CIS CSC v6 4.6 v7.1
scanning activity and associated administrator accounts
to ensure this activity is limited to the timeframes of (0777.10m3System.18)
legitimate scans.
Updated:
The organization regularly compare the results from

consecutive vulnerability scans to verify that
vulnerabilities have been remediated in a timely
manner. compares the results from back-to-back
vulnerability scans to verify that vulnerabilities were Updated requirement statement due to new CIS CSC v7.1
10.m CIS addressed either by patching, implementing a CIS CSC v7.1 3.6 language
compensating control, or documenting and accepting a (0778.10mCISSystem.19)
reasonable business risk. Such acceptance of business
risks for existing vulnerabilities are periodically reviewed
to determine if newer compensating controls or
subsequent patches can address vulnerabilities that
were previously accepted, or if conditions have changed,
increasing the risk.
Updated:
The organization establishes a program for penetration

tests that includes a full scope of blended attacks, such
as wireless, client-based, and web application attacks.
provides clear goals for penetration tests (e.g., to
address blended attacks and identifying potential goal Updated requirement statement due to language change in CIS
10.m CIS CIS CSC v7.1 20.1 CSC v7.1
machines or target assets). The organization's testing
addresses APT-style attacks deploying multiple vectors— (0768.10mCISSystem.9)
often social engineering combined with web or network
exploitation. The organization's Red Team manual or
automated testing also captures pivoted and multi-
vector attacks to provide a more realistic assessment of
security posture and risk to critical assets.
Updated:
The organization utilizes an up-to-date uses a Security

Content Automation Protocol (SCAP)-compliant -
validated vulnerability scannering tool to automatically
scan all systems on the network on a weekly or more Updated requirement statement due to language change in CIS
frequent basis to identify all potential vulnerabilities on
the organization's systems. that looks for both code- (0773.10mCISSystem.14)
based vulnerabilities (such as those described by
Common Vulnerabilities and Exposures entries) and
configuration-based vulnerabilities (as enumerated by
the Common Configuration Enumeration Project).
Updated:
Vulnerability scanning is performed in authenticated

mode either with local agents running on each endpoint
to analyze the security configuration or with remote
scanners that are given administrative rights on the
system being tested. The organization uses a A Updated requirement statement due to language change in CIS
dedicated account—which is tied to specific machines at
specific IP addresses and not used for any other (0774.10mCISSystem.15)
administrative activities— to authenticate vulnerability
scans. Only authorized employees have access to
vulnerability management tools and/or the
management interface, and roles are applied to each
user.
Updated
The organization ensures new vulnerabilities and threats

are addressed when updating secure system
(component) standards and images.
10.m CIS
CIS CSC v7.1 5.1 Updated requirement statement due to change in CIS CSC v7.1
The organization documents security configuration (0772.10mCISSystem.13)
standards for all authorized operating systems and
software.
Updated:
10.m CIS 0765.10m1System.3 N/A Updated BUID
0765.10mCISSystem.3
Updated:
0766.10mCISSystem.4
Updated:
0767.10mCISSystem.8
Updated:
0768.10mCISSystem.9
Updated:
0769.10mCISSystem.10
Updated:
Updated:
Updated:
Updated:
Updated:
Updated:
Updated:
Added:
Businesses are required to notify consumers if there is New requirement in new segment.
11.a CCPA unauthorized access to the consumer's non-encrypted CCPA 1798.150(a) Necessitates new MyCSF requirement
or non-redacted personal information due to the statement industry specific to CCPA.
business's lack of sufficient security controls. (111015.11aCCPAOrganizational.1)
Updated:
The organization requires personnel to report suspected

security incidents actual or suspected security and Updated requirement statement due to new CMS ARS v3.1
11.a CMS CMSRs v3.1 IR-06 (HIGH) language
privacy incidents to the organizational incident response
capability within the timeframe established in the (1531.11aCMSOrganizational.1)
current CMS Incident Handling and Breach Notification
Standard.
Added:
Added:
Added: ISO/IEC 27799:2016 16.1.1


Added:
Added: ISO/IEC 27799:2016 7.2.2

Added:
11.a 2
Added:
Added:
Added:
11.a 2 NIST SP 800-171 r2 3.6.2 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (1508.11a2Organizational.1)

11.a 2 NIST SP 800-171 r2 3.6.1 (1509.11a2Organizational.236,
NIST SP 800-171 r2 Cross Reference 1511.11a2Organizational.5)
Added:
The licensee is required to report, at least annually, the Necessitates new MyCSF requirement
11.a SCIDSA SCIDSA 33-99-20(E)
overall status and compliance of the information statement industry specific to SCIDSA
security program, and any matters relevant to the (151205.11aSCIDSAOrganizational.1)
program (e.g., risk assessments, events, violations, etc.).
Added;
The licensee is required to notify the director no later

than 72 hours after notification of a cybersecurity event
if: (i) South Carolina is the licensee's state of domicile, or Necessitates new MyCSF requirement
11.a SCIDSA SCIDSA 38-99-40(A) statement industry specific to SCIDSA
the licensee's home state in the case of a producer; or,
(ii) the licensee has reason to believe the information (151206.11aSCIDSAOrganizational.1)
involved in the event involves no less than 250
consumers residing in the State and there's reasonable
likelihood of harm to consumers residing in the State.
Added:
The licensee provides, in electronic form, as much

information as possible regarding the event, including Necessitates new MyCSF requirement
11.a SCIDSA but not limited to: (i) the date of the event; (ii) a SCIDSA 38-99-40(B) statement industry specific to SCIDSA
description what information was breached and how the (151207.11aSCIDSAOrganizational.2)
information was breached; (iii) how the event was
discovered; and, (iv) the number of total consumers in
the state affected by the event.
Added:
11.a SCIDSA The licensee provides notice of the security breach to SCIDSA 38-99-40(C) statement industry specific to SCIDSA
consumers residing in the State and whose information (151208.11aSCIDSAOrganizational.3)
was affected by the breach.
Added:
11.a 1 SCIDSA 33-99-20(H) Consistent with existing content
Added:
11.a 2 SCIDSA 33-99-20(H) Consistent with existing content
Updated:
Title 23 NYCRR
11.a 1594.11a23NYCRR500Organizational.1 N/A Updated BUID
Part 500

Added:
11.b 2 ISO/IEC 27799:2016 16.1.3 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (1537.11b2Organizational.1)
Added:
11.b 2
Framework v1.1 RS.AN-5 (1537.11b2Organizational.1)
Removed:
Removed segment and requirement; as requirement was made
11.c CMS The organization employs automated mechanisms to CMSRs v3.1 IR-03(01) non-mandatory in CMS ARS v3.1
more thoroughly and effectively test/exercise the (1549.11cCMSOrganizational.1)
incident response capability.
Added:
11.c 1
ISO/IEC 27799:2016 16.1.5 (1516.11c1Organizational.12)
Added:
11.c 1 ISO/IEC 27799:2016 16.1.1 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (1517.11c1Organizational.3)

Added:
11.c 3
Added:
11.c 3
Added:
11.c 2
Framework v1.1 ID.SC-5 (1521.11c2Organizational.56)
Added:
11.c 2 NIST SP 800-171 r2 3.6.1 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (1518.11c2Organizational.13)
Added:
Added:
11.c 3
NIST SP 800-171 r2 3.6.2 (1522.11c3Organizational.13)
Added:
Added:
SCIDSA 38-99-30(A) Necessitates new MyCSF requirement
11.c SCIDSA Upon notification of a cybersecurity event, the licensee SCIDSA 38-99-30(B) statement industry specific to SCIDSA
must conduct a prompt and thorough investigation of SCIDSA 38-99-30(C) (151205.11cSCIDSAOrganizational.1)
the event.
Added:
11.c 2 AICPA 2017 P6.3 Consistent with existing content
AICPA 2017 Cross Reference (1519.11c2Organizational.2)
Added:
Plan and conduct routine incident response exercises

and scenarios for the workforce involved in the incident New requirement.
11.c CIS response to maintain awareness and comfort in CIS CSC v7.1 19.7 Necessitates new MyCSF requirement
responding to real world threats. Exercises should test statement specific to CIS CSC. (1585.11cCISOrganizational.58)
communication channels, decision making, and incident
responders technical capabilities using tools and data
available to them.
Added:
11.d 1 ISO/IEC 27799:2016 16.11.6 Consistent with existing content
ISO/IEC 27799:2016 Cross Reference (1560.11d1Organizational.1)
Added:
11.d 2 NIST SP 800-171 R2 3.6.1 Consistent with existing content
NIST SP 800-171 R2 Cross Reference (1561.11d2Organizational.14)
Added:
ISO/IEC 27799:2016 Cross Reference (1569.11e1Organizational.12)

ISO/IEC 27799:2016 Cross Reference 1571.11e2Organizational.2,
Added:
11.e 2
ISO/IEC 27799:2016 16.1.7 (1574.11e2Organizational.7)
Added:
Added:
Added:
Added:
Added:
Added:
12.b 1
Framework v1.1 PR.PT-5 (1635.12b1Organizational.2)
Added:
12.b 2 NIST SP 800-171 r2 3.11.1 Consistent with existing content
NIST SP 800-171 r2 Cross Reference (1638.12b2Organizational.345)
Updated:
CMSRs v3.1 CP-02(05)
The organization uses a sample of backup information in Updated requirement statement due to new CMS ARS v3.1
(HIGH)
12.c CMS the restoration of selected information system functions language
CMSRs v3.1 CP-09(02)
and includes a full recovery and reconstitution of the (1656.12cCMSOrganizational.810)
(HIGH)
information system to a known state as part of
contingency plan testing.
Added:
Added:
Added:
Added:
12.c 2
ISO/IEC 27799:2016 17.1.2 (1604.12c2Organizational.16789,

Added: (1666.12d1Organizational.1235,
12.d 1 ISO/IEC 27799:2016 17.1.2 1667.12d1Organizational.4,

Removed:
12.e CMS The organization includes a full recovery and CMSRs v3.1 CP-04(04) mandatory in CMS ARS v3.1
reconstitution of the information system to a known (1685.12eCMSOrganizational.2)
state as part of contingency plan testing.

Added: (1679.12e2Organizational.1,
1682.12e2Organizational.6,

Added: 1674.12e1Organizational.2,
1677.12e1Organizational.6,
Added:
12.e 2
Framework v1.1 ID.SC-5 (1679.12e2Organizational.1)
Added:
12.e 1
Framework v1.1 ID.SC-5 (1673.12e1Organizational.1)
Updated:
13.a GDPR 19300.13aGDPROrganiational.2 N/A Updated BUID
19300.13aGDPROrganizational.2
Added:
New requirement in new segment.
13.b CCPA Businesses are required to notify consumers of their CCPA 1798.105(b) Necessitates new MyCSF requirement
right to request deletion. statement industry specific to CCPA.
(191003.13bCCPAOrganizational.1)
Added:
Businesses that sell information or disclose it for a New requirement in new segment.
13.b CCPA business purpose are required to disclose in their notice CCPA 1798.115(c) Necessitates new MyCSF requirement
to consumers the categories of personal information it statement industry specific to CCPA.
has sold and/or disclosed for a business purpose or that (191005.13bCCPAOrganizational.2)
it has not sold and/or disclosed any.
Added:
13.b CCPA Businesses that sell information to third-parties are CCPA 1798.120(b) Necessitates new MyCSF requirement
required to disclose in their notice to consumers that statement industry specific to CCPA.
they have the right to opt-out. (191007.13bCCPAOrganizational.3)
Added:
Before offering financial incentives to consumers, New requirement in new segment.

13.b CCPA businesses are required to provide notice of the CCPA 1798.125(b) Necessitates new MyCSF requirement
incentives, receive the consumer’s opt-in to the statement industry specific to CCPA.
program, and not use incentives that are unjust or (191010.13bCCPAOrganizational.4)
unreasonable.
Added:
Businesses are required to: (i) provide notices to

consumers in a reasonably accessible form that includes
information on how to submit requests for information.
Businesses must provide a toll-free number to request
information unless all business is conducted online and a
web address to do so if the business maintains a
website; (ii) respond to verified consumer requests
within 45 days of receipt, which may be extended an
additional 45 days if reasonably necessary, the time
period to respond to a consumer request may be
extended by an additional 90 days if the requests are New requirement in new segment.
CCPA 1798.130(a) Necessitates new MyCSF requirement
13.b CCPA complex or numerous so long as the consumer is
CCPA 1798.145(g) statement industry specific to CCPA.
notified of the delay within 45 days of receiving the
request, disclosures should cover the 12-month period (191011.13bCCPAOrganizational.5)
prior to the request—if the business decides not to
honor a consumer request, it must tell the consumer
without delay, informing the consumer why their
request was not honored and notifying them of any
appeal processes, businesses may charge a reasonable
fee based on related administrative costs for excessive
or unfounded requests, but they must be able to show
the requests are excessive or unfounded; and, (iii)
provide access promptly and free of charge through the
consumer’s account or by mail or electronically in a
readily useable format that allows for data portability.
Added:
If the business has an online privacy notice, it is required

to include: (i) a description of the consumer rights under
1798.110, 115, and 125 and one or more designated
methods for submitting requests; (ii) a list of categories New requirement in new segment.
of information it has collected about consumers in the Necessitates new MyCSF requirement
13.b CCPA CCPA 1798.130(a)(5)
preceding 12-month period, as outlined in 1798.110(c); statement industry specific to CCPA.
and, (iii) a list of categories of information it has sold (191012.13bCCPAOrganizational.6)
and/or disclosed about the consumers in the preceding
12-month period, as outlined in 1798.115(c); if no
information has been sold and/or disclosed for a
business purpose during that time period, the business
should say so in the notice.
Added:
Businesses which sells personal information to third-

parties are required to provide a reasonably accessible
notice to consumers that: (i) Provides a clear and
conspicuous link on its website homepage, titled “Do
Not Sell My Personal Information”, which enables the
consumer, or person authorized, to opt-out of the sale
of personal information. The business may not require a
consumer to open an account to exercise their opt-out New requirement in new segment.
13.b CCPA right; (ii) Include a description of the consumer’s rights CCPA 1798.135(a) Necessitates new MyCSF requirement
and a separate link to the “Do Not Sell My Personal statement industry specific to CCPA.
Information” webpage in its online privacy notice or in (191013.13bCCPAOrganizational.7)
any California-specific privacy notice; (iii) Ensure that
anyone who handles consumer inquiries knows the
relevant requirements; (iv) Refrain from selling
information of a consumer who has opted-out; (v)
Respect the consumer’s decision to opt-out for at least
12 before seeking authorization to selling information
again; and, (vi) Use personal information provided in an
opt-out request only for complying with the request.
CCPA cross reference
Added:
13.b 1 CCPA 1798.100(b) Consistent with existing content
CCPA Cross Reference (19315.13b1Organizational.2)
Added:
13.b 1 CCPA 1798.110(a) Consistent with existing content
CCPA Cross Reference (19315.13b1Organizational.2)
Added:
13.d CCPA Third-parties are required to obtain explicit consumer CCPA 1798.115(d) Necessitates new MyCSF requirement
consent before selling personal information that has statement industry specific to CCPA.
been sold to them by a business. (191006.13dCCPAOrganizational.1)
Added:
Business obtain consent (opt-in) from consumers under

16 before information may be sold. The consent is New requirement in new segment.
required from the consumer if the consumer is between Necessitates new MyCSF requirement
13.d CCPA CCPA 1798.120(c)
13 and 16, or from the parent or guardian if the statement industry specific to CCPA.
consumer is younger than 13. Businesses that willfully (191008.13dCCPAOrganizational.2)
disregard age information shall be considered to know
that the consumer has the right to opt-in.
Added:
Businesses ensure that consumers who exercise any of New requirement in new segment.
13.e CCPA their rights are not discriminated against through pricing CCPA 1798.125(a) Necessitates new MyCSF requirement
or quality of goods or services. Businesses may charge a statement industry specific to CCPA.
consumer a different rate if it is reasonably related to (191009.13eCCPAOrganizational.1)
the value to the consumer of the consumer’s data.
Added:
The business provide consumers, in response to a New requirement in new segment.

13.f CCPA verified request, the right to request the categories of CCPA 1798.100(a) Necessitates new MyCSF requirement
personal information collected about them, as well as statement industry specific to CCPA.
the actual personal information collected about the (191001.13fCCPAOrganizational.1)
consumer.
Added:
After receiving a verifiable consumer request, the

business is required to provide the consumer access to
their personal information promptly and free of charge.
The personal information must be delivered via the CCPA 1798.100(c) Necessitates new MyCSF requirement
13.f CCPA statement industry specific to CCPA.
consumer's account, mail, or electronically. If provided CCPA 1798.100(d)
electronically, the personal information must be (191002.13fCCPAOrganizational.2)
portable, and to the extent feasible, in a readily useable
format. Businesses are not required to provide access to
the personal information more than twice in any 12-
month period.
Added:
Businesses that sell personal information or disclose it

for a business purpose provide consumers the right to
request. Upon receipt of a verifiable consumer request, New requirement in new segment.
the business will disclose the categories of personal CCPA 1798.115(a) Necessitates new MyCSF requirement
13.f CCPA
information collected about them, the categories of CCPA 1798.115(b) statement industry specific to CCPA.
personal information that was sold or disclosed for a (191004.13fCCPAOrganizational.3)
business purpose, the categories of third-parties to
whom the personal information was sold, and what
categories of personal information were sold to which
types of third-parties.
Added:
13.f 1 CCPA 1798.100(c) Consistent with existing content
CCPA Cross Reference (19371.13f1Organizational.4)
Added:
13.f 1 CCPA 1798.105(c) Consistent with existing content
CCPA Cross Reference (19375.13f1Organizational.8)
Updated:
13.g GDPR 19406.13fGDPROrganizational.6 N/A Updated BUID
19406.13gGDPROrganizational.6
Updated:
Personal Data
13.g 19408.13fPDPAOrganizational.2 N/A Updated BUID
Protection Act
19408.13gPDPAOrganizational.2
Added:
13.l 1 AICPA 2017 P4.3 Consistent with existing content
AICPA 2017 Cross Reference (19494.13l1Organizational.2)
Added:
13.n 1 CCPA 1798.105(a) Consistent with existing content
CCPA Cross Reference (19498.13n1Organizational.1)
Added:
13.t CCPA Businesses ensure that individuals responsible for CCPA 1798.130(a)(6) Necessitates new MyCSF requirement
handling consumer inquiries are aware of all relevant statement industry specific to CCPA.
requirements. (191014.13tCCPAOrganizational.1)

CSF v9.3 Summary of Changes PDF

Uploaded by

Copyright:

Available Formats

CSF v9.3 Summary of Changes PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CSF v9.3 Summary of Changes PDF

Uploaded by

Copyright:

Available Formats

What changes were made to the HITRUST CSF?

What changes were made to the HITRUST CSF?

What regulatory requirements were incorporated in this version of the HITRUST CSF?

What regulatory requirements were incorporated in this version of the HITRUST CSF?

Version 9.

Licensees have a formal information security program

Title 23 NYCRR 01112.00a23NYCRR500.Organizational.1 Updated BUID

Title 23 NYCRR 01113.00a23NYCRR500.Organizational.2 Updated BUID

Title 23 NYCRR 01114.00a23NYCRR500.Organizational.3 Updated BUID

Title 23 NYCRR 01115.00a23NYCRR500.Organizational.4 Updated BUID

Title 23 NYCRR 01116.00a23NYCRR500.Organizational.5 Updated BUID

Consistent with existing content

Added: Consistent with existing content

Added: Consistent with existing content

Remote access to privileged functions, e.g., server,

The organization uses automated tools to inventory

Administrators are required to access a system using

11182.01c3System.8 Updated BUID

11183.01c3System.9 Updated BUID

01.c CIS 11184.01c3System.10 N/A Updated BUID

Added: Consistent with existing content

The information system for password-based

01.d CIS 1023.01d2System.6 N/A Updated BUID

1028.01PCISystem.4 Updated BUID

Added: Consistent with existing content

11185.01e1System.3 Updated BUID

11186.01e2System.3 Updated BUID

The organization requires all remote login access

The organization identifies defined software

1192.01l1Organizational.1 Updated BUID

The organization uses virtual machines and/or air-

01.m CIS 0893.01m1Organizational.4 N/A Updated BUID

0892.01m1Organizational.3 Updated BUID

01.m CIS 0895.01m2Organizational.8 N/A Updated BUID

0896.01m2Organizational.9 Updated BUID

0897.01m2Organizational.10 Updated BUID

The organization configures all network switches for

0899.01o2Organizational.4 Updated BUID

The organization configures the information system

Added: Consistent with existing content

Where multi-factor authentication is not supported

11188.01q2Organizational.8 Updated BUID

01.q CIS 11189.01q2Organizational.8 N/A Updated BUID

1126.01q2System.PCI Updated BUID

The organization requires that users log out when the

Added: Consistent with existing content

The organization requires that individuals with

Consistent with existing content

Added: Consistent with existing content

Added: Consistent with existing content

The organization ensures that individuals requiring

02.c HIPAA 0154.02c2Organizational.4 N/A Updated BUID

The organization validates and improves awareness

1328.02e2Organizational.9 Updated BUID

Title 21 CFR 1335.02e21CFRPart11Organizational.1 Updated BUID

Added: Consistent with existing content

Consistent with existing content

Added: Consistent with existing content

Added: Consistent with existing content