Cybersecurity Framework vPA 092813


Step 1 - Start with Tab [Evidence-based Priority Critical Controls] applied to critical infrastructure (scope)
         *From SANS CAG
         Or implement Tab [Evidence-based Priority Controls]
         Or implement complete CSF Controls in Tab [Framework Core vPA]
Step 2 - Assess Security Index using the next Tab [Security Index]
Step 3 - Use Tab [Risk Register] to align controls application and roadmap with priorities based on risk.
Step 4 - Keep applying complete controls in Tab [Framework Core] based on overall risk and cost benefit analysis.
Step 5 - Assess Security Index using the next Tab [Security Index]
Step 6 - Repeat Step 1 and be vigilant.

*Tab [Evidence-based Priority Controls] will be subject to change based on guidance from DHS and controls failures analysis organizations.

Have fun. Get it done. Defend our country.


Security is Everyone's Job. Think Risk.
Stop.Think.Connect.
Thanks,
Phil Agcaoili

Released publicly on 10/10/2013 aka Day 240 since EO 13,636 and PPD-21 were issued and the day this was due by NIST.
The Internet never sleeps and neither does the security community.


Function | Category | Subcategory
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER

*Based on the Cloud Security Alliance Cloud Controls Matrix (CCM) v1.4 with minor updates and NIST outline and Discussion Draft CSF groupings
https://cloudsecurityalliance.org/cm

**Hit [2] Tab in order to see completed version of CSF. Tab [1] only displays the base framework of the Cybersecurity Framework highlighting the Core Security Frameworks, associated core Industrial Controls and Privacy frameworks and standards that are auditable and/or have associated certifications in the industry.

Informative Reference columns:
Critical Infrastructure Sectors
Core Security Frameworks (NIST): Description | ISO/IEC 27001:2005 | COBIT 4.1 | SP 800-53 R3 | CCS CSC
Supplemental Specialized Security Frameworks:
  IACS Security Standard: ISA 99 | NERC CIP | IEC 62443
  Privacy Standards: GAPP (Aug 2009)
  AICPA Trust Service Criteria (SOC 2 Report) | AICPA TS Map
Evidence-based, Prioritized Key Controls (Based on Controls Failures)
  Key: HISPI Top 20 ISO 27001 Controls Failures | Verizon DBIR | CCS CSC / Aus DSD Sweet Spot


Evidence-based, Prioritized Key Controls (22)

Function | Category | Subcategory
IDENTIFY | Data Governance | Classification
IDENTIFY | Data Governance | Handling / Labeling / Security Policy
IDENTIFY | Compliance | Information System Regulatory Mapping
PROTECT | Security Architecture | Data Integrity
PROTECT | Security Architecture | Network Security
PROTECT | Security Architecture | Audit Logging / Intrusion Detection
PROTECT | Release Management | Production Changes
DETECT | Information Security | Policy
DETECT | Information Security | User Access Reviews
DETECT | Information Security | Training / Awareness
DETECT | Information Security | Management Oversight
DETECT | Information Security | User Responsibility
DETECT | Information Security | Workspace
DETECT | Information Security | Encryption
DETECT | Information Security | Vulnerability / Patch Management
DETECT | Information Security | Anti-Virus / Malicious Software
DETECT | Information Security | Incident Reporting
DETECT | Information Security | Incident Response Legal Preparation
DETECT | Information Security | eCommerce Transactions
DETECT | Information Security | Portable / Mobile Devices
RESPOND | Operations Management | Policy
RECOVER | Information Security | Incident Management

*Based on the Cloud Security Alliance Cloud Controls Matrix (CCM) with minor updates and NIST outline and Discussion Draft CSF groupings
**See next tab over for evidence on how these 22 controls were identified.
***This tab will be subject to change based on guidance from DHS and controls failures analysis organizations.

Core Security Frameworks (Informative References), one entry per priority control in the order listed above:
Description | ISO/IEC 27001:2005 | COBIT 4.1 | NIST SP 800-53 R3 | CCS CSC

[1] Classification (IDENTIFY)
Description: Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.
ISO/IEC 27001:2005: A.7.2.1
COBIT 4.1: PO 2.3, DS 11.6
NIST SP 800-53 R3: RA-2, AC-4
CCS CSC: -

[2] Handling / Labeling / Security Policy (IDENTIFY)
Description: Policies and procedures shall be established for labeling, handling and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
ISO/IEC 27001:2005: A.7.2.2, A.10.7.1, A.10.7.3, A.10.8.1
COBIT 4.1: PO 2.3, DS 11.6
NIST SP 800-53 R3: AC-16, MP-1, MP-3, PE-16, SI-12, SC-9
CCS CSC: -

[3] Information System Regulatory Mapping (IDENTIFY)
Description: Statutory, regulatory, and contractual requirements shall be defined for all elements of the information system. The organization's approach to meet known requirements, and adapt to new mandates, shall be explicitly defined, documented, and kept up to date for each information system element in the organization. Information system elements may include data, objects, applications, infrastructure and hardware. Each element may be assigned a legislative domain and jurisdiction to facilitate proper compliance mapping.
ISO/IEC 27001:2005: Clause 4.2.1 b) 2), Clause 4.2.1 c) 1), Clause 4.2.1 g), Clause 4.2.3 d) 6), Clause 4.3.3, Clause 5.2.1 a)-f), Clause 7.3 c) 4), A.7.2.1, A.15.1.1, A.15.1.3, A.15.1.4, A.15.1.6
COBIT 4.1: ME 3.1
NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PM-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SI-1
CCS CSC: CSC 4, CSC 20
[4] Data Integrity (PROTECT)
Description: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data.
ISO/IEC 27001:2005: A.10.9.2, A.10.9.3, A.12.2.1, A.12.2.2, A.12.2.3, A.12.2.4, A.12.6.1, A.15.2.1
COBIT 4.1: -
NIST SP 800-53 R3: SI-10, SI-11, SI-2, SI-3, SI-4, SI-6, SI-7, SI-9
CCS CSC: -
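
The control names two distinct routines, edit checks on each record and reconciliation of the batch, and a practitioner usually wants to see both wired together. The following is an added example, not code from the original workbook: it edit-checks a constructed inbound feed, then reconciles the sender's control totals (record count, amount total, hash total) against what was actually accepted, so silent drops or corruption surface as mismatches. The field names, the account-number format and the trailer layout are assumptions.

```python
"""Edit checks and batch reconciliation for an application interface.

Added example, not code from the original workbook. Feed records, the
trailer and the account-number format below are constructed for the demo.
"""
import re
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^[A-Z]{2}\d{6}$")  # assumed account-number format


def edit_check(records):
    """Field-level edit checks. Returns (accepted_records, rejections)."""
    accepted, rejected, seen = [], [], set()
    for n, rec in enumerate(records, start=1):
        try:
            amount = Decimal(rec["amount"])  # Decimal, never float, for money
        except (InvalidOperation, KeyError, TypeError):
            rejected.append((n, "amount missing or not numeric"))
            continue
        if not ACCOUNT_RE.match(rec.get("account", "")):
            rejected.append((n, "account fails format check"))
            continue
        if amount <= 0:
            rejected.append((n, "amount must be positive"))
            continue
        if rec["txn_id"] in seen:
            rejected.append((n, "duplicate txn_id in batch"))
            continue
        seen.add(rec["txn_id"])
        accepted.append({**rec, "amount": amount})
    return accepted, rejected


def control_totals(records):
    """Count, amount total and a hash total over the numeric part of the account."""
    return {
        "record_count": len(records),
        "amount_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"][2:]) for r in records),
    }


def reconcile(trailer, loaded):
    """Compare the sender's trailer totals with what was loaded; list mismatches."""
    got = control_totals(loaded)
    expected = {
        "record_count": int(trailer["record_count"]),
        "amount_total": Decimal(trailer["amount_total"]),
        "hash_total": int(trailer["hash_total"]),
    }
    return [
        f"{k}: sender {expected[k]} vs loaded {got[k]}"
        for k in ("record_count", "amount_total", "hash_total")
        if expected[k] != got[k]
    ]


# Constructed inbound batch: two good records, three that must be rejected.
BATCH = [
    {"txn_id": "T1", "account": "AB000123", "amount": "100.00"},
    {"txn_id": "T2", "account": "AB000456", "amount": "50.50"},
    {"txn_id": "T3", "account": "ab999", "amount": "10.00"},     # bad account
    {"txn_id": "T2", "account": "AB000789", "amount": "25.00"},  # duplicate id
    {"txn_id": "T5", "account": "AB000321", "amount": "-5"},     # non-positive
]
# Trailer the sender attached to the batch (constructed): it describes all five.
TRAILER = {"record_count": 5, "amount_total": "180.50", "hash_total": 2688}


def run_batch(records=BATCH, trailer=TRAILER):
    """Edit-check the batch, then reconcile; anything returned must be investigated."""
    accepted, rejected = edit_check(records)
    return {"accepted": len(accepted), "rejected": rejected,
            "mismatches": reconcile(trailer, accepted)}


if __name__ == "__main__":
    for k, v in run_batch().items():
        print(k, v)
```

The reconciliation deliberately runs on the accepted set, not the raw feed: a batch whose rejections were never reported back to the sender would otherwise look clean, and the three mismatches it produces are the evidence an auditor expects to see logged.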
[5] Network Security (PROTECT)
Description: Network environments shall be designed and configured to restrict connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams must clearly identify high-risk environments and data flows that may have regulatory compliance impacts.
ISO/IEC 27001:2005: A.10.6.1, A.10.6.2, A.10.9.1, A.10.10.2, A.11.4.1, A.11.4.5, A.11.4.6, A.11.4.7, A.15.1.4
COBIT 4.1: -
NIST SP 800-53 R3: SC-7
CCS CSC: -
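
The periodic review this control asks for is mechanical enough to script: every allowed service must have a documented justification, and every allowed insecure protocol must additionally have a compensating control on record. The following is an added example, not code from the original workbook. The rule lines, the justification register and the one-line rule syntax ("allow <proto> <src> -> <dst> <port>") are constructed stand-ins for whatever your platform exports (iptables-save, a vendor "show run", cloud security-group JSON), so parse_rule is the part to adapt; the list of insecure services is likewise an assumption.

```python
"""Review firewall allow rules against the documented service justification.

Added example, not from the original workbook. Rules, register and the
insecure-service list are constructed; adapt parse_rule to your export.
"""

# Services treated as insecure unless a compensating control is documented
# (assumed list; extend it for your environment).
INSECURE_SERVICES = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("tcp", 80): "http",
    ("udp", 161): "snmp v1/v2c",
}

# Constructed ruleset in the assumed one-line syntax.
RULES = """\
allow tcp any -> dmz 443      # public web
allow tcp any -> dmz 80       # redirect to https
allow tcp corp -> dmz 22      # admin ssh
allow tcp any -> dmz 23       # nobody remembers why
allow udp corp -> dmz 161     # monitoring
deny  ip  any -> any
"""

# Constructed justification register, keyed by (protocol, port).
JUSTIFICATION = {
    ("tcp", 443): {"owner": "web team", "reason": "customer HTTPS"},
    ("tcp", 80): {"owner": "web team", "reason": "HTTP-to-HTTPS redirect only",
                  "compensating": "no content served; 301 to HTTPS"},
    ("tcp", 22): {"owner": "ops", "reason": "admin SSH from corporate range"},
    ("udp", 161): {"owner": "ops", "reason": "SNMP polling from monitoring"},
}


def parse_rule(line):
    """Parse one rule line; returns None for blanks, comments or malformed lines."""
    body = line.split("#", 1)[0].split()
    if len(body) < 5 or body[3] != "->":
        return None
    return {
        "action": body[0],
        "proto": body[1],
        "src": body[2],
        "dst": body[4],
        "port": int(body[5]) if len(body) > 5 else None,
    }


def review(rules_text, register, insecure=INSECURE_SERVICES):
    """Return (rule_line, severity, message) for every allow rule needing attention."""
    findings = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["action"] != "allow":
            continue
        key = (rule["proto"], rule["port"])
        entry = register.get(key)
        from_untrusted = rule["src"] == "any"   # "any" is the untrusted side here
        if entry is None:
            findings.append((line.strip(), "high",
                             "allowed service has no documented business justification"))
        if key in insecure and (entry is None or not entry.get("compensating")):
            findings.append((line.strip(), "high" if from_untrusted else "medium",
                             f"insecure protocol ({insecure[key]}) allowed "
                             "without a compensating control"))
    return findings


if __name__ == "__main__":
    for line, sev, msg in review(RULES, JUSTIFICATION):
        print(f"[{sev}] {msg}: {line}")
```

Run against the constructed data it reports the telnet rule twice (undocumented, and insecure from an untrusted source) and the SNMP rule once (justified, but no compensating control), while HTTP passes because its redirect-only compensating control is on record. That is the distinction the control draws: justification alone is not enough for a protocol on the insecure list.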
[6] Audit Logging / Intrusion Detection (PROTECT)
Description: Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.
ISO/IEC 27001:2005: A.10.10.1, A.10.10.2, A.10.10.3, A.10.10.4, A.10.10.5, A.11.2.2, A.11.5.4, A.11.6.1, A.13.1.1, A.13.2.3, A.15.2.2, A.15.1.3
COBIT 4.1: DS5.5, DS5.6, DS9.2
NIST SP 800-53 R3: AU-1, AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, AU-14, SI-4
CCS CSC: CSC 1, CSC 2
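
The host file-integrity piece of this control is the part most often left to a product; the mechanism underneath is small enough to show in full. The following is an added example, not code from the original workbook: it baselines a directory tree (content hash, permission bits, size per regular file) and later reports what was added, removed, modified or had its mode changed. It builds a throwaway tree so it runs offline; the paths it creates and the tampering it simulates are constructed. In use you would baseline real paths such as /etc, keep the baseline off-host or signed, and run verify() from the daily review job.

```python
"""Host file-integrity monitoring: baseline, then detect added/removed/modified files.

Added example, not from the original workbook. Builds a throwaway directory
tree so it runs offline; the files and the tampering are constructed.
"""
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Snapshot every regular file under root: {relpath: {sha256, mode, size}}."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = {"sha256": _sha256(path),
                         "mode": oct(stat.S_IMODE(st.st_mode)),
                         "size": st.st_size}
    return snap


def verify(root, stored):
    """Compare the live tree with a stored baseline; return (kind, relpath) findings."""
    live = baseline(root)
    findings = []
    for rel in sorted(set(stored) | set(live)):
        old, new = stored.get(rel), live.get(rel)
        if old is None:
            findings.append(("added", rel))
        elif new is None:
            findings.append(("removed", rel))
        elif old["sha256"] != new["sha256"]:
            findings.append(("modified", rel))
        elif old["mode"] != new["mode"]:
            findings.append(("mode-changed", rel))
    return findings


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Baseline a constructed tree, tamper with it, and report what verify() sees."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "bin/ls", "ELF...")
        stored = json.loads(json.dumps(baseline(root)))  # round-trip as if read from disk
        # Simulated tampering after the baseline was taken.
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")   # modified
        _write(root, "etc/cron.d/backdoor", "* * * * * root /tmp/x\n")  # added
        os.remove(os.path.join(root, "bin", "ls"))                       # removed
        os.chmod(os.path.join(root, "etc", "passwd"), 0o4755)            # setuid bit set
        return verify(root, stored)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:13s} {rel}")
```

Two design points carry over to production use: the baseline is compared by content hash first and mode second, so a file that is both rewritten and re-permissioned is reported once as modified rather than twice; and the baseline must live somewhere the host cannot rewrite, otherwise an attacker who gains root simply re-baselines, which is the same reason the control restricts access to the logs themselves.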
[7] Production Changes (PROTECT)
Description: Changes to the production environment shall be documented, tested and approved prior to implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, service packs, and other updates and modifications.
ISO/IEC 27001:2005: A.10.1.4, A.12.5.1, A.12.5.2
COBIT 4.1: AI6.1, AI7.6
NIST SP 800-53 R3: CA-1, CA-6, CA-7, CM-2, CM-3, CM-5, CM-6, CM-9, PL-2, PL-5, SI-2, SI-6, SI-7
CCS CSC: CSC 1, CSC 2

[8] Policy (DETECT)
Description: Management shall approve a formal information security policy document which shall be communicated and published to employees, contractors and other relevant external parties. The Information Security Policy shall establish the direction of the organization and align to best practices, regulatory, federal/state and international laws where applicable. The Information Security Policy shall be supported by a strategic plan and a security program with well defined roles and responsibilities for leadership and officer roles.
ISO/IEC 27001:2005: Clause 4.2.1, Clause 5, A.5.1.1, A.8.2.2
COBIT 4.1: DS5.2
NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, SA-1, SC-1, SI-1
CCS CSC: CSC 1

[9] User Access Reviews (DETECT)
Description: All levels of user access shall be reviewed by management at planned intervals and documented. For access violations identified, remediation must follow documented access control policies and procedures.
ISO/IEC 27001:2005: A.11.2.4
COBIT 4.1: DS5.3, DS5.4
NIST SP 800-53 R3: AC-2, AU-6, PM-10, PS-6, PS-7
CCS CSC: -
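
A periodic access review has two outputs: an exception list (accounts that should not exist or should not have what they have) and a per-manager packet for the documented sign-off. The following is an added example, not code from the original workbook. The HR roster, the account export, the privileged-group list and the 90-day dormancy threshold are constructed; in practice the roster comes from the HR system, the accounts from a directory export, and the packets go out for attestation.

```python
"""Periodic user-access review: reconcile accounts with HR and flag exceptions.

Added example, not from the original workbook. All data below is constructed.
"""
from datetime import date, timedelta

TODAY = date(2013, 10, 10)

# Constructed HR roster: employee_id -> record.
HR = {
    "1001": {"name": "alice", "status": "active", "manager": "M-1"},
    "1002": {"name": "bob", "status": "terminated", "manager": "M-1"},
    "1003": {"name": "dave", "status": "active", "manager": "M-1"},
    "1004": {"name": "erin", "status": "active", "manager": "M-2"},
    "1005": {"name": "frank", "status": "active", "manager": "M-2"},
}

# Constructed account export. Service accounts carry an owner instead of an employee_id.
ACCOUNTS = [
    {"user": "alice", "employee_id": "1001", "enabled": True,
     "last_login": TODAY - timedelta(days=3), "groups": ["staff"]},
    {"user": "bob", "employee_id": "1002", "enabled": True,
     "last_login": TODAY - timedelta(days=40), "groups": ["staff"]},
    {"user": "carol", "employee_id": "9999", "enabled": True,
     "last_login": TODAY - timedelta(days=1), "groups": ["staff"]},
    {"user": "dave", "employee_id": "1003", "enabled": True,
     "last_login": TODAY - timedelta(days=120), "groups": ["staff"]},
    {"user": "erin", "employee_id": "1004", "enabled": True,
     "last_login": TODAY - timedelta(days=2), "groups": ["Domain Admins"],
     "privileged_approval": None},
    {"user": "frank", "employee_id": "1005", "enabled": True,
     "last_login": TODAY - timedelta(days=7), "groups": ["db-admins"],
     "privileged_approval": "CHG-2013-118"},
    {"user": "svc_backup", "employee_id": None, "owner": "1001", "enabled": True,
     "last_login": TODAY, "groups": ["backup-operators"]},
    {"user": "svc_legacy", "employee_id": None, "owner": "1002", "enabled": True,
     "last_login": TODAY - timedelta(days=200), "groups": ["staff"]},
]

PRIVILEGED_GROUPS = {"Domain Admins", "db-admins", "fw-admins"}


def review_access(accounts, hr, privileged_groups, today=TODAY, dormant_days=90):
    """Return (user, finding, detail) for every enabled account that breaks a review rule."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts are out of scope for this pass
        person = hr.get(a["employee_id"]) if a["employee_id"] else None
        if a["employee_id"] and person is None:
            findings.append((a["user"], "orphan", "no matching HR record"))
        elif person and person["status"] == "terminated":
            findings.append((a["user"], "terminated-active",
                             "HR shows leaver; account still enabled"))
        if a["employee_id"] is None:  # service account: owner must be an active employee
            owner = hr.get(a.get("owner"))
            if owner is None or owner["status"] != "active":
                findings.append((a["user"], "service-owner-invalid",
                                 "service account owner is not an active employee"))
        if (today - a["last_login"]).days > dormant_days:
            findings.append((a["user"], "dormant", f"no login in {dormant_days} days"))
        if set(a["groups"]) & privileged_groups and not a.get("privileged_approval"):
            findings.append((a["user"], "privileged-unapproved",
                             "privileged group membership without an approval record"))
    return sorted(findings)


def attestation_packets(accounts, hr):
    """Group accounts by the manager who must review and sign off on them."""
    packets = {}
    for a in accounts:
        person = hr.get(a["employee_id"] or a.get("owner"))
        manager = person["manager"] if person else "unassigned"
        packets.setdefault(manager, []).append(a["user"])
    return packets


if __name__ == "__main__":
    for user, kind, detail in review_access(ACCOUNTS, HR, PRIVILEGED_GROUPS):
        print(f"{user:12s} {kind:24s} {detail}")
    print(attestation_packets(ACCOUNTS, HR))
```

The "unassigned" packet is not a bookkeeping leftover: an account nobody will attest to (carol here) is exactly the kind of orphan the DBIR evidence behind this control points at, and it should be the first thing the reviewer reads.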
[10] Training / Awareness (DETECT)
Description: A security awareness training program shall be established for all contractors, third party users and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, process and policies, relating to their function relative to the organization.
ISO/IEC 27001:2005: Clause 5.2.2, A.8.2.2
COBIT 4.1: PO 7.4
NIST SP 800-53 R3: AT-1, AT-2, AT-3, AT-4
CCS CSC: -

[11] Management Oversight (DETECT)
Description: Managers are responsible for maintaining awareness of and complying with security policies, procedures and standards that are relevant to their area of responsibility.
ISO/IEC 27001:2005: Clause 5.2.2, A.8.2.1, A.8.2.2, A.11.2.4, A.15.2.1
COBIT 4.1: DS5.3, DS5.4, DS5.5
NIST SP 800-53 R3: AT-2, AT-3, CA-1, CA-5, CA-6, CA-7, PM-10
CCS CSC: CSC 15

[12] User Responsibility (DETECT)
Description: Users shall be made aware of their responsibilities for:
• Maintaining awareness and compliance with published security policies, procedures, standards and applicable regulatory requirements
• Maintaining a safe and secure working environment
• Leaving unattended equipment in a secure manner
ISO/IEC 27001:2005: Clause 5.2.2, A.8.2.2, A.11.3.1, A.11.3.2
COBIT 4.1: PO 4.6
NIST SP 800-53 R3: AT-2, AT-3, AT-4, PL-4
CCS CSC: CSC 9, CSC 10, CSC 11, CSC 12, CSC 14, CSC 15, CSC 16, CSC 17, CSC 18, CSC 19

[13] Workspace (DETECT)
Description: Policies and procedures shall be established for clearing visible documents containing sensitive data when a workspace is unattended and enforcement of workstation session logout for a period of inactivity.
ISO/IEC 27001:2005: Clause 5.2.2, A.8.2.2, A.9.1.5, A.11.3.1, A.11.3.2, A.11.3.3
COBIT 4.1: -
NIST SP 800-53 R3: AC-11, MP-2, MP-3, MP-4
CCS CSC: -

[14] Encryption (DETECT)
Description: Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging).
ISO/IEC 27001:2005: A.10.6.1, A.10.8.3, A.10.8.4, A.10.9.2, A.10.9.3, A.12.3.1, A.15.1.3, A.15.1.4
COBIT 4.1: DS5.8, DS5.10, DS5.11
NIST SP 800-53 R3: AC-18, IA-3, IA-7, SC-7, SC-8, SC-9, SC-13, SC-16, SC-23, SI-8
CCS CSC: -

[15] Vulnerability / Patch Management (DETECT)
Description: Policies and procedures shall be established and mechanisms implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner, taking a risk-based approach for prioritizing critical patches.
ISO/IEC 27001:2005: A.12.5.1, A.12.5.2, A.12.6.1
COBIT 4.1: AI6.1, AI3.3, DS5.9
NIST SP 800-53 R3: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5
CCS CSC: -

[16] Anti-Virus / Malicious Software (DETECT)
Description: Ensure that all antivirus programs are capable of detecting, removing, and protecting against all known types of malicious or unauthorized software with antivirus signature updates at least every 12 hours.
ISO/IEC 27001:2005: A.10.4.1
COBIT 4.1: DS5.9
NIST SP 800-53 R3: SA-7, SC-5, SI-3, SI-5, SI-7, SI-8
CCS CSC: -

[17] Incident Reporting (DETECT)
Description: Contractors, employees and third party users shall be made aware of their responsibility to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.
ISO/IEC 27001:2005: Clause 4.3.3, Clause 5.2.2, A.6.1.3, A.8.2.1, A.8.2.2, A.13.1.1, A.13.1.2, A.13.2.1
COBIT 4.1: DS5.6
NIST SP 800-53 R3: IR-2, IR-6, IR-7, SI-4, SI-5
CCS CSC: -

[18] Incident Response Legal Preparation (DETECT)
Description: In the event a follow-up action concerning a person or organization after an information security incident requires legal action, proper forensic procedures including chain of custody shall be required for collection, retention, and presentation of evidence to support potential legal action subject to the relevant jurisdiction.
ISO/IEC 27001:2005: Clause 4.3.3, Clause 5.2.2, A.8.2.2, A.8.2.3, A.13.2.3, A.15.1.3
COBIT 4.1: DS5.6
NIST SP 800-53 R3: AU-6, AU-7, AU-9, AU-11, IR-5, IR-7, IR-8
CCS CSC: CSC 16

[19] eCommerce Transactions (DETECT)
Description: Electronic commerce (e-commerce) related data traversing public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure or modification in such a manner to prevent contract dispute and compromise of data.
ISO/IEC 27001:2005: A.7.2.1, A.10.6.1, A.10.6.2, A.10.9.1, A.10.9.2, A.15.1.4
COBIT 4.1: DS 5.10, DS 5.11
NIST SP 800-53 R3: AC-14, AC-21, AC-22, IA-8, AU-10, SC-4, SC-8, SC-9
CCS CSC: -

[20] Portable / Mobile Devices (DETECT)
Description: Policies and procedures shall be established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization's facilities).
ISO/IEC 27001:2005: A.7.2.1, A.10.7.1, A.10.7.2, A.10.8.3, A.11.7.1, A.11.7.2, A.15.1.4
COBIT 4.1: DS5.11, DS5.5
NIST SP 800-53 R3: AC-17, AC-18, AC-19, MP-2, MP-4, MP-6
CCS CSC: CSC 4, CSC 20
[21] Policy (RESPOND)
Description: Policies and procedures shall be established and made available for all personnel to adequately support the services operations role.
ISO/IEC 27001:2005: Clause 5.1, A.8.1.1, A.8.2.1, A.8.2.2, A.10.1.1
COBIT 4.1: DS13.1
NIST SP 800-53 R3: CM-2, CM-3, CM-4, CM-5, CM-6, CM-9, MA-4, SA-3, SA-4, SA-5, SA-8, SA-10, SA-11, SA-12
CCS CSC: -

[22] Incident Management (RECOVER)
Description: Policies and procedures shall be established to triage security related events and ensure timely and thorough incident management.
ISO/IEC 27001:2005: Clause 4.3.3, A.13.1.1, A.13.2.1
COBIT 4.1: DS5.6
NIST SP 800-53 R3: IR-1, IR-2, IR-3, IR-4, IR-5, IR-7, IR-8
CCS CSC: CSC 1, CSC 2

Supplemental Specialized Security Frameworks and evidence source, one entry per priority control ([1] to [22] as above):
IACS Security Standard (ISA 99 / NERC CIP / IEC 62443) | GAPP (Aug 2009) | AICPA TS Map | AICPA Trust Service Criteria (SOC 2 Report) | Evidence-based, Prioritized Key Controls (Based on Controls Failures)

[1] Classification
NERC CIP: CIP-003-3 - R4 - R5
GAPP: 1.2.3, 1.2.6, 4.1.2, 8.2.1, 8.2.5, 8.2.6
AICPA TS Map: S3.8.0, C3.14.0
Trust Service Criteria: (S3.8.0) Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary. (C3.14.0) Procedures exist to provide that system data are classified in accordance with the defined confidentiality and related security policies.
Evidence: HISPI 20 ISO 27001

[2] Handling / Labeling / Security Policy
NERC CIP: CIP-003-3 - R4 - R4.1
GAPP: 1.1.2, 5.1.0, 7.1.2, 8.1.0, 8.2.5, 8.2.6
AICPA TS Map: S3.2.a
Trust Service Criteria: (S3.2.a) a. Logical access security measures to restrict access to information resources not deemed to be public.
Evidence: HISPI 20 ISO 27001

[3] Information System Regulatory Mapping
NERC CIP: -
GAPP: 1.2.2, 1.2.4, 1.2.6, 1.2.11, 3.2.4, 5.2.1
AICPA TS Map: S3.1.0, x3.1.0
Trust Service Criteria: (S3.1.0) Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats. (x3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operations that would impair system [availability, processing integrity, confidentiality] commitments and (2) assess the risks associated with the identified threats.
Evidence: HISPI 20 ISO 27001

[4] Data Integrity
NERC CIP: CIP-003-3 - R4.2
GAPP: 1.2.6
AICPA TS Map: I3.2.0, I3.3.0, I3.4.0, I3.5.0
Trust Service Criteria: (I3.2.0) The procedures related to completeness, accuracy, timeliness, and authorization of inputs are consistent with the documented system processing integrity policies. (I3.3.0) The procedures related to completeness, accuracy, timeliness, and authorization of system processing, including error correction and database management, are consistent with documented system processing integrity policies. (I3.4.0) The procedures related to completeness, accuracy, timeliness, and authorization of outputs are consistent with the documented system processing integrity policies. (I3.5.0) There are procedures to enable tracing of information inputs from their source to their final disposition and vice versa.
Evidence: HISPI 20 ISO 27001

[5] Network Security
NERC CIP: CIP-004-3 R2.2.4
GAPP: 8.2.5
AICPA TS Map: S3.4
Trust Service Criteria: (S3.4) Procedures exist to protect against unauthorized access to system resources.
Evidence: HISPI 20 ISO 27001

[6] Audit Logging / Intrusion Detection
NERC CIP: CIP-007-3 - R6.5
GAPP: 8.2.1, 8.2.2
AICPA TS Map: S3.7
Trust Service Criteria: (S3.7) Procedures exist to identify, report, and act upon system security breaches and other incidents.
Evidence: Verizon DBIR 2013

[7] Production Changes
NERC CIP: CIP-003-3 - R6
GAPP: 1.2.6
AICPA TS Map: A3.16.0, S3.13.0
Trust Service Criteria: (A3.16.0, S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
Evidence: CCS CSC / Aus DSD Sweet Spot

[8] Policy
NERC CIP: CIP-003-3 - R1 - R1.1 - R1.2 - R2 - R2.1 - R2.2 - R2.3
GAPP: 8.1.0, 8.1.1
AICPA TS Map: S1.1.0, S1.3.0, S2.3.0
Trust Service Criteria: (S1.1.0) The entity's security policies are established and periodically reviewed and approved by a designated individual or group. (S1.3.0) Responsibility and accountability for developing and maintaining the entity's system security policies, and changes and updates to those policies, are assigned. (S2.3.0) Responsibility and accountability for the entity's system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
Evidence: HISPI 20 ISO 27001

[9] User Access Reviews
NERC CIP: CIP-004-3 R2.2.2; CIP-007-3 - R5 - R5.1.3
GAPP: 8.2.1, 8.2.7
AICPA TS Map: S3.2.0
Trust Service Criteria: (S3.2.0) Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters: d. The process to make changes to user profiles. g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
Evidence: Verizon DBIR 2013

[10] Training / Awareness
NERC CIP: CIP-004-3 - R1 - R2 - R2.1
GAPP: 1.2.10, 8.2.1
AICPA TS Map: S1.2.k, S2.2.0
Trust Service Criteria: (S1.2.k) The entity's security policies include, but may not be limited to, the following matters: k. Providing for training and other resources to support its system security policies. (S2.2.0) The security obligations of users and the entity's security commitments to users are communicated to authorized users.
Evidence: HISPI 20 ISO 27001

[11] Management Oversight
NERC CIP: -
GAPP: 1.1.2, 8.2.1
AICPA TS Map: S1.2.f, S2.3.0
Trust Service Criteria: (S1.2.f) f. Assigning responsibility and accountability for system availability, confidentiality, processing integrity and related security. (S2.3.0) Responsibility and accountability for the entity's system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
Evidence: HISPI 20 ISO 27001

[12] User Responsibility
NERC CIP: -
GAPP: 1.2.10, 8.2.1
AICPA TS Map: S2.3.0
Trust Service Criteria: (S2.3.0) Responsibility and accountability for the entity's system availability, confidentiality, processing integrity and security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
Evidence: HISPI 20 ISO 27001

[13] Workspace
NERC CIP: -
GAPP: 8.2.3
AICPA TS Map: S3.3.0, S3.4.0
Trust Service Criteria: (S3.3.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers. (S3.4.0) Procedures exist to protect against unauthorized access to system resources.
Evidence: HISPI 20 ISO 27001

[14] Encryption
NERC CIP: CIP-003-3 - R4.2
GAPP: 8.1.1, 8.2.1, 8.2.5
AICPA TS Map: C3.12.0, S3.6.0, S3.4
Trust Service Criteria: (C3.12.0, S3.6.0) Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks. (S3.4) Procedures exist to protect against unauthorized access to system resources.
Evidence: HISPI 20 ISO 27001

[15] Vulnerability / Patch Management
NERC CIP: CIP-004-3 R4 - 4.1 - 4.2; CIP-005-3a - R1 - R1.1; CIP-007-3 - R3 - R3.1 - R8.4
GAPP: 1.2.6, 8.2.7
AICPA TS Map: S3.10.0
Trust Service Criteria: (S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.
Evidence: CCS CSC / Aus DSD Sweet Spot

[16] Anti-Virus / Malicious Software
NERC CIP: CIP-007-3 - R4 - R4.1 - R4.2
GAPP: 8.2.2
AICPA TS Map: S3.5.0
Trust Service Criteria: (S3.5.0) Procedures exist to protect against infection by computer viruses, malicious codes, and unauthorized software.
Evidence: Verizon DBIR 2013

[17] Incident Reporting
NERC CIP: CIP-003-3 - R4.1; CIP-004-3 R3.3
GAPP: 1.2.7, 1.2.10, 7.1.2, 7.2.2, 7.2.4, 10.2.4
AICPA TS Map: A2.3.0, C2.3.0, I2.3.0, S2.3.0, S2.4, C3.6.0
Trust Service Criteria: (A2.3.0, C2.3.0, I2.3.0, S2.3.0) Responsibility and accountability for the entity's system availability, confidentiality of data, processing integrity and related security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them. (S2.4) The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users. (C3.6.0) The entity has procedures to obtain assurance or representation that the confidentiality policies of third parties to whom information is transferred and upon which the entity relies are in conformity with the entity's defined system confidentiality and related security policies and that the third party is in compliance with its policies.
Evidence: HISPI 20 ISO 27001

[18] Incident Response Legal Preparation
NERC CIP: CIP-004-3 R3.3
GAPP: 1.2.7
AICPA TS Map: S2.4.0, C3.15.0
Trust Service Criteria: (S2.4.0) The process for informing the entity about system availability issues, confidentiality issues, processing integrity issues, security issues and breaches of the system security and for submitting complaints is communicated to authorized users. (C3.15.0) Procedures exist to provide that issues of noncompliance with defined confidentiality and related security policies are promptly addressed and that corrective measures are taken on a timely basis.
Evidence: HISPI 20 ISO 27001

[19] eCommerce Transactions
NERC CIP: -
GAPP: 3.2.4, 4.2.3, 7.1.2, 7.2.1, 7.2.2, 8.2.1, 8.2.5
AICPA TS Map: S3.6, I3.3.a-e, I3.4.0
Trust Service Criteria: (S3.6) Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks. (I3.3.a-e) The procedures related to completeness, accuracy, timeliness, and authorization of system processing, including error correction and database management, are consistent with documented system processing integrity policies. (I3.4.0) The procedures related to completeness, accuracy, timeliness, and authorization of outputs are consistent with the documented system processing integrity policies.
Evidence: HISPI 20 ISO 27001

[20] Portable / Mobile Devices
NERC CIP: CIP-007-3 - R7.1
GAPP: 1.2.6, 3.2.4, 8.2.6
AICPA TS Map: S3.4
Trust Service Criteria: (S3.4) Procedures exist to protect against unauthorized access to system resources.
Evidence: HISPI 20 ISO 27001

[21] Policy (Operations Management)
NERC CIP: -
GAPP: 8.2.1
AICPA TS Map: S2.3.0
Trust Service Criteria: (S2.3.0) Responsibility and accountability for the entity's system availability, confidentiality of data, processing integrity, system security and related security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
Evidence: HISPI 20 ISO 27001

[22] Incident Management
NERC CIP: CIP-007-3 - R6.1; CIP-008-3 - R1
GAPP: 1.2.4, 1.2.7, 7.1.2, 7.2.2, 7.2.4, 10.2.1, 10.2.4
AICPA TS Map: S3.7.0, S3.9.0
Trust Service Criteria: (S3.7.0) Procedures exist to identify, report, and act upon system security breaches and other incidents. (S3.9.0) Procedures exist to provide that issues of noncompliance with system availability, confidentiality of data, processing integrity and related security policies are promptly addressed and that corrective measures are taken on a timely basis.
Evidence: Verizon DBIR 2013

Key: Evidence-based, Prioritized Key Controls: HISPI Top 20 ISO 27001 Controls Failures | Verizon DBIR | CCS CSC / Aus DSD Sweet Spot
*This Tab is subject to change based on new evidence on controls failures

From: Privacy Rights Clearinghouse and Datalossdb.org
613.5B records have been reported lost since 2005
HISPI has analyzed these public sources for several years and has identified key ISO 27001 Annex A control failures

(A) 2012 HISPI Top 20 ISO/IEC 27001:2005 Annex A Mitigating Controls Failures Q4'2012
*Several of the top 10 were missing in the NIST Discussion Preliminary Draft released prior to the Dallas workshop
*Identity controls failed
*Physical security controls failed
*Detection failed

(B) 2012 and 2013 Verizon DBIR http://www.verizonenterprise.com/DBIR/2013/

(C) SANS Quick Wins http://www.sans.org/critical-security-controls/guidelines.php
Australian DSD Sweet Spot http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
Top 4 Strategies to Mitigate Targeted Cyber Intrusions: Mandatory Requirement Explained 7/13 http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm

Work in progress:
(D) Will add 2013 Mandiant APT1 Report and Digital Appendix & Indicators
(E) Will add 2013 Trustwave Global Security Report (GSR)
(F) Will add 2012 Microsoft Security Intelligence Report (SIR) Volume 14
Illustrative Example Security Capability Maturity Model Index (based on Wikipedia with Security added)

CSF Domain | Risk Index (SCMMI 0-5) | Goal (Target State) | Risks (See Risk Register)
IDENTIFY | 2 | 4.25 |
PROTECT | 2.5 | 3.25 |
DETECT | 2 | 3.5 |
RESPOND | 1.25 | 3.75 |
RECOVER | 2 | 3 |

Chart: CSF Security Index, bar chart of Risk Index (SCMMI 0-5) against Goal (Target State) per CSF domain (axis 0 to 4.5)
OR
Chart: CSF Security Index, radar chart of the same Risk Index and Goal values on a 0-5 scale
Security Capability Maturity Model Index

SCMMI Index 1 - Initial / Ad-hoc

Index 1 is an immature state. Security is characterized as ad hoc, and occasionally even chaotic. Few security practices are defined, and success depends on individual effort. Here there is no objective basis for judging security quality or for solving security problems. Therefore security quality is difficult to predict. Activities intended to enhance security such as reviews and testing are often curtailed or eliminated when other activities fall behind schedule.

SCMMI Index 2 - Repeatable / Managed (Risk Informed)

Index 2 is a managed state. Managed, as the word implies, means the security capabilities are defined at this level. Basic security capabilities and principles are established to track security, risks, cost, schedule and functionality. The necessary security and risk management discipline is in place to repeat earlier success on security capabilities. Effective security practices can be characterized as practiced, documented, enforced, trained, measured, and able to improve.

SCMMI Index 3 - Defined

Index 3 is a defined state, and looks at building security capabilities and organizational level security capabilities using the strong base set at SCMMI 2. Index 3 is when an organization will have security practices for Requirements gathering (Test Requirements Gathering), Design & Build (Strategize and Prepare Test Cases / Scripts), Reviews, Testing (Execute Test Cases / Scripts) etc. defined at organization level. Information and artifacts of previous security capabilities are available for re-use within the organization through mechanisms of knowledge sharing.

SCMMI Index 4 - Quantitatively Managed

Index 4 in SCMMI is a very critical step. It is called the "Quantitatively Managed" state. At this state, the organization has achieved all the goals of SCMMI 2 and 3. The key attribute of SCMMI 4 is sub-category performance. The selected sub-categories are controlled using statistical and other quantitative techniques. At Index 4, security practices happen through quantitative techniques. Quantitative objectives are based on the needs of the client, end users, organization and process improvement. Quality and process performance are understood in statistical terms and are managed throughout the life of the capabilities. For the various capabilities, measures of practice performance are collected and statistically analyzed. Special causes of variation in practice performance are identified and corrected to prevent future occurrences. The crucial difference between Level 3 and 4 is predictability. At Level 4, performance of practices is quantitatively predictable.

SCMMI Index 5 - Optimizing

Index 5 is an Optimizing state that focuses on continually improving security practices performance through both incremental and innovative improvements. The effects of deployed practice improvements are measured and evaluated. A critical distinction between SCMMI 4 and 5 is the type of practice variation that is addressed. At SCMMI 4, we look at special causes of variation. At SCMMI 5, we are concerned with addressing common causes of variation and changing the security practices (e.g. Defect & Problem Prevention).
Example Risk Management Methodologies to Implement
NIST SP 800-37
ISO 31000 / ISO 27005

Step 1 - Identify risks
Step 2 - Prioritize risk findings in Risk Register
Step 3 - Establish security roadmap towards addressing identified risks
Step 4 - Obtain executive level approval and funding for roadmap
Step 5 - Continuously assess program using Security Index
Step 6 - Repeat Step 1
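
Steps 2 and 3 are where a spreadsheet register usually turns into ad hoc sorting. The following is an added example, not code from the original workbook, showing one consistent way to do it: each risk carries likelihood and impact on a 1-5 scale, rated independently for inherent and residual risk as the Risk Management controls in the Framework Core tab describe; residual score is checked against a documented acceptance level; and open risks are ordered for the roadmap by residual score, breaking ties in favour of the CSF function with the larger Security Index gap. The register entries, the acceptance threshold and the control references are constructed; the current and target index values copy the illustrative Security Index table on this page.

```python
"""Risk register scoring, acceptance check and roadmap ordering.

Added example, not from the original workbook. Register entries, the
acceptance threshold and the control references are constructed; the index
values copy the illustrative Security Index table on this page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    id: str
    function: str              # CSF function the risk belongs to
    description: str
    inherent_likelihood: int   # 1-5, before controls
    inherent_impact: int
    residual_likelihood: int   # 1-5, with current controls in place
    residual_impact: int
    controls: tuple            # CCM control IDs that treat it

    @property
    def inherent(self):
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual(self):
        return self.residual_likelihood * self.residual_impact


# Constructed acceptance criterion: residual score at or below this is within appetite.
ACCEPTANCE = 6

# Current and target Security Index per function (from the illustrative table above).
SECURITY_INDEX = {"IDENTIFY": (2.0, 4.25), "PROTECT": (2.5, 3.25), "DETECT": (2.0, 3.5),
                  "RESPOND": (1.25, 3.75), "RECOVER": (2.0, 3.0)}

# Constructed register entries.
RISKS = [
    Risk("R-1", "DETECT", "Audit logs retained but not reviewed daily", 4, 4, 4, 3, ("SA-14",)),
    Risk("R-2", "PROTECT", "Flat network between control systems and corporate LAN", 5, 5, 3, 5,
         ("SA-08", "SA-09")),
    Risk("R-3", "IDENTIFY", "No data classification scheme", 3, 3, 2, 3, ("DG-02",)),
    Risk("R-4", "RESPOND", "No forensic / chain-of-custody procedure", 3, 4, 3, 4, ("IS-24",)),
    Risk("R-5", "RECOVER", "Business continuity plan never exercised", 4, 3, 2, 2, ("RS-04",)),
]


def needs_treatment(risk, acceptance=ACCEPTANCE):
    """True when residual risk is still above the documented acceptance level."""
    return risk.residual > acceptance


def index_gap(index=SECURITY_INDEX):
    """Target minus current Security Index per function."""
    return {fn: target - current for fn, (current, target) in index.items()}


def register(risks=RISKS):
    """Risk Register layout: risks grouped by CSF function with their scores."""
    out = {}
    for r in risks:
        out.setdefault(r.function, []).append((r.id, r.inherent, r.residual, needs_treatment(r)))
    return out


def roadmap(risks=RISKS, index=SECURITY_INDEX, acceptance=ACCEPTANCE):
    """Open risks ordered by residual score, then by the function with the larger index gap."""
    gaps = index_gap(index)
    open_risks = [r for r in risks if needs_treatment(r, acceptance)]
    return sorted(open_risks, key=lambda r: (-r.residual, -gaps[r.function], r.id))


if __name__ == "__main__":
    for r in roadmap():
        print(f"{r.id} {r.function:8s} residual={r.residual:2d} "
              f"controls={','.join(r.controls)}  {r.description}")
```

Two risks with equal residual scores (R-1 and R-4 here) are the common case, and the tie-break is the point of carrying the Security Index into the register: the function furthest from its target state goes first. Risks at or under the acceptance level stay in the register with their scores, since accepted risk still has to be re-rated at the next cycle (Step 6).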

Risk Register
CSF Domain | Risks (List of risks by CSF Functions)
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER

Example Roadmap
*Set based on prioritized issues in Risk Register
Risks identified by security, compliance, privacy, and risk management teams tend to follow the 4 pillars of the COSO Enterprise Risk Management (COSO ERM) model below.
Framework Core: Function | Category | Subcategory | CSA CCM 1.4 Control ID

IDENTIFY
  Risk Management
    Program | RI-01
    Assessments | RI-02
    Mitigation / Acceptance | RI-03
    Business / Policy Change Impacts | RI-04
    Third Party Access | RI-05
  Data Governance
    Ownership / Stewardship | DG-01
    Classification | DG-02
    Handling / Labeling / Security Policy | DG-03
    Retention Policy | DG-04
    Secure Disposal | DG-05
    Non-Production Data | DG-06
    Information Leakage | DG-07
    Risk Assessments | DG-08
  Legal
    Non-Disclosure Agreements | LG-01
    Third Party Agreements | LG-02
  Human Resources Security
    Background Screening | HR-01
    Employment Agreements | HR-02
    Employment Termination | HR-03
  Compliance
    Audit Planning | CO-01
    Independent Audits | CO-02
    Third Party Audits | CO-03
    Contact / Authority Maintenance | CO-04
    Information System Regulatory Mapping | CO-05
    Intellectual Property | CO-06

PROTECT
  Security Architecture
    Customer Access Requirements | SA-01
    User ID Credentials | SA-02
    Data Security / Integrity | SA-03
    Application Security | SA-04
    Data Integrity | SA-05
    Production / Non-Production Environments | SA-06
    Remote User Multi-Factor Authentication | SA-07
    Network Security | SA-08
    Segmentation | SA-09
    Wireless Security | SA-10
    Shared Networks | SA-11
    Clock Synchronization | SA-12
    Equipment Identification | SA-13
    Audit Logging / Intrusion Detection | SA-14
    Mobile Code | SA-15
  Release Management
    New Development / Acquisition | RM-01
    Production Changes | RM-02
    Quality Testing | RM-03
    Outsourced Development | RM-04
    Unauthorized Software Installations | RM-05
  Facility Security
    Policy | FS-01
    User Access | FS-02
    Controlled Access Points | FS-03
    Secure Area Authorization | FS-04
    Unauthorized Persons Entry | FS-05
    Off-Site Authorization | FS-06
    Off-Site Equipment | FS-07
    Asset Management | FS-08

DETECT
  Information Security
    Management Program | IS-01
    Management Support / Involvement | IS-02
    Policy | IS-03
    Baseline Requirements | IS-04
    Policy Reviews | IS-05
    Policy Enforcement | IS-06
    User Access Policy | IS-07
    User Access Restriction / Authorization | IS-08
    User Access Revocation | IS-09
    User Access Reviews | IS-10
    Training / Awareness | IS-11
    Industry Knowledge / Benchmarking | IS-12
    Roles / Responsibilities | IS-13
    Management Oversight | IS-14
    Segregation of Duties | IS-15
    User Responsibility | IS-16
    Workspace | IS-17
    Encryption | IS-18
    Encryption Key Management | IS-19
    Vulnerability / Patch Management | IS-20
    Anti-Virus / Malicious Software | IS-21
    Incident Management | IS-22
    Incident Reporting | IS-23
    Incident Response Legal Preparation | IS-24
    Incident Response Metrics | IS-25
    Acceptable Use | IS-26
    Asset Returns | IS-27
    eCommerce Transactions | IS-28
    Audit Tools Access | IS-29
    Diagnostic / Configuration Ports Access | IS-30
    Network / Infrastructure Services | IS-31
    Portable / Mobile Devices | IS-32
    Source Code Access Restriction | IS-33
    Utility Programs Access | IS-34

RESPOND
  Operations Management
    Policy | OP-01
    Documentation | OP-02
    Capacity / Resource Planning | OP-03
    Equipment Maintenance | OP-04

RECOVER
  Resiliency
    Management Program | RS-01
    Impact Analysis | RS-02
    Business Continuity Planning | RS-03
    Business Continuity Testing | RS-04
    Environmental Risks | RS-05
    Equipment Location | RS-06
    Equipment Power Failures | RS-07
    Power / Telecommunications | RS-08

*Based on the Cloud Security Alliance Cloud Controls Matrix (CCM) and NIST outline CSF (San Diego)
Critical Infrastructure Sectors (Key Control Failures by Sector and Breach Statistics)

Column headers (first group): CSA CCM 1.4 Description | Chemical | Commercial Facilities | Communications | Critical Manufacturing | Dams | Defense Industrial Base | Emergency Services

RI-01: Organizations shall develop and maintain an enterprise risk management framework to manage risk to an acceptable level.

RI-02: Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance).

RI-03: Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and executive approval.

RI-04: Risk assessment results shall include updates to security policies, procedures, standards and controls to ensure they remain relevant and effective.

RI-05: The identification, assessment, and prioritization of risks posed by business processes requiring third party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.

DG-01: All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated.

DG-02: Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.

DG-03: Policies and procedures shall be established for labeling, handling and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

DG-04 (v1.0): Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of disk or tape backups must be implemented at planned intervals.

DG-04 (v1.1): Policies and procedures for data retention and storage shall be established and backup or redundancy mechanisms implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing the recovery of backups must be implemented at planned intervals.

DG-05: Policies and procedures shall be established and mechanisms implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.

DG-06: Production data shall not be replicated or used in non-production environments.

DG-07: Security mechanisms shall be implemented to prevent data leakage.

DG-08: Risk assessments associated with data governance requirements shall be conducted at planned intervals considering the following:
• Awareness of where sensitive data is stored and transmitted across applications, databases, servers and network infrastructure
• Compliance with defined retention periods and end-of-life disposal requirements
• Data classification and protection from unauthorized use, access, loss, destruction, and falsification

LG-01: Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented and reviewed at planned intervals.

LG-02: Third party agreements that directly, or indirectly, impact the organization's information assets or data are required to include explicit coverage of all relevant security requirements. This includes agreements involving processing, accessing, communicating, hosting or managing the organization's information assets, or adding or terminating services or products to existing information. Assets agreements provisions shall include security (e.g., encryption, access controls, and leakage prevention) and integrity controls for data exchanged to prevent improper disclosure, alteration or destruction.

HR-01: Pursuant to local laws, regulations, ethics and contractual constraints all employment candidates, contractors and third parties will be subject to background verification proportional to the data classification to be accessed, the business requirements and acceptable risk.

HR-02 (v1.0): Prior to granting individuals physical or logical access to facilities, systems or data, employees, contractors, third party users and customers shall contractually agree and sign the terms and conditions of their employment or service contract, which must explicitly include the parties' responsibility for information security.

HR-02 (v1.1): Prior to granting individuals physical or logical access to facilities, systems or data, employees, contractors, third party users and tenants and/or customers shall contractually agree and sign equivalent terms and conditions regarding information security responsibilities in employment or service contract.

HR-03: Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented and communicated.

CO-01: Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations shall be designed to minimize the risk of business process disruption. Audit activities must be planned and agreed upon in advance by stakeholders.

CO-02: Independent reviews and assessments shall be performed at least annually, or at planned intervals, to ensure the organization is compliant with policies, procedures, standards and applicable regulatory requirements (i.e., internal/external audits, certifications, vulnerability and penetration testing).

CO-03: Third party service providers shall demonstrate compliance with information security and confidentiality, service definitions and delivery level agreements included in third party contracts. Third party reports, records and services shall undergo audit and review, at planned intervals, to govern and maintain compliance with the service delivery agreements.

CO-04: Liaisons and points of contact with local authorities shall be maintained in accordance with business and customer requirements and compliance with legislative, regulatory, and contractual requirements. Data, objects, applications, infrastructure and hardware may be assigned legislative domain and jurisdiction to facilitate proper compliance points of contact.

CO-05: Statutory, regulatory, and contractual requirements shall be defined for all elements of the information system. The organization's approach to meet known requirements, and adapt to new mandates shall be explicitly defined, documented, and kept up to date for each information system element in the organization. Information system elements may include data, objects, applications, infrastructure and hardware. Each element may be assigned a legislative domain and jurisdiction to facilitate proper compliance mapping.

CO-06: Policy, process and procedure shall be established and implemented to safeguard intellectual property and the use of proprietary software within the legislative jurisdiction and contractual constraints governing the organization.

SA-01: Prior to granting customers access to data, assets and information systems, all identified security, contractual and regulatory requirements for customer access shall be addressed and remediated.

SA-02: Implement and enforce (through automation) user credential and password controls for applications, databases and server and network infrastructure, requiring the following minimum standards:
• User identity verification prior to password resets.
• If password reset initiated by personnel other than user (i.e., administrator), password must be immediately changed by user upon first use.
• Timely access revocation for terminated users.
• Remove/disable inactive user accounts at least every 90 days.
• Unique user IDs and disallow group, shared, or generic accounts and passwords.
• Password expiration at least every 90 days.
• Minimum password length of at least seven (7) characters.
• Strong passwords containing both numeric and alphabetic characters.
• Allow password re-use after the last four (4) passwords used.
• User ID lockout after not more than six (6) attempts.
• User ID lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
• Re-enter password to reactivate terminal after session idle time for more than 15 minutes.
• Maintain user activity logs for
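
The SA-02 bullets above are policy statements; the control itself asks for them to be enforced "through automation". The Python below is an added example, not code from the CSA CCM or from this framework, showing how those thresholds become account-state checks: complexity and re-use rules on a password change, lockout after six failures for 30 minutes (or until an administrator re-enables the ID), a forced change after an administrator-initiated reset, 90-day expiration, 90-day inactive-account disablement and a 15-minute idle re-authentication check. The Account model, the function names, the use of PBKDF2 for the stored password history and the reference timestamp T0 are assumptions made for the example.

```python
"""Account and credential policy checks built from the SA-02 minimum standards (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds are the ones stated in the SA-02 bullet list.
MIN_LENGTH = 7                              # at least seven characters
HISTORY_DEPTH = 4                           # may not re-use any of the last four passwords
MAX_FAILED_ATTEMPTS = 6                     # lock the user ID after six failed attempts
LOCKOUT = timedelta(minutes=30)             # minimum lockout duration (or until admin unlock)
IDLE_TIMEOUT = timedelta(minutes=15)        # re-enter password after this much idle time
PASSWORD_MAX_AGE = timedelta(days=90)       # password expiration
INACTIVE_ACCOUNT_AGE = timedelta(days=90)   # disable accounts unused for this long

T0 = datetime(2013, 10, 10, 9, 0)           # constructed reference timestamp for the demo


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash for the stored history (assumption: PBKDF2-SHA256 is acceptable here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user_id: str                                          # unique per person; no shared or generic IDs
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)    # password hashes, oldest first
    password_set_at: Optional[datetime] = None
    last_login: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    must_change_on_first_use: bool = False
    disabled: bool = False


def password_complexity_errors(password: str) -> List[str]:
    """Return the SA-02 complexity rules a candidate password violates (empty list if none)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        errors.append("no numeric character")
    if not any(c.isalpha() for c in password):
        errors.append("no alphabetic character")
    return errors


def set_password(acct: Account, password: str, now: datetime, by_admin: bool = False) -> List[str]:
    """Apply complexity and re-use rules; store the new hash on success. Returns the violations."""
    errors = password_complexity_errors(password)
    digest = _derive(password, acct.salt)
    if any(hmac.compare_digest(digest, old) for old in acct.history[-HISTORY_DEPTH:]):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    acct.history.append(digest)
    acct.password_set_at = now
    acct.must_change_on_first_use = by_admin   # a reset by someone else must be changed at first use
    return []


def record_login_attempt(acct: Account, success: bool, now: datetime) -> str:
    """Update lockout state; returns 'ok', 'failed', 'locked', 'disabled' or 'change_password'."""
    if acct.disabled:
        return "disabled"
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None               # lockout period has elapsed
        acct.failed_attempts = 0
    if not success:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT
            return "locked"
        return "failed"
    acct.failed_attempts = 0
    acct.last_login = acct.last_activity = now
    expired = acct.password_set_at is not None and now - acct.password_set_at > PASSWORD_MAX_AGE
    return "change_password" if (acct.must_change_on_first_use or expired) else "ok"


def admin_unlock(acct: Account) -> None:
    """Administrator re-enables a locked user ID before the 30 minutes elapse."""
    acct.locked_until = None
    acct.failed_attempts = 0


def session_requires_reauth(acct: Account, now: datetime) -> bool:
    """True when the session has been idle for more than IDLE_TIMEOUT."""
    return acct.last_activity is None or now - acct.last_activity > IDLE_TIMEOUT


def disable_if_inactive(acct: Account, now: datetime) -> bool:
    """Disable an account unused for INACTIVE_ACCOUNT_AGE; returns True if it was just disabled."""
    reference = acct.last_login or acct.password_set_at
    if not acct.disabled and reference is not None and now - reference > INACTIVE_ACCOUNT_AGE:
        acct.disabled = True
        return True
    return False
```

The lockout counter is reset only when the lockout window has elapsed or an administrator unlocks the ID, so a failure just after expiry does not re-lock on the first attempt. Which timestamps count as "activity" for the inactive-account rule (last login here) is a local decision the control text leaves open.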
SA-03: Policies and procedures shall be established and mechanisms implemented to ensure security (e.g., encryption, access controls, and leakage prevention) and integrity of data exchanged between one or more system interfaces, jurisdictions, or with a third party shared services provider to prevent improper disclosure, alteration or destruction complying with legislative, regulatory, and contractual requirements.

SA-04: Applications shall be designed in accordance with industry accepted security standards (i.e., OWASP for web applications) and comply with applicable regulatory and business requirements.

SA-05: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data.

SA-06: Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets.

SA-07: Multi-factor authentication is required for all remote user access.

SA-08: Network environments shall be designed and configured to restrict connections between trusted and untrusted networks and reviewed at planned intervals, documenting the business justification for use of all services, protocols, and ports allowed, including rationale or compensating controls implemented for those protocols considered to be insecure. Network architecture diagrams must clearly identify high-risk environments and data flows that may have regulatory compliance impacts.

SA-09: System and network environments are separated by firewalls to ensure the following requirements are adhered to:
• Business and customer requirements
• Security requirements
• Compliance with legislative, regulatory, and contractual requirements
• Separation of production and non-production environments
• Preserve protection and isolation of sensitive data

SA-10: Policies and procedures shall be established and mechanisms implemented to protect wireless network environments, including the following:
• Perimeter firewalls implemented and configured to restrict unauthorized traffic
• Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.).
• Logical and physical user access to wireless network devices restricted to authorized personnel
• The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network

SA-11: Access to systems with shared network infrastructure shall be restricted to authorized personnel in accordance with security policies, procedures and standards. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.

SA-12: An external accurate, externally agreed upon, time source shall be used to synchronize the system clocks of all relevant information processing systems within the organization or explicitly defined security domain to facilitate tracing and reconstitution of activity timelines. Note: specific legal jurisdictions and orbital storage and relay platforms (US GPS & EU Galileo Satellite Network) may mandate a reference clock that differs in synchronization with the organization's domicile time reference; in this event the jurisdiction or platform is treated as an explicitly defined security domain.

SA-13: Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.

SA-14: Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.
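
SA-14 names host file-integrity checking alongside daily log review as a detection tool. The following is an added example, not code from the CSA CCM or this framework: it records a digest, size and permission bits for every regular file under a root, stores that baseline as JSON, and on the next run classifies each path as added, removed or modified. The sample tree, its file names and contents, and the JSON layout are constructed for the example only.

```python
"""Host file-integrity baseline and comparison, one of the tools SA-14 calls for (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Record digest, size and permission bits of every regular file under root (paths relative to root)."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue                                  # symlinks and directories are not hashed
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o777),
        }
    return baseline


def save_baseline(baseline: Dict[str, dict], out: Path) -> None:
    """Persist the baseline; in practice keep this copy where SA-14's log-access restriction applies."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, dict]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the stored baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree, baseline it, change it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen = 127.0.0.1:8443\n")   # constructed sample config
        (root / "bin" / "service").write_bytes(b"\x7fELF-placeholder")        # constructed sample binary
        (root / "etc" / "motd").write_text("authorized use only\n")
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated changes between two daily reviews (constructed, not real events).
        (root / "etc" / "app.conf").write_text("listen = 0.0.0.0:8443\n")     # config edited
        (root / "etc" / "motd").unlink()                                      # file removed
        (root / "bin" / "helper").write_bytes(b"new binary")                  # file added

        return compare(load_baseline(store), build_baseline(root))
```

Comparing the whole record (digest, size and mode) rather than the digest alone means a permission change with identical content is still reported as modified, which is what a reviewer doing the daily SA-14 review would want to see.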

SA-15: Mobile code shall be authorized before its installation and use, and the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy. All unauthorized mobile code shall be prevented from executing.
RM-01: Policies and procedures shall be established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations, and facilities.

RM-02: Changes to the production environment shall be documented, tested and approved prior to implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, service packs, and other updates and modifications.

RM-03: A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all software developed by the organization. Quality evaluation and acceptance criteria for information systems, upgrades, and new versions shall be established, documented and tests of the system(s) shall be carried out both during development and prior to acceptance to maintain security. Management shall have a clear oversight capacity in the quality testing process with the final product being certified as "fit for purpose" (the product should be suitable for the intended purpose) and "right first time" (mistakes should be eliminated) prior to release.

RM-04: A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all outsourced software development. The development of all outsourced software shall be supervised and monitored by the organization and must include security requirements, independent security review of the outsourced environment by a certified individual, certified security training for outsourced software developers, and code reviews. Certification for the purposes of this control shall be defined as either an ISO/IEC 17024 accredited certification or a legally recognized license or certification in the legislative jurisdiction the organization outsourcing the development has chosen as its domicile.

RM-05: Policies and procedures shall be established and mechanisms implemented to restrict the installation of unauthorized software.

FS-01: Policies and procedures shall be established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas.

FS-02: Physical access to information assets and functions by users and support personnel shall be restricted.

FS-03: Physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.

FS-04: Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.

FS-05: Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise and loss.

FS-06: Authorization must be obtained prior to relocation or transfer of hardware, software or data to an offsite premises.

FS-07: Policies and procedures shall be established for securing and asset management for the use and secure disposal of equipment maintained and used outside the organization's premise.

FS-08: A complete inventory of critical assets shall be maintained with ownership defined and documented.

IS-01: An Information Security Management Program (ISMP) has been developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program should address, but not be limited to, the following areas insofar as they relate to the characteristics of the business:
• Risk management
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and maintenance

IS-02: Executive and line management shall take formal action to support information security through clear documented direction, commitment, explicit assignment and verification of assignment execution.

IS-03: Management shall approve a formal information security policy document which shall be communicated and published to employees, contractors and other relevant external parties. The Information Security Policy shall establish the direction of the organization and align to best practices, regulatory, federal/state and international laws where applicable. The Information Security policy shall be supported by a strategic plan and a security program with well defined roles and responsibilities for leadership and officer roles.

IS-04: Baseline security requirements shall be established and applied to the design and implementation of (developed or purchased) applications, databases, systems, and network infrastructure and information processing that comply with policies, standards and applicable regulatory requirements. Compliance with security baseline requirements must be reassessed at least annually or upon significant changes.

IS-05: Management shall review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing effectiveness and accuracy.

IS-06: A formal disciplinary or sanction policy shall be established for employees who have violated security policies and procedures. Employees shall be made aware of what action might be taken in the event of a violation and stated as such in the policies and procedures.

IS-07: User access policies and procedures shall be documented, approved and implemented for granting and revoking normal and privileged access to applications, databases, and server and network infrastructure in accordance with business, security, compliance and service level agreement (SLA) requirements.

IS-08: Normal and privileged user access to applications, systems, databases, network configurations, and sensitive data and functions shall be restricted and approved by management prior to access granted.

IS-09: Timely deprovisioning, revocation or modification of user access to the organization's systems, information assets and data shall be implemented upon any change in status of employees, contractors, customers, business partners or third parties. Any change in status is intended to include termination of employment, contract or agreement, change of employment or transfer within the organization.

IS-10: All levels of user access shall be reviewed by management at planned intervals and documented. For access violations identified, remediation must follow documented access control policies and procedures.

IS-11: A security awareness training program shall be established for all contractors, third party users and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, process and policies, relating to their function relative to the organization.

IS-12: Industry security knowledge and benchmarking through networking, specialist security forums, and professional associations shall be maintained.

IS-13: Roles and responsibilities of contractors, employees and third party users shall be documented as they relate to information assets and security.

IS-14: Managers are responsible for maintaining awareness of and complying with security policies, procedures and standards that are relevant to their area of responsibility.

IS-15: Policies, process and procedures shall be implemented to enforce and assure proper segregation of duties. In those events where user-role conflict of interest constraints exist, technical controls shall be in place to mitigate any risks arising from unauthorized or unintentional modification or misuse of the organization's information assets.

IS-16: Users shall be made aware of their responsibilities for:
• Maintaining awareness and compliance with published security policies, procedures, standards and applicable regulatory requirements
• Maintaining a safe and secure working environment
• Leaving unattended equipment in a secure manner

IS-17: Policies and procedures shall be established for clearing visible documents containing sensitive data when a workspace is unattended and enforcement of workstation session logout for a period of inactivity.
IS-18: Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging).

IS-19: Policies and procedures shall be established and mechanisms implemented for effective key management to support encryption of data in storage and in transmission.

IS-20: Policies and procedures shall be established and mechanisms implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner taking a risk-based approach for prioritizing critical patches.

IS-21: Ensure that all antivirus programs are capable of detecting, removing, and protecting against all known types of malicious or unauthorized software with antivirus signature updates at least every 12 hours.

IS-22: Policies and procedures shall be established to triage security related events and ensure timely and thorough incident management.

IS-23: Contractors, employees and third party users shall be made aware of their responsibility to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a prompt and expedient manner in compliance with statutory, regulatory and contractual requirements.

IS-24: In the event a follow-up action concerning a person or organization after an information security incident requires legal action, proper forensic procedures including chain of custody shall be required for collection, retention, and presentation of evidence to support potential legal action subject to the relevant jurisdiction.

IS-25: Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.

IS-26: Policies and procedures shall be established for the acceptable use of information assets.

IS-27: Employees, contractors and third party users must return all assets owned by the organization within a defined and documented time frame once the employment, contract or agreement has been terminated.

IS-28: Electronic commerce (e-commerce) related data traversing public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure or modification in such a manner to prevent contract dispute and compromise of data.

IS-29: Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.

IS-30: User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.

IS-31: Network and infrastructure service level agreements (in-house or outsourced) shall clearly document security controls, capacity and service levels, and business or customer requirements.

IS-32: Policies and procedures shall be established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization's facilities).

IS-33: Access to application, program or object source code shall be restricted to authorized personnel on a need to know basis. Records shall be maintained regarding the individual granted access, reason for access and version of source code exposed.

IS-34: Utility programs capable of potentially overriding system, object, network, virtual machine and application controls shall be restricted.

OP-01: Policies and procedures shall be established and made available for all personnel to adequately support services operations role.

OP-02: Information system documentation (e.g., administrator and user guides, architecture diagrams, etc.) shall be made available to authorized personnel to ensure the following:
• Configuring, installing, and operating the information system
• Effectively using the system's security features

OP-03: The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with regulatory, contractual and business requirements. Projections of future capacity requirements shall be made to mitigate the risk of system overload.

OP-04: Policies and procedures shall be established for equipment maintenance ensuring continuity and availability of operations.

RS-01: Policy, process and procedures defining business continuity and disaster recovery shall be put in place to minimize the impact of a realized risk event on the organization to an acceptable level and facilitate recovery of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) through a combination of preventive and recovery controls, in accordance with regulatory, statutory, contractual, and business requirements and consistent with industry standards. This Resiliency management program shall be communicated to all organizational participants with a need to know basis prior to adoption and shall also be published, hosted, stored, recorded and disseminated to multiple facilities which must be accessible in the event of an incident.

RS-02: There shall be a defined and documented method for determining the impact of any disruption to the organization which must incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes, applications, business partners and third party service providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
• Estimate the resources required for resumption

RS-03: A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements. Requirements for business continuity plans include the following:
• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their review, update and approval
• Defined lines of communication, roles and responsibilities
• Detailed recovery procedures, manual work-around and reference information
• Method for plan invocation

RS-04: Business continuity plans shall be subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness.

RS-05: Physical protection against damage from natural causes and disasters as well as deliberate attacks including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear mishap, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed and countermeasures applied.

RS-06: To reduce the risks from environmental threats, hazards and opportunities for unauthorized access, equipment shall be located away from locations subject to high probability environmental risks and supplemented by redundant equipment located a reasonable distance.

RS-07: Security mechanisms and redundancies shall be implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.).

RS-08: Telecommunications equipment, cabling and relays transceiving data or supporting services shall be protected from interception or damage and designed with redundancies, alternative power source and alternative routing.

Critical Infrastructure Sectors (Key Control Failures by Sector and Breach Statistics), column headers continued: Energy / Electricity | Financial Services | Food and Agriculture | Government Facilities | Healthcare and Public Health | Information Technology | Nuclear Reactors, Materials, and Waste | Transportation Systems | Water and Wastewater Systems | COBIT 4.1

PO 9.1

PO 9.4
PO 9.5

PO 9.6

DS 2.3
DS5.1
PO 2.3

PO 2.3
DS 11.6

PO 2.3
DS 11.6
DS 4.1
DS 4.2
DS 4.5
DS 4.9
DS 11.6

DS 11.4
DS 11.6

PO 9.1
PO 9.2
PO 9.4
DS 5.7
DS5.11

PO 7.6
DS 2.1

PO 7.8

ME 2.1
ME 2.2
PO 9.5
PO 9.6
DS5.5
ME2.5
ME 3.1
PO 9.6

ME 2.6
DS 2.1
DS 2.4
ME 3.1

ME 3.1
DS5.3
DS5.4

DS5.11
AI2.4
DS5.7
DS5.10
DS5.5
DS5.7
DS5.8
DS5.10
DS5.7
DS5.7

DS5.5
DS5.6
DS9.2
A12
A16.1

A16.1
A17.6
PO 8.1
DS5.7
DS 12.1
DS 12.4
DS 4.9
DS 12.3

DS 12.2
DS 12.3
DS 12.3
R2 DS5.2
R2 DS5.5
DS5.1

DS5.2

AI2.1
AI2.2
AI3.3
DS2.3
DS11.6
DS 5.2
DS 5.4

PO 7.7

DS 5.4
DS5.4

DS 5.4
DS5.3
DS5.4

PO 7.4

DS5.1

DS5.3
DS5.4
DS5.5
DS 5.4

PO 4.6
DS5.8
DS5.10
DS5.11

DS5.8
AI6.1
AI3.3
DS5.9

DS5.9

DS5.6
DS5.6

DS5.6

DS 4.9
DS 5.3

DS 5.10
5.11

DS 5.7

DS5.7
DS5.10
DS5.11
DS5.5

DS5.7
DS13.1

DS 9
DS 13.1
DS 3

AI3.3

PO 9.1
PO 9.2
DS 4.2
Columns: HIPAA / HITECH Act | ISO/IEC 27001-2005 | NIST SP 800-53 R3 | FedRAMP Security Controls (Final Release, Jan 2012) --LOW IMPACT LEVEL--

45 CFR 164.308 (a)(8) Clause 4.2.1 c) through g) AC-4 NIST SP 800-53 R3 AC-1
45 CFR 164.308(a)(1)(ii)(B) Clause 4.2.2 b) CA-2 NIST SP 800-53 R3 AT-1
Clause 5.1 f) CA-6 NIST SP 800-53 R3 AU-1
Clause 7.2 & 7.3 PM-9 NIST SP 800-53 R3 CA-1
A.6.2.1 RA-1 NIST SP 800-53 R3 CA-6
A.12.6.1 NIST SP 800-53 R3 CA-7
A.14.1.2 NIST SP 800-53 R3 PL-1
A.15.2.1 NIST SP 800-53 R3 RA-1
A.15.2.2 NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-3

45 CFR 164.308 (a)(1)(ii)(A) Clause 4.2.1 c) through g) PL-5 NIST SP 800-53 R3 CM-1
Clause 4.2.3 d) RA-2 NIST SP 800-53 R3 RA-1
Clause 5.1 f) RA-3 NIST SP 800-53 R3 RA-2
Clause 7.2 & 7.3 NIST SP 800-53 R3 RA-3
A.6.2.1
A.12.5.2
A.12.6.1
A.14.1.2
A.15.1.1
A.15.2.1
A.15.2.2
45 CFR 164.308 (a)(1)(ii)(B) Clause 4.2.1 c) through g) CA-5 NIST SP 800-53 R3 CA-5
Clause 4.2.2 b) CM-4 NIST SP 800-53 R3 CP-1
Clause 4.3.1 NIST SP 800-53 R3 RA-1
Clause 5.1 f)
Clause 7.3
A.6.2.1
A.12.5.2
A.12.6.1
A.15.1.1
A.15.2.1
A.15.2.2

Clause 4.2.3 CP-2 NIST SP 800-53 R3 AC-1


Clause 4.2.4 RA-2 NIST SP 800-53 R3 AT-1
Clause 4.3.1 RA-3 NIST SP 800-53 R3 AU-1
Clause 5 NIST SP 800-53 R3 CA-1
Clause 7 NIST SP 800-53 R3 CM-1
A.5.1.2 NIST SP 800-53 R3 CP-1
A.10.1.2 NIST SP 800-53 R3 IA-1
A.10.2.3 NIST SP 800-53 R3 IR-1
A.14.1.2 NIST SP 800-53 R3 MA-1
A.15.2.1 NIST SP 800-53 R3 MP-1
A.15.2.2 NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1

A.6.2.1 CA-3 NIST SP 800-53 R3 AC-1


A.8.3.3 MA-4 NIST SP 800-53 R3 AT-1
A.11.1.1 RA-3 NIST SP 800-53 R3 AU-1
A.11.2.1 NIST SP 800-53 R3 CA-1
A.11.2.4 NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IA-5
NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 RA-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SI-1
45 CFR 164.308 (a)(2) A.6.1.3 CA-2 NIST SP 800-53 R3 CA-2
A.7.1.2 PM-5 NIST SP 800-53 R3 CA-2 (1)
A.15.1.4 PS-2 NIST SP 800-53 R3 PS-2
RA-2 NIST SP 800-53 R3 RA-2
SA-2 NIST SP 800-53 R3 SA-2

A.7.2.1 RA-2 NIST SP 800-53 R3 RA-2


AC-4

A.7.2.2 AC-16 NIST SP 800-53 R3 AC-1


A.10.7.1 MP-1 NIST SP 800-53 R3 MP-1
A.10.7.3 MP-3 NIST SP 800-53 R3 PE-1
A.10.8.1 PE-16 NIST SP 800-53 R3 PE-16
SI-12 NIST SP 800-53 R3 SI-1
SC-9 NIST SP 800-53 R3 SI-12
45 CFR 164.308 (a)(7)(ii)(A) Clause 4.3.3 CP-2 NIST SP 800-53 R3 CP-2
45 CFR 164.310 (d)(2)(iv) A.10.5.1 CP-6 NIST SP 800-53 R3 CP-9
45 CFR 164.308(a)(7)(ii)(D) A.10.7.3 CP-7
45 CFR 164.316(b)(2)(i) CP-8
(New) CP-9
SI-12
AU-11

45 CFR 164.310 (d)(2)(i) A.9.2.6 MP-6 NIST SP 800-53 R3 MP-6


45 CFR 164.310 (d)(2)(ii) A.10.7.2 PE-1 NIST SP 800-53 R3 PE-1

45 CFR 164.308(a)(4)(ii)(B) A.7.1.3 SA-11


A.10.1.4 CM-4
A.12.4.2
A.12.5.1
A.10.6.2 AC-2 NIST SP 800-53 R3 AC-1
A.12.5.4 AC-3 NIST SP 800-53 R3 AC-2
AC-4 NIST SP 800-53 R3 AC-3
AC-6
AC-11
AU-13
PE-19
SC-28
SA-8
SI-7

45 CFR 164.308(a)(1)(ii)(A) Clause 4.2.1 c) & g) CA-3 NIST SP 800-53 R3 CA-3


45 CFR 164.308(a)(8) Clause 4.2.3 d) RA-2 NIST SP 800-53 R3 RA-2
Clause 4.3.1 & 4.3.3 RA-3 NIST SP 800-53 R3 RA-3
Clause 7.2 & 7.3 MP-8 NIST SP 800-53 R3 SI-12
A.7.2 PM-9
A.15.1.1 SI-12
A.15.1.3
A.15.1.4

ISO/IEC 27001:2005 PL-4 NIST SP 800-53 R3 PL-4


Annex A.6.1.5 PS-6 NIST SP 800-53 R3 PS-6
SA-9 NIST SP 800-53 R3 SA-9
45 CFR 164.308 (a)(4)(ii)(A) A.6.2.3 CA-3 NIST SP 800-53 R3 CA-3
45 CFR 164.308 (b)(1) A10.2.1 MP-5 NIST SP 800-53 R3 PS-7
45 CFR 164.308 (b)(2)(i) A.10.8.2 PS-7 NIST SP 800-53 R3 SA-6
45 CFR 164.308 (b)(2)(ii) A.11.4.6 SA-6 NIST SP 800-53 R3 SA-7
45 CFR 164.308 (b)(2)(iii) A.11.6.1 SA-7 NIST SP 800-53 R3 SA-9
45 CFR 164.308 (b)(3) A.12.3.1 SA-9
45 CFR 164.308 (b)(4) A.12.5.4
45 CFR 164.312(e)(2)(i)
45 CFR 164.312 (c)(1)
45 CFR 164.312(e)(2)(ii)
45 CFR 164.314 (a)(1)(i)
45 CFR 164.314 (a)(1)(ii)(A)
45 CFR 164.314 (a)(2)(i)
45 CFR 164.314 (a)(2)(i)(A)
45 CFR 164.314 (a)(2)(i)(B)
45 CFR 164.314 (a)(2)(i)(C)
45 CFR 164.314 (a)(2)(i)(D)
45 CFR 164.314 (a)(2)(ii)(A)
45 CFR 164.314 (a)(2)(ii)(A)(1)
45 CFR 164.314 (a)(2)(ii)(A)(2)
45 CFR 164.314 (a)(2)(ii)(B)
45 CFR 164.314 (a)(2)(ii)(C)
45 CFR 164.314 (b)(1)
45 CFR 164.314 (b)(2)
45 CFR 164.314 (b)(2)(i)
45 CFR 164.314 (b)(2)(ii)
45 CFR 164.314 (b)(2)(iii)
45 CFR 164.314 (b)(2)(iv)

A.8.1.2 PS-2 NIST SP 800-53 R3 PS-2


PS-3 NIST SP 800-53 R3 PS-3
45 CFR 164.310(a)(1) A.6.1.5 PL-4 NIST SP 800-53 R3 PS-1
45 CFR 164.308(a)(4)(i) A.8.1.3 PS-6 NIST SP 800-53 R3 PS-2
PS-7 NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-7

45 CFR 164.308 (a)(3)(ii)(C) A.8.3.1 PS-4 NIST SP 800-53 R3 PS-2


PS-5 NIST SP 800-53 R3 PS-4
NIST SP 800-53 R3 PS-5
NIST SP 800-53 R3 PS-6
NIST SP 800-53 R3 PS-8

45 CFR 164.312(b) Clause 4.2.3 e) CA-2 NIST SP 800-53 R3 CA-2


Clause 4.2.3b CA-7 NIST SP 800-53 R3 CA-2 (1)
Clause 5.1 g PL-6 NIST SP 800-53 R3 CA-7
Clause 6
A.15.3.1
45 CFR 164.308 (a)(8) Clause 4.2.3e CA-1 NIST SP 800-53 R3 CA-1
45 CFR 164.308(a)(1)(ii)(D) Clause 5.1 g CA-2 NIST SP 800-53 R3 CA-2
Clause 5.2.1 d) CA-6 NIST SP 800-53 R3 CA-2 (1)
Clause 6 RA-5 NIST SP 800-53 R3 CA-6
A.6.1.8 NIST SP 800-53 R3 RA-5

45 CFR 164.308(b)(1) A.6.2.3 CA-3 NIST SP 800-53 R3 CA-3


45 CFR 164.308 (b)(4) A.10.2.1 SA-9 NIST SP 800-53 R3 SA-9
A.10.2.2 SA-12 NIST SP 800-53 R3 SC-7
A.10.6.2 SC-7
A.6.1.6 AT-5 NIST SP 800-53 R3 IR-6
A.6.1.7 IR-6 NIST SP 800-53 R3 SI-5
SI-5

ISO/IEC 27001:2005 AC-1 NIST SP 800-53 R3 AC-1


Clause 4.2.1 b) 2) AT-1 NIST SP 800-53 R3 AT-1
Clause 4.2.1 c) 1) AU-1 NIST SP 800-53 R3 AU-1
Clause 4.2.1 g) CA-1 NIST SP 800-53 R3 CA-1
Clause 4.2.3 d) 6) CM-1 NIST SP 800-53 R3 CM-1
Clause 4.3.3 CP-1 NIST SP 800-53 R3 CP-1
Clause 5.2.1 a - f IA-1 NIST SP 800-53 R3 IA-1
Clause 7.3 c) 4) IA-7 NIST SP 800-53 R3 IA-7
A.7.2.1 IR-1 NIST SP 800-53 R3 IR-1
A.15.1.1 MA-1 NIST SP 800-53 R3 MA-1
A.15.1.3 MP-1 NIST SP 800-53 R3 MP-1
A.15.1.4 PE-1 NIST SP 800-53 R3 PE-1
A.15.1.6 PL-1 NIST SP 800-53 R3 PL-1
PM-1 NIST SP 800-53 R3 PS-1
PS-1 NIST SP 800-53 R3 RA-1
RA-1 NIST SP 800-53 R3 RA-2
RA-2 NIST SP 800-53 R3 SA-1
SA-1 NIST SP 800-53 R3 SA-6
SA-6 NIST SP 800-53 R3 SC-1
SC-1 NIST SP 800-53 R3 SC-13
SC-13 NIST SP 800-53 R3 SI-1
SI-1

Clause 4.2.1 SA-6 NIST SP 800-53 R3 SA-6


A.6.1.5 SA-7 NIST SP 800-53 R3 SA-7
A.7.1.3 PM-5
A.10.8.2
A.12.4.3
A.15.1.2

A.6.2.1 CA-1 NIST SP 800-53 R3 CA-1


A.6.2.2 CA-2 NIST SP 800-53 R3 CA-2
A.11.1.1 CA-5 NIST SP 800-53 R3 CA-2 (1)
CA-6 NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CA-6
45 CFR 164.308(a)(5)(ii)(c) A.8.3.3 AC-1 NIST SP 800-53 R3 AC-1
45 CFR 164.308 (a)(5)(ii)(D) A.11.1.1 AC-2 NIST SP 800-53 R3 AC-2
45 CFR 164.312 (a)(2)(i) A.11.2.1 AC-3 NIST SP 800-53 R3 AC-3
45 CFR 164.312 (a)(2)(iii) A.11.2.3 AC-11 NIST SP 800-53 R3 AU-2
45 CFR 164.312 (d) A.11.2.4 AU-2 NIST SP 800-53 R3 AU-11
A.11.5.5 AU-11 NIST SP 800-53 R3 IA-1
IA-1 NIST SP 800-53 R3 IA-2
IA-2 NIST SP 800-53 R3 IA-2 (1)
IA-5 NIST SP 800-53 R3 IA-5
IA-6 NIST SP 800-53 R3 IA-5 (1)
IA-8 NIST SP 800-53 R3 IA-6
SC-10 NIST SP 800-53 R3 IA-8

A.10.8.1 AC-1 NIST SP 800-53 R3 AC-1


A.10.8.2 AC-4 NIST SP 800-53 R3 SC-1
A.11.1.1 SC-1 NIST SP 800-53 R3 SC-13
A.11.6.1 SC-16
A.11.4.6
A.12.3.1
A.12.5.4
A.15.1.4
45 CFR 164.312(e)(2)(i) A.11.5.6 SC-2 NIST SP 800-53 R3 SC-5
A.11.6.1 SC-3 NIST SP 800-53 R3 SC-6
A.12.2.1 SC-4 NIST SP 800-53 R3 SC-7
A.12.2.2 SC-5 NIST SP 800-53 R3 SC-12
A.12.2.3 SC-6 NIST SP 800-53 R3 SC-13
A.12.2.4 SC-7 NIST SP 800-53 R3 SC-14
A.12.5.2 SC-8
A.12.5.4 SC-9
A.12.5.5 SC-10
A.12.6.1 SC-11
A.15.2.1 SC-12
SC-13
SC-14
SC-17
SC-18
SC-20
SC-21
SC-22
SC-23

45 CFR 164.312 (c)(1) A.10.9.2 SI-10 NIST SP 800-53 R3 SI-2


45 CFR 164.312 (c)(2) A.10.9.3 SI-11 NIST SP 800-53 R3 SI-3
45 CFR 164.312(e)(2)(i) A.12.2.1 SI-2
A.12.2.2 SI-3
A.12.2.3 SI-4
A.12.2.4 SI-6
A.12.6.1 SI-7
A.15.2.1 SI-9
A.10.1.4 SC-2
A.10.3.2
A.11.1.1
A.12.5.1
A.12.5.2
A.12.5.3

A.11.1.1 AC-17 NIST SP 800-53 R3 AC-17


A.11.4.1 AC-20 NIST SP 800-53 R3 AC-20
A.11.4.2 IA-1 NIST SP 800-53 R3 IA-1
A.11.4.6 IA-2 NIST SP 800-53 R3 IA-2
A.11.7.1 MA-4 NIST SP 800-53 R3 IA-2 (1)
NIST SP 800-53 R3 MA-4
A.10.6.1 SC-7 NIST SP 800-53 R3 CM-7
A.10.6.2 NIST SP 800-53 R3 SC-7
A.10.9.1
A.10.10.2
A.11.4.1
A.11.4.5
A.11.4.6
A.11.4.7
A.15.1.4

45 CFR 164.308 (a)(4)(ii)(A) A.11.4.5 AC-4 NIST SP 800-53 R3 SC-7


A.11.6.1 SC-2
A.11.6.2 SC-3
A.15.1.4 SC-7
45 CFR 164.312 (e)(1)(2)(ii) A.7.1.1 AC-1 NIST SP 800-53 R3 AC-1
45 CFR 164.308(a)(5)(ii)(D) A.7.1.2 AC-18 NIST SP 800-53 R3 AC-18
45 CFR 164.312(e)(1) A.7.1.3 CM-6 NIST SP 800-53 R3 CM-6
45 CFR 164.312(e)(2)(ii) A.9.2.1 PE-4 NIST SP 800-53 R3 SC-7
A.9.2.4 SC-3
A.10.6.1 SC-7
A.10.6.2
A.10.8.1
A.10.8.3
A.10.8.5
A.10.10.2
A.11.2.1
A.11.4.3
A.11.4.5
A.11.4.6
A.11.4.7
A.12.3.1
A.12.3.2
45 CFR 164.312 (a)(1) A.10.8.1 PE-4 NIST SP 800-53 R3 PL-2
A.11.1.1 SC-4 NIST SP 800-53 R3 SC-1
A.11.6.2 SC-7 NIST SP 800-53 R3 SC-7
A.11.4.6

A.10.10.1 AU-1 NIST SP 800-53 R3 AU-1


A.10.10.6 AU-8 NIST SP 800-53 R3 AU-8
A.11.4.3 IA-3 NIST SP 800-53 R3 IA-4
IA-4

45 CFR 164.308 (a)(1)(ii)(D) A.10.10.1 AU-1 NIST SP 800-53 R3 AU-1


45 CFR 164.312 (b) A.10.10.2 AU-2 NIST SP 800-53 R3 AU-2
45 CFR 164.308(a)(5)(ii)(C) A.10.10.3 AU-3 NIST SP 800-53 R3 AU-3
A.10.10.4 AU-4 NIST SP 800-53 R3 AU-4
A.10.10.5 AU-5 NIST SP 800-53 R3 AU-5
A.11.2.2 AU-6 NIST SP 800-53 R3 AU-6
A.11.5.4 AU-7 NIST SP 800-53 R3 AU-9
A.11.6.1 AU-9 NIST SP 800-53 R3 AU-11
A.13.1.1 AU-11 NIST SP 800-53 R3 AU-12
A.13.2.3 AU-12 NIST SP 800-53 R3 PE-2
A.15.2.2 AU-14 NIST SP 800-53 R3 PE-3
A.15.1.3 SI-4

A.10.4.2 SC-18
A.12.2.2
A.6.1.4 CA-1 NIST SP 800-53 R3 CA-1
A.6.2.1 CM-1 NIST SP 800-53 R3 CM-1
A.12.1.1 CM-9 NIST SP 800-53 R3 PL-1
A.12.4.1 PL-1 NIST SP 800-53 R3 PL-2
A.12.4.2 PL-2 NIST SP 800-53 R3 SA-1
A.12.4.3 SA-1 NIST SP 800-53 R3 SA-3
A.12.5.5 SA-3 NIST SP 800-53 R3 SA-4
A.15.1.3 SA-4
A.15.1.4

45 CFR 164.308 (a)(5)(ii)(C) A.10.1.4 CA-1 NIST SP 800-53 R3 CA-1


45 CFR 164.312 (b) A.12.5.1 CA-6 NIST SP 800-53 R3 CA-6
A.12.5.2 CA-7 NIST SP 800-53 R3 CA-7
CM-2 NIST SP 800-53 R3 CM-2
CM-3 NIST SP 800-53 R3 CM-6
CM-5 NIST SP 800-53 R3 PL-2
CM-6 NIST SP 800-53 R3 PL-5
CM-9 NIST SP 800-53 R3 SI-2
PL-2
PL-5
SI-2
SI-6
SI-7
A.6.1.3 CM-1 NIST SP 800-53 R3 CM-1
A.10.1.1 CM-2 NIST SP 800-53 R3 CM-2
A.10.1.4 SA-3 NIST SP 800-53 R3 SA-3
A.10.3.2 SA-4 NIST SP 800-53 R3 SA-4
A.12.1.1 SA-5 NIST SP 800-53 R3 SA-5
A.12.2.1 SA-8
A.12.2.2 SA-10
A.12.2.3 SA-11
A.12.2.4 SA-13
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2

A.6.1.8 SA-4 NIST SP 800-53 R3 SA-4


A.6.2.1 SA-5 NIST SP 800-53 R3 SA-5
A.6.2.3 SA-8 NIST SP 800-53 R3 SA-9
A.10.1.4 SA-9
A.10.2.1 SA-10
A.10.2.2 SA-11
A.10.2.3 SA-12
A.10.3.2 SA-13
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.5.5
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
A.10.1.3 CM-1 NIST SP 800-53 R3 CM-1
A.10.4.1 CM-2 NIST SP 800-53 R3 CM-2
A.11.5.4 CM-3 NIST SP 800-53 R3 CM-7
A.11.6.1 CM-5 NIST SP 800-53 R3 CM-8
A.12.4.1 CM-7 NIST SP 800-53 R3 SA-6
A.12.5.3 CM-8 NIST SP 800-53 R3 SA-7
CM-9 NIST SP 800-53 R3 SI-1
SA-6 NIST SP 800-53 R3 SI-3
SA-7
SI-1
SI-3
SI-4
SI-7
45 CFR 164.310 (a)(1) A.5.1.1 CA-2 NIST SP 800-53 R3 CA-2
45 CFR 164.310 (a)(2)(ii) A.9.1.3 PE-1 NIST SP 800-53 R3 CA-2 (1)
45 CFR 164.308(a)(3)(ii)(A) A.9.1.5 PE-6 NIST SP 800-53 R3 PE-1
45 CFR 164.310 (a)(2)(iii) PE-7 NIST SP 800-53 R3 PE-6
(New) PE-8 NIST SP 800-53 R3 PE-7
NIST SP 800-53 R3 PE-8

45 CFR 164.310(a)(1) A.9.1.1 PE-2 NIST SP 800-53 R3 PE-2


45 CFR 164.310(a)(2)(ii) A.9.1.2 PE-3 NIST SP 800-53 R3 PE-3
45 CFR 164.310(b) PE-4 NIST SP 800-53 R3 PE-6
45 CFR 164.310 (c) (New) PE-5
PE-6
A.9.1.1 PE-2 NIST SP 800-53 R3 PE-2
PE-3 NIST SP 800-53 R3 PE-3
PE-6 NIST SP 800-53 R3 PE-6
PE-18

A.9.1.1 PE-2 NIST SP 800-53 R3 PE-2


A.9.1.2 PE-3 NIST SP 800-53 R3 PE-3
PE-6 NIST SP 800-53 R3 PE-6
PE-7 NIST SP 800-53 R3 PE-7
PE-8 NIST SP 800-53 R3 PE-8
PE-18
A.9.1.6 PE-7 NIST SP 800-53 R3 PE-7
PE-16 NIST SP 800-53 R3 PE-16
PE-18

45 CFR 164.310 (d)(1) A.9.2.7 MA-1 NIST SP 800-53 R3 MA-1


A.10.1.2 MA-2 NIST SP 800-53 R3 MA-2
PE-16 NIST SP 800-53 R3 PE-16

45 CFR 164.310 (c) A.9.2.5 AC-17 NIST SP 800-53 R3 AC-17


45 CFR 164.310 (d)(1) A.9.2.6 MA-1 NIST SP 800-53 R3 MA-1
45 CFR 164.310 (d)(2)(i) PE-1 NIST SP 800-53 R3 PE-1
PE-16 NIST SP 800-53 R3 PE-16
PE-17
45 CFR 164.310 (d)(2)(iii) A.7.1.1 CM-8 NIST SP 800-53 R3 CM-8
A.7.1.2

45 CFR 164.308(a)(1)(i) Clause 4.2 PM-1


45 CFR 164.308(a)(1)(ii)(B) Clause 5 PM-2
45 CFR 164.316(b)(1)(i) A.6.1.1 PM-3
45 CFR 164.308(a)(3)(i) A.6.1.2 PM-4
(New) A.6.1.3 PM-5
45 CFR 164.306(a) (New) A.6.1.4 PM-6
A.6.1.5 PM-7
A.6.1.6 PM-8
A.6.1.7 PM-9
A.6.1.8 PM-10
PM-11
45 CFR 164.316 (b)(2)(ii) Clause 5 CM-1 NIST SP 800-53 R3 CM-1
45 CFR 164.316 (b)(2)(iii) A.6.1.1 PM-1
PM-11

45 CFR 164.316 (a) Clause 4.2.1 AC-1 NIST SP 800-53 R3 AC-1


45 CFR 164.316 (b)(1)(i) Clause 5 AT-1 NIST SP 800-53 R3 AT-1
45 CFR 164.316 (b)(2)(ii) A.5.1.1 AU-1 NIST SP 800-53 R3 AU-1
45 CFR 164.308(a)(2) A.8.2.2 CA-1 NIST SP 800-53 R3 CA-1
CM-1 NIST SP 800-53 R3 CM-1
IA-1 NIST SP 800-53 R3 IA-1
IR-1 NIST SP 800-53 R3 IR-1
MA-1 NIST SP 800-53 R3 MA-1
MP-1 NIST SP 800-53 R3 MP-1
MP-1 NIST SP 800-53 R3 PE-1
PE-1 NIST SP 800-53 R3 PL-1
PL-1 NIST SP 800-53 R3 PS-1
PS-1 NIST SP 800-53 R3 SA-1
SA-1 NIST SP 800-53 R3 SC-1
SC-1 NIST SP 800-53 R3 SI-1
SI-1

A.12.1.1 CM-2 NIST SP 800-53 R3 CM-2


A.15.2.2 SA-2 NIST SP 800-53 R3 SA-2
SA-4 NIST SP 800-53 R3 SA-4
45 CFR 164.316 (b)(2)(iii) Clause 4.2.3 f) AC-1 NIST SP 800-53 R3 AC-1
45 CFR 164.306(e) A.5.1.2 AT-1 NIST SP 800-53 R3 AT-1
AU-1 NIST SP 800-53 R3 AU-1
CA-1 NIST SP 800-53 R3 CA-1
CM-1 NIST SP 800-53 R3 CM-1
CP-1 NIST SP 800-53 R3 CP-1
IA-1 NIST SP 800-53 R3 IA-1
IA-5 NIST SP 800-53 R3 IA-5
IR-1 NIST SP 800-53 R3 IA-5 (1)
MA-1 NIST SP 800-53 R3 IR-1
MP-1 NIST SP 800-53 R3 MA-1
PE-1 NIST SP 800-53 R3 MP-1
PL-1 NIST SP 800-53 R3 PE-1
PM-1 NIST SP 800-53 R3 PL-1
PS-1 NIST SP 800-53 R3 PS-1
RA-1 NIST SP 800-53 R3 RA-1
SA-1 NIST SP 800-53 R3 SA-1
SC-1 NIST SP 800-53 R3 SC-1
SI-1 NIST SP 800-53 R3 SI-1

45 CFR 164.308 (a)(1)(ii)(C) A.8.2.3 PL-4 NIST SP 800-53 R3 PL-4


PS-1 NIST SP 800-53 R3 PS-1
PS-8 NIST SP 800-53 R3 PS-8

45 CFR 164.308 (a)(3)(i) A.11.1.1 AC-1 NIST SP 800-53 R3 AC-1


45 CFR 164.312 (a)(1) A.11.2.1 IA-1 NIST SP 800-53 R3 IA-1
45 CFR 164.312 (a)(2)(ii) A.11.2.4
45 CFR 164.308(a)(4)(ii)(B) A.11.4.1
45 CFR 164.308(a)(4)(ii)(c) A.11.5.2
A.11.6.1
45 CFR 164.308 (a)(3)(i) A.11.2.1 AC-3 NIST SP 800-53 R3 AC-3
45 CFR 164.308 (a)(3)(ii)(A) A.11.2.2 AC-5 NIST SP 800-53 R3 IA-2
45 CFR 164.308 (a)(4)(i) A.11.4.1 AC-6 NIST SP 800-53 R3 IA-2 (1)
45 CFR 164.308 (a)(4)(ii)(B) A.11.4.2 IA-2 NIST SP 800-53 R3 IA-4
45 CFR 164.308 (a)(4)(ii)(C) A.11.6.1 IA-4 NIST SP 800-53 R3 IA-5
45 CFR 164.312 (a)(1) IA-5 NIST SP 800-53 R3 IA-5 (1)
IA-8 NIST SP 800-53 R3 IA-8
MA-5 NIST SP 800-53 R3 MA-5
PS-6 NIST SP 800-53 R3 PS-6
SA-7 NIST SP 800-53 R3 SA-7
SI-9

45 CFR 164.308(a)(3)(ii)(C) ISO/IEC 27001:2005 AC-2 NIST SP 800-53 R3 AC-2


A.8.3.3 PS-4 NIST SP 800-53 R3 PS-4
A.11.1.1 PS-5 NIST SP 800-53 R3 PS-5
A.11.2.1
A.11.2.2
45 CFR 164.308 (a)(3)(ii)(B) A.11.2.4 AC-2 NIST SP 800-53 R3 AC-2
45 CFR 164.308 (a)(4)(ii)(C) AU-6 NIST SP 800-53 R3 AU-6
PM-10 NIST SP 800-53 R3 PS-6
PS-6 NIST SP 800-53 R3 PS-7
PS-7

45 CFR 164.308 (a)(5)(i) Clause 5.2.2 AT-1 NIST SP 800-53 R3 AT-1


45 CFR 164.308 (a)(5)(ii)(A) A.8.2.2 AT-2 NIST SP 800-53 R3 AT-2
AT-3 NIST SP 800-53 R3 AT-3
AT-4 NIST SP 800-53 R3 AT-4

A.6.1.7 AT-5 NIST SP 800-53 R3 SI-5


SI-5

Clause 5.1 c) AT-3 NIST SP 800-53 R3 PL-4


A.6.1.2 PL-4 NIST SP 800-53 R3 PS-1
A.6.1.3 PM-10 NIST SP 800-53 R3 PS-2
A.8.1.1 PS-1 NIST SP 800-53 R3 PS-6
PS-6 NIST SP 800-53 R3 PS-7
PS-7

Clause 5.2.2 AT-2 NIST SP 800-53 R3 AT-2


A.8.2.1 AT-3 NIST SP 800-53 R3 AT-3
A.8.2.2 CA-1 NIST SP 800-53 R3 AT-4
A.11.2.4 CA-5 NIST SP 800-53 R3 CA-1
A.15.2.1 CA-6 NIST SP 800-53 R3 CA-5
CA-7 NIST SP 800-53 R3 CA-6
PM-10 NIST SP 800-53 R3 CA-7
45 CFR 164.308 (a)(1)(ii)(D) A.10.1.3 AC-1 NIST SP 800-53 R3 AC-1
45 CFR 164.308 (a)(3)(ii)(A) AC-2 NIST SP 800-53 R3 AC-2
45 CFR 164.308(a)(4)(ii)(A) AC-5 NIST SP 800-53 R3 AU-1
45 CFR 164.308 (a)(5)(ii)(C) AC-6 NIST SP 800-53 R3 AU-2
45 CFR 164.312 (b) AU-1 NIST SP 800-53 R3 AU-6
AU-6
SI-1
SI-4

45 CFR 164.308 (a)(5)(ii)(D) Clause 5.2.2 AT-2 NIST SP 800-53 R3 AT-2


A.8.2.2 AT-3 NIST SP 800-53 R3 AT-3
A.11.3.1 AT-4 NIST SP 800-53 R3 AT-4
A.11.3.2 PL-4 NIST SP 800-53 R3 PL-4

Clause 5.2.2 AC-11 NIST SP 800-53 R3 MP-1


A.8.2.2 MP-2 NIST SP 800-53 R3 MP-2
A.9.1.5 MP-3
A.11.3.1 MP-4
A.11.3.2
A.11.3.3
45 CFR 164.312 (a)(2)(iv) A.10.6.1 AC-18 NIST SP 800-53 R3 AC-1
45 CFR 164.312 (e)(1) A.10.8.3 IA-3 NIST SP 800-53 R3 AC-18
45 CFR 164.312 (e)(2)(ii) A.10.8.4 IA-7 NIST SP 800-53 R3 IA-7
A.10.9.2 SC-7 NIST SP 800-53 R3 SC-1
A.10.9.3 SC-8 NIST SP 800-53 R3 SC-7
A.12.3.1 SC-9 NIST SP 800-53 R3 SC-13
A.15.1.3 SC-13
A.15.1.4 SC-16
SC-23
SI-8

45 CFR 164.312 (a)(2)(iv) Clause 4.3.3 SC-12 NIST SP 800-53 R3 SC-12


45 CFR 164.312(e)(1) A.10.7.3 SC-13 NIST SP 800-53 R3 SC-13
A.12.3.2 SC-17
A.15.1.6 SC-28
HIPAA / HITECH Act: 45 CFR 164.308 (a)(1)(i)(ii)(A), 45 CFR 164.308 (a)(1)(i)(ii)(B), 45 CFR 164.308 (a)(5)(i)(ii)(B)
ISO/IEC 27001-2005: A.12.5.1, A.12.5.2, A.12.6.1
NIST SP 800-53 R3: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5
FedRAMP (Low) NIST SP 800-53 R3: CM-4, RA-5, SI-1, SI-2, SI-5

45 CFR 164.308 (a)(5)(ii)(B) A.10.4.1 SA-7 NIST SP 800-53 R3 SC-5


SC-5 NIST SP 800-53 R3 SI-3
SI-3 NIST SP 800-53 R3 SI-5
SI-5
SI-7
SI-8

45 CFR 164.308 (a)(1)(i) Clause 4.3.3 IR-1 NIST SP 800-53 R3 IR-1


45 CFR 164.308 (a)(6)(i) A.13.1.1 IR-2 NIST SP 800-53 R3 IR-2
A.13.2.1 IR-3 NIST SP 800-53 R3 IR-4
IR-4 NIST SP 800-53 R3 IR-5
IR-5 NIST SP 800-53 R3 IR-6
IR-7 NIST SP 800-53 R3 IR-7
IR-8
45 CFR 164.312 (a)(6)(ii) Clause 4.3.3 IR-2 NIST SP 800-53 R3 IR-2
16 CFR 318.3 (a) Clause 5.2.2 IR-6 NIST SP 800-53 R3 IR-6
16 CFR 318.5 (a) A.6.1.3 IR-7 NIST SP 800-53 R3 IR-7
45 CFR 160.410 (a)(1) A.8.2.1 SI-4 NIST SP 800-53 R3 SI-5
A.8.2.2 SI-5
A.13.1.1
A.13.1.2
A.13.2.1

45 CFR 164.308 (a)(6)(ii) Clause 4.3.3 AU-6 NIST SP 800-53 R3 AU-6


Clause 5.2.2 AU-7 NIST SP 800-53 R3 AU-9
A.8.2.2 AU-9 NIST SP 800-53 R3 AU-11
A.8.2.3 AU-11 NIST SP 800-53 R3 IR-5
A.13.2.3 IR-5 NIST SP 800-53 R3 IR-7
A.15.1.3 IR-7 NIST SP 800-53 R3 IR-8
IR-8

45 CFR 164.308 (a)(1)(ii)(D) A.13.2.2 IR-4 NIST SP 800-53 R3 IR-4


IR-5 NIST SP 800-53 R3 IR-5
IR-8 NIST SP 800-53 R3 IR-8
45 CFR 164.310 (b) A.7.1.3 AC-8 NIST SP 800-53 R3 AC-2
AC-20 NIST SP 800-53 R3 AC-8
PL-4 NIST SP 800-53 R3 AC-20
NIST SP 800-53 R3 PL-4

45 CFR 164.308 (a)(3)(ii)(C) A.7.1.1 PS-4 NIST SP 800-53 R3 PS-4


A.7.1.2
A.8.3.2

45 CFR 164.312(e)(1) A.7.2.1 AC-14 NIST SP 800-53 R3 AC-1


45 CFR 164.312(e)(2)(i) A.10.6.1 AC-21 NIST SP 800-53 R3 AC-2
A.10.6.2 AC-22 NIST SP 800-53 R3 AC-22
A.10.9.1 IA-8 NIST SP 800-53 R3 AU-1
A.10.9.2 AU-10
A.15.1.4 SC-4
SC-8
SC-9

A.15.3.2 AU-9 NIST SP 800-53 R3 AU-9


AU-11
AU-14

A.10.6.1 CM-7 NIST SP 800-53 R3 CM-7


A.11.1.1 MA-3 NIST SP 800-53 R3 MA-4
A.11.4.4 MA-4 NIST SP 800-53 R3 MA-5
A.11.5.4 MA-5
A.6.2.3 SC-20 NIST SP 800-53 R3 CA-3
A.10.6.2 SC-21 NIST SP 800-53 R3 SA-9
SC-22
SC-23
SC-24
45 CFR 164.310 (d)(1) A.7.2.1 AC-17 NIST SP 800-53 R3 AC-17
A.10.7.1 AC-18 NIST SP 800-53 R3 AC-18
A.10.7.2 AC-19 NIST SP 800-53 R3 AC-19
A.10.8.3 MP-2 NIST SP 800-53 R3 MP-2
A.11.7.1 MP-4 NIST SP 800-53 R3 MP-6
A.11.7.2 MP-6
A.15.1.4

Clause 4.3.3 CM-5


A.12.4.3 CM-6
A.15.1.3

A.11.4.1 AC-5 NIST SP 800-53 R3 CM-7


A.11.4.4 AC-6
A.11.5.4 CM-7
SC-3
SC-19
Clause 5.1 CM-2 NIST SP 800-53 R3 CM-2
A.8.1.1 CM-3 NIST SP 800-53 R3 CM-4
A.8.2.1 CM-4 NIST SP 800-53 R3 CM-6
A.8.2.2 CM-5 NIST SP 800-53 R3 MA-4
A.10.1.1 CM-6 NIST SP 800-53 R3 SA-3
CM-9 NIST SP 800-53 R3 SA-4
MA-4 NIST SP 800-53 R3 SA-5
SA-3
SA-4
SA-5
SA-8
SA-10
SA-11
SA-12

Clause 4.3.3 CP-9 NIST SP 800-53 R3 CP-9


A.10.7.4 CP-10 NIST SP 800-53 R3 CP-10
SA-5 NIST SP 800-53 R3 SA-5
SA-10
SA-11
A.10.3.1 SA-4 NIST SP 800-53 R3 SA-4

45 CFR 164.310 (a)(2)(iv) A.9.2.4 MA-2 NIST SP 800-53 R3 MA-2


MA-3 NIST SP 800-53 R3 MA-4
MA-4 NIST SP 800-53 R3 MA-5
MA-5
MA-6

45 CFR 164.308 (a)(7)(i) Clause 4.3.2 CP-1 NIST SP 800-53 R3 CP-1


45 CFR 164.308 (a)(7)(ii)(C) A.14.1.1 CP-2 NIST SP 800-53 R3 CP-2
A.14.1.4
45 CFR 164.308 (a)(7)(ii)(E) ISO/IEC 27001:2005 RA-3 NIST SP 800-53 R3 CP-1
A.14.1.2 NIST SP 800-53 R3 CP-2
A.14.1.4 NIST SP 800-53 R3 RA-3

45 CFR 164.308 (a)(7)(i) Clause 5.1 CP-1 NIST SP 800-53 R3 CP-1


45 CFR 164.308 (a)(7)(ii)(B) A.6.1.2 CP-2 NIST SP 800-53 R3 CP-2
45 CFR 164.308 (a)(7)(ii)(C) A.14.1.3 CP-3 NIST SP 800-53 R3 CP-3
45 CFR 164.308 (a)(7)(ii)(E) A.14.1.4 CP-4 NIST SP 800-53 R3 CP-4
45 CFR 164.310 (a)(2)(i) CP-6 NIST SP 800-53 R3 CP-9
45 CFR 164.312 (a)(2)(ii) CP-7 NIST SP 800-53 R3 CP-10
CP-8
CP-9
CP-10
PE-17
45 CFR 164.308 (a)(7)(ii)(D) A.14.1.5 CP-2 NIST SP 800-53 R3 CP-2
CP-3 NIST SP 800-53 R3 CP-3
CP-4 NIST SP 800-53 R3 CP-4

45 CFR 164.308 (a)(7)(i) A.9.1.4 PE-1 NIST SP 800-53 R3 PE-1


45 CFR 164.310(a)(2)(ii) A.9.2.1 PE-13 NIST SP 800-53 R3 PE-13
PE-14 NIST SP 800-53 R3 PE-14
PE-15 NIST SP 800-53 R3 PE-15
PE-18

45 CFR 164.310 (c) A.9.2.1 PE-1 NIST SP 800-53 R3 PE-1


PE-5 NIST SP 800-53 R3 PE-14
PE-14 NIST SP 800-53 R3 PE-15
PE-15
PE-18

A.9.2.2 CP-8 NIST SP 800-53 R3 PE-1


A.9.2.3 PE-1 NIST SP 800-53 R3 PE-12
A.9.2.4 PE-9 NIST SP 800-53 R3 PE-13
PE-10 NIST SP 800-53 R3 PE-14
PE-11
PE-12
PE-13
PE-14
A.9.2.2 PE-1 NIST SP 800-53 R3 PE-1
A.9.2.3 PE-4 NIST SP 800-53 R3 PE-13
PE-13 NIST SP 800-53 R3 PE-13 (1)
NIST SP 800-53 R3 PE-13 (2)
NIST SP 800-53 R3 PE-13 (3)
Columns: FedRAMP Security Controls (Final Release, Jan 2012) --MODERATE IMPACT LEVEL-- | PCI DSS v2.0 | BITS Shared Assessments SIG v6.0 | BITS Shared Assessments AUP v5.0 | GAPP (Aug 2009) | Jericho Forum | NERC CIP | AICPA TS Map

FedRAMP (Moderate) NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CA-6, CA-7, PL-1, RA-1, RA-2, RA-3, SA-9 (1), SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6)
PCI DSS v2.0: 12.1.2
BITS SIG v6.0: A.1, L.1
BITS AUP v5.0: L.2
GAPP: 1.2.4
NERC CIP: CIP-009-3 - R4
AICPA TS Map: S3.1, x3.1.0

FedRAMP (Moderate) NIST SP 800-53 R3: CM-1, RA-1, RA-2, RA-3
PCI DSS v2.0: 12.1.2
BITS SIG v6.0: C.2.1, I.4.1, I.5, G.15.1.3, I.3
BITS AUP v5.0: I.1, I.4
GAPP: 1.2.4, 1.2.5
NERC CIP: CIP-002-3 - R1.1 - R1.2; CIP-005-3a - R1 - R1.2; CIP-009-3 - R.1.1
AICPA TS Map: S3.1, x3.1.0, S4.3.0

FedRAMP (Moderate) NIST SP 800-53 R3: CA-5, CP-1, RA-1
BITS SIG v6.0: I.3, L.9, L.10
BITS AUP v5.0: I.4, L.2
NERC CIP: CIP-009-3 - R1.2
AICPA TS Map: S3.1, x3.1.0

FedRAMP (Moderate) NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, RA-3, SC-1, SI-1
PCI DSS v2.0: 12.1.3
BITS SIG v6.0: B.1.1, B.1.2, B.1.6, B.1.7.2, G.2, L.9, L.10
BITS AUP v5.0: B.2, G.21, L.2
NERC CIP: CIP-009-3 - R2

FedRAMP (Moderate) NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-4, IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IA-8, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1
PCI DSS v2.0: 12.8.1, 12.8.2, 12.8.3, 12.8.4
BITS SIG v6.0: B.1.1, B.1.2, D.1.1, E.1, F.1.1, H.1.1, K.1.1, E.6.2, E.6.3
BITS AUP v5.0: B.1, H.2
GAPP: 7.1.1, 7.1.2, 7.2.1, 7.2.2, 7.2.3, 7.2.4
AICPA TS Map: S3.1, x3.1.0

FedRAMP (Moderate) NIST SP 800-53 R3: CA-2, CA-2 (1), PS-2, RA-2, SA-2
BITS SIG v6.0: C.2.5.1, C.2.5.2, D.1.3
BITS AUP v5.0: L.7
GAPP: 6.2.1
Jericho Forum: Commandments #6, #10
NERC CIP: CIP-007-3 - R1.1 - R1.2
AICPA TS Map: S2.2.0, S2.3.0, S3.8.0

FedRAMP (Moderate) NIST SP 800-53 R3: RA-2, AC-4
PCI DSS v2.0: 9.7.1, 9.10, 12.3
BITS SIG v6.0: D.1.3, D.2.2
GAPP: 1.2.3, 1.2.6, 4.1.2, 8.2.1, 8.2.5, 8.2.6
Jericho Forum: Commandment #9
NERC CIP: CIP-003-3 - R4 - R5
AICPA TS Map: S3.8.0, C3.14.0

FedRAMP (Moderate) NIST SP 800-53 R3: AC-1, AC-16, MP-1, MP-3, PE-16, SC-9, SC-9 (1), SI-1, SI-12
PCI DSS v2.0: 9.5, 9.6, 9.7.1, 9.7.2, 9.10
BITS SIG v6.0: D.2.2
BITS AUP v5.0: G.13
GAPP: 1.1.2, 5.1.0, 7.1.2, 8.1.0, 8.2.5, 8.2.6
Jericho Forum: Commandments #8, #9, #10
NERC CIP: CIP-003-3 - R4 - R4.1
AICPA TS Map: S3.2.a

FedRAMP (Moderate) NIST SP 800-53 R3: CP-2, CP-2 (1), CP-2 (2), CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (5), CP-8, CP-8 (1), CP-8 (2), CP-9, CP-9 (1), CP-9 (3)
PCI DSS v2.0: 3.1, 3.1.1, 3.2, 9.9.1, 9.5, 9.6, 10.7
BITS SIG v6.0: D.2.2.9
GAPP: 5.1.0, 5.1.1, 5.2.2, 8.2.6
Jericho Forum: Commandment #11
NERC CIP: CIP-003-3 - R4.1
AICPA TS Map: A3.3.0, A3.4.0, I3.20.0, I3.21.0

FedRAMP (Moderate) NIST SP 800-53 R3: MP-6, MP-6 (4), PE-1
PCI DSS v2.0: 3.1.1, 9.10, 9.10.1, 9.10.2, 3.1
BITS SIG v6.0: D.2.2.10, D.2.2.11, D.2.2.14
GAPP: 5.1.0, 5.2.3
Jericho Forum: Commandment #11
NERC CIP: CIP-007-3 - R7 - R7.1 - R7.2 - R7.3
AICPA TS Map: C3.5.0, S3.4.0

FedRAMP (Moderate) NIST SP 800-53 R3: SA-11, SA-11 (1)
PCI DSS v2.0: 6.4.3
BITS SIG v6.0: I.2.18
GAPP: 1.2.6
Jericho Forum: Commandments #9, #10, #11
NERC CIP: CIP-003-3 - R6
AICPA TS Map: C3.5.0, S3.4.0, C3.21.0

FedRAMP (Moderate) NIST SP 800-53 R3: AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AC-3, AC-3 (3), AC-4, AC-6, AC-6 (1), AC-6 (2), AC-11, AC-11 (1), SA-8, SC-28, SI-7, SI-7 (1)
PCI DSS v2.0: 1.2, 6.5.5, 11.1, 11.2, 11.3, 11.4, A.1
BITS SIG v6.0: I.2.18
GAPP: 7.2.1, 8.1.0, 8.1.1, 8.2.1, 8.2.2, 8.2.5, 8.2.6
Jericho Forum: Commandments #4, #5, #6, #7, #8, #9, #10, #11
AICPA TS Map: C3.5.0, S3.4.0

FedRAMP (Moderate) NIST SP 800-53 R3: CA-3, RA-2, RA-3, SI-12
PCI DSS v2.0: 12.1, 12.1.2
BITS SIG v6.0: L.4, L.5, L.6, L.7
GAPP: 1.2.4, 8.2.1
Jericho Forum: Commandments #1, #2, #3, #6, #7, #9, #10, #11
AICPA TS Map: S3.1.0, C3.14.0, S1.2.b-c

FedRAMP (Moderate) NIST SP 800-53 R3: PL-4, PS-6, SA-9, SA-9 (1)
PCI DSS v2.0: 12.8.2, 12.8.3, 12.8.4
BITS SIG v6.0: C.2.5
GAPP: 1.2.5
Jericho Forum: Commandments #6, #7, #8, #9
AICPA TS Map: S4.1.0

FedRAMP (Moderate) NIST SP 800-53 R3: CA-3, MP-5, MP-5 (2), MP-5 (4), PS-7, SA-6, SA-7, SA-9, SA-9 (1)
PCI DSS v2.0: 2.4, 12.8.2
BITS SIG v6.0: C.2.4, C.2.6, G.4.1, G.16.3
BITS AUP v5.0: C.2
GAPP: 1.2.5
Jericho Forum: Commandments #1, #4, #5, #6, #7, #8
AICPA TS Map: S2.2.0, A3.6.0, C3.6.0

FedRAMP (Moderate) NIST SP 800-53 R3: PS-2, PS-3
PCI DSS v2.0: 12.7, 12.8.3
BITS SIG v6.0: E.2
BITS AUP v5.0: E.2
GAPP: 1.2.9
Jericho Forum: Commandments #2, #3, #6, #9
NERC CIP: CIP-004-3 - R2.2
AICPA TS Map: S3.11.0

FedRAMP (Moderate) NIST SP 800-53 R3: PS-1, PS-2, PS-6, PS-7
PCI DSS v2.0: 12.4, 12.8.2
BITS SIG v6.0: E.3.5
BITS AUP v5.0: C.1
GAPP: 1.2.9, 8.2.6
Jericho Forum: Commandments #6, #7
AICPA TS Map: S2.2.0

FedRAMP (Moderate) NIST SP 800-53 R3: PS-2, PS-4, PS-5, PS-6, PS-8
BITS SIG v6.0: E.6
GAPP: 8.2.2, 10.2.5
Jericho Forum: Commandments #6, #7
AICPA TS Map: S3.2.d, S3.8.e

FedRAMP (Moderate) NIST SP 800-53 R3: CA-2, CA-2 (1), CA-7, CA-7 (2), PL-6
PCI DSS v2.0: 2.1.2.b
BITS SIG v6.0: L.1, L.2, L.7, L.9, L.11
GAPP: 10.2.5
Jericho Forum: Commandments #1, #2, #3
AICPA TS Map: S4.1.0, S4.2.0

FedRAMP (Moderate) NIST SP 800-53 R3: CA-1, CA-2, CA-2 (1), CA-6, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (6), RA-5 (9)
PCI DSS v2.0: 11.2, 11.3, 6.6, 12.1.2.b
BITS SIG v6.0: L.2, L.4, L.7, L.9, L.11
GAPP: 1.2.5, 1.2.7, 4.2.1, 8.2.7, 10.2.3, 10.2.5
Jericho Forum: Commandments #1, #2, #3
NERC CIP: CIP-003-3 - R1.3 - R4.3; CIP-004-3 R4 - R4.2; CIP-005-3a - R1 - R1.1 - R1.2
AICPA TS Map: S4.1.0, S4.2.0

FedRAMP (Moderate) NIST SP 800-53 R3: CA-3, SA-9, SA-9 (1), SA-12, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
PCI DSS v2.0: 2.4, 12.8.2, 12.8.3, 12.8.4, Appendix A
BITS SIG v6.0: C.2.4, C.2.6, G.4.1, G.4.2, L.2, L.4, L.7, L.11
BITS AUP v5.0: C.2
GAPP: 1.2.11, 4.2.3, 7.2.4, 10.2.3, 10.2.4
Jericho Forum: Commandments #1, #2, #3
AICPA TS Map: S2.2.0, C2.2.0, C3.6

FedRAMP (Moderate) NIST SP 800-53 R3: IR-6, IR-6 (1), SI-5
PCI DSS v2.0: 11.1.e, 12.5.3, 12.9
BITS SIG v6.0: L1
GAPP: 1.2.7, 10.1.1, 10.2.4
Jericho Forum: Commandments #1, #2, #3
NERC CIP: CIP-001-1a R3 - R4
AICPA TS Map: S4.3.0, x4.4.0

FedRAMP (Moderate) NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-7, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, RA-2, SA-1, SA-6, SC-1, SC-13, SC-13 (1), SI-1
PCI DSS v2.0: 3.1.1, 3.1
BITS SIG v6.0: L.1, L.2, L.4, L.7, L.9
GAPP: 1.2.2, 1.2.4, 1.2.6, 1.2.11, 3.2.4, 5.2.1
Jericho Forum: Commandments #1, #2, #3
AICPA TS Map: S3.1.0, x3.1.0

FedRAMP (Moderate) NIST SP 800-53 R3: SA-6, SA-7
BITS SIG v6.0: L.4
Jericho Forum: Commandments #1, #2, #3
AICPA TS Map: S3.10.0, S3.13.0

FedRAMP (Moderate) NIST SP 800-53 R3: CA-1, CA-2, CA-2 (1), CA-5, CA-6
BITS SIG v6.0: C.2.1, C.2.3, C.2.4, C.2.6.1, H.1
GAPP: 1.2.2, 1.2.6, 6.2.1, 6.2.2
Jericho Forum: Commandments #6, #7, #8
AICPA TS Map: S3.2.a

FedRAMP (Moderate) NIST SP 800-53 R3: AC-1, AC-2, AC-3, AC-11, AC-11 (1), AU-2, AU-2 (3), AU-2 (4), AU-11, IA-1, IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (8), IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IA-6, IA-8, SC-10
PCI DSS v2.0: 8.1, 8.2, 8.3, 8.4, 8.5, 10.1, 12.2, 12.3.8
BITS SIG v6.0: E.6.2, E.6.3, H.1.1, H.1.2, H.2, H.3.2, H.4, H.4.1, H.4.5, H.4.8
BITS AUP v5.0: B.1, H.5
Jericho Forum: Commandments #6, #7, #8, #9
NERC CIP: CIP-004-3 R2.2.3; CIP-007-3 - R5.2 - R5.3.1 - R5.3.2 - R5.3.3
AICPA TS Map: S3.2.b

FedRAMP (Moderate) NIST SP 800-53 R3: AC-1, AC-4, SC-1, SC-8
PCI DSS v2.0: 2.3, 3.4.1, 4.1, 4.1.1, 6.1, 6.3.2a, 6.5c, 8.3, 10.5.5, 11.5
BITS SIG v6.0: G.8.2.0.2, G.8.2.0.3, G.12.1, G.12.4, G.12.9, G.12.10, G.16.2, G.19.2.1, G.19.3.2, G.9.4, G.17.2, G.17.3, G.17.4, G.20.1
BITS AUP v5.0: B.1
GAPP: 1.1.0, 1.2.2, 1.2.6, 4.2.3, 5.2.1, 7.1.2, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 8.2.1, 8.2.2, 8.2.3, 8.2.5, 9.2.1
Jericho Forum: All
AICPA TS Map: S3.4

FedRAMP (Moderate) NIST SP 800-53 R3: SA-8, SC-2, SC-4, SC-5, SC-6, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18), SC-8, SC-8 (1), SC-9, SC-9 (1), SC-10, SC-11, SC-12, SC-12 (2), SC-12 (5), SC-13, SC-13 (1), SC-14, SC-17, SC-18
PCI DSS v2.0: 6.5
BITS SIG v6.0: G.16.3, I.3
BITS AUP v5.0: I.4
GAPP: 1.2.6
Jericho Forum: Commandments #1, #2, #4, #5, #11
NERC CIP: CIP-007-3 - R5.1
AICPA TS Map: S3.10.0
NIST SP 800-53 R3: SI-2, SI-2 (2), SI-3, SI-3 (1), SI-3 (2), SI-3 (3), SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6), SI-6, SI-7, SI-7 (1), SI-9, SI-10, SI-11
PCI DSS: 6.3.1, 6.3.2
BITS Shared Assessments SIG/AUP: G.16.3, I.3; I.4
GAPP: 1.2.6
Jericho Forum: Commandment #1, #9, #11
NERC CIP: CIP-003-3 R4.2
AICPA TSC: I3.2.0, I3.3.0, I3.4.0, I3.5.0

NIST SP 800-53 R3: SC-2
PCI DSS: 6.4.1, 6.4.2
BITS Shared Assessments SIG/AUP: I.2.7.1, I.2.20, I.2.17, I.2.22.2, I.2.22.4, I.2.22.10-14, H.1.1; B.1
GAPP: 1.2.6
Jericho Forum: Commandment #1, #10, #11
AICPA TSC: S3.4

NIST SP 800-53 R3: AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), AC-20, AC-20 (1), AC-20 (2), IA-1, IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (8), MA-4, MA-4 (1), MA-4 (2)
PCI DSS: 8.3
BITS Shared Assessments SIG/AUP: H.1.1, G.9.13, G.9.20, G.9.21; B.1
GAPP: 8.2.2
Jericho Forum: Commandment #6, #7, #8
NERC CIP: CIP-004-3 R3.1
AICPA TSC: S3.2.b

NIST SP 800-53 R3: CM-7, CM-7 (1), SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
PCI DSS: 1.1, 1.1.2, 1.1.3, 1.1.5, 1.1.6, 1.2, 1.2.1, 2.2.2, 2.2.3
BITS Shared Assessments SIG/AUP: G.9.17, G.9.7, G.10, G.9.11, G.14.1, G.15.1, G.9.2, G.9.3, G.9.13; G.2, G.4, G.15, G.16, G.17, G.18, I.3
GAPP: 8.2.5
Jericho Forum: Commandment #1, #2, #3, #9, #10, #11
NERC CIP: CIP-004-3 R2.2.4
AICPA TSC: S3.4

NIST SP 800-53 R3: AC-4, SC-2, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
PCI DSS: 1.1, 1.2, 1.2.1, 1.3, 1.4
BITS Shared Assessments SIG/AUP: G.9.2, G.9.3, G.9.13; G.17
Jericho Forum: Commandment #1, #2, #3, #9, #10, #11
NERC CIP: CIP-004-3 R3
AICPA TSC: S3.4

NIST SP 800-53 R3: AC-1, AC-18, AC-18 (1), AC-18 (2), CM-6, CM-6 (1), CM-6 (3), PE-4, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
PCI DSS: 1.2.3, 2.1.1, 4.1, 4.1.1, 11.1, 9.1.3
BITS Shared Assessments SIG/AUP: E.3.1, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.3, F.1.4.2, F.1.4.6, F.1.4.7, F.1.6, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18, G.9.17, G.9.7, G.10, G.9.11, G.14.1, G.15.1, G.9.2, G.9.3, G.9.13; D.1, B.3, F.1, G.4, G.15, G.17, G.18
GAPP: 8.2.5
Jericho Forum: Commandment #1, #2, #3, #4, #5, #9, #10, #11
NERC CIP: CIP-004-3 R3; CIP-007-3 R6.1
AICPA TSC: S3.4

NIST SP 800-53 R3: PE-4, PL-2, SC-1, SC-4, SC-7, SC-7 (1), SC-7 (2), SC-7 (3), SC-7 (4), SC-7 (5), SC-7 (7), SC-7 (8), SC-7 (12), SC-7 (13), SC-7 (18)
PCI DSS: 1.3.5, 2.4
BITS Shared Assessments SIG/AUP: D.1.1, E.1, F.1.1, H.1.1; B.1
GAPP: 8.2.5
Jericho Forum: Commandment #5, #6, #7, #9, #10, #11
NERC CIP: CIP-004-3 R3, R3.2
AICPA TSC: S3.4

NIST SP 800-53 R3: AU-1, AU-8, AU-8 (1)
PCI DSS: 10.4
BITS Shared Assessments SIG/AUP: G.13, G.14.8, G.15.5, G.16.8, G.17.6, G.18.3, G.19.2.6, G.19.3.1; G.7, G.8
AICPA TSC: S3.7

NIST SP 800-53 R3: IA-3, IA-4, IA-4 (4)
BITS Shared Assessments SIG/AUP: D.1.1, D.1.3; D.1
Jericho Forum: Commandment #1, #2, #3, #5, #8
AICPA TSC: S3.2.a

NIST SP 800-53 R3: AU-1, AU-2, AU-2 (3), AU-2 (4), AU-3, AU-3 (1), AU-4, AU-5, AU-6, AU-6 (1), AU-6 (3), AU-7, AU-7 (1), AU-9, AU-11, AU-12, PE-2, PE-3, SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6), SC-18
PCI DSS: 10.1, 10.2, 10.3, 10.5, 10.6, 10.7, 11.4, 12.5.2, 12.9.5
BITS Shared Assessments SIG/AUP: G.14.7, G.14.8, G.14.9, G.14.10, G.14.11, G.14.12, G.15.5, G.15.7, G.15.8, G.16.8, G.16.9, G.16.10, G.15.9, G.17.5, G.17.7, G.17.8, G.17.6, G.17.9, G.18.2, G.18.3, G.18.5, G.18.6, G.19.2.6, G.19.3.1, G.9.6.2, G.9.6.3, G.9.6.4, G.9.19, H.2.16, H.3.3, J.1, J.2, L.5, L.9, L.10; G.7, G.8, G.9, J.1, L.2
GAPP: 8.2.1, 8.2.2
Jericho Forum: Commandment #6, #7, #11
NERC CIP: CIP-007-3 R6.5
AICPA TSC: S3.7

BITS Shared Assessments SIG/AUP: G.20.12, I.2.5
Jericho Forum: Commandment #1, #2, #3, #5, #11
AICPA TSC: S3.4.0, S3.10.0

NIST SP 800-53 R3: CA-1, CM-1, CM-9, PL-1, PL-2, SA-1, SA-3, SA-4, SA-4 (1), SA-4 (4), SA-4 (7)
PCI DSS: 6.3.2
BITS Shared Assessments SIG/AUP: I.1.1, I.1.2, I.2.7.2, I.2.8, I.2.9, I.2.10, I.2.13, I.2.14, I.2.15, I.2.18, I.2.22.6, L.5; I.2
GAPP: 1.2.6
Jericho Forum: Commandment #1, #2, #3
AICPA TSC: S3.12.0, S3.10.0, S3.13.0

NIST SP 800-53 R3: CA-1, CA-6, CA-7, CA-7 (2), CM-2, CM-2 (1), CM-2 (3), CM-2 (5), CM-3, CM-3 (2), CM-5, CM-5 (1), CM-5 (5), CM-6, CM-6 (1), CM-6 (3), CM-9, PL-2, PL-5, SI-2, SI-2 (2), SI-6, SI-7, SI-7 (1)
PCI DSS: 1.1.1, 6.3.2, 6.4, 6.1
BITS Shared Assessments SIG/AUP: I.2.17, I.2.20, I.2.22
GAPP: 1.2.6
Jericho Forum: Commandment #1, #2, #3, #11
NERC CIP: CIP-003-3 R6
AICPA TSC: A3.16.0, S3.13.0

NIST SP 800-53 R3: CM-1, CM-2, CM-2 (1), CM-2 (3), CM-2 (5), SA-3, SA-4, SA-4 (1), SA-4 (4), SA-4 (7), SA-5, SA-5 (1), SA-5 (3), SA-8, SA-10, SA-11, SA-11 (1)
PCI DSS: 1.1.1, 6.1, 6.4
BITS Shared Assessments SIG/AUP: C.1.7, G.1, G.6, I.1, I.4.5, I.2.18, I.22.1, I.22.3, I.22.6, I.2.23, I.2.22.2, I.2.22.4, I.2.22.7, I.2.22.8, I.2.22.9, I.2.22.10, I.2.22.11, I.2.22.12, I.2.22.13, I.2.22.14, I.2.20, I.2.17, I.2.7.1, I.3, J.2.10, L.9
GAPP: 9.1.0, 9.1.1, 9.2.1, 9.2.2
Jericho Forum: Commandment #1, #2, #3
AICPA TSC: A3.13.0, C3.16.0, I3.14.0, S3.10.0, S3.13

NIST SP 800-53 R3: SA-4, SA-4 (1), SA-4 (4), SA-4 (7), SA-5, SA-5 (1), SA-5 (3), SA-8, SA-9, SA-9 (1), SA-10, SA-11, SA-11 (1), SA-12
PCI DSS: 3.6.7, 6.4.5.2, 7.1.3, 8.5.1, 9.1, 9.1.2, 9.2b, 9.3.1, 10.5.2, 11.5, 12.3.1, 12.3.3
BITS Shared Assessments SIG/AUP: C.2.4, G.4, G.6, I.1, I.4.4, I.4.5, I.2.7.2, I.2.8, I.2.9, I.2.15, I.2.18, I.2.22.6, I.2.7.1, I.2.13, I.2.14, I.2.17, I.2.20, I.2.22.2, I.2.22.4, I.2.22.7, I.2.22.8, I.2.22.9, I.2.22.10, I.2.22.11, I.2.22.12, I.2.22.13, I.2.22.14, I.3, J.1.2.10, L.7, L.9, L.10; C.2, I.1, I.2, I.4
Jericho Forum: Commandment #1, #2, #3
AICPA TSC: S3.10.0, S3.13

NIST SP 800-53 R3: CM-1, CM-2, CM-2 (1), CM-2 (3), CM-2 (5), CM-3, CM-3 (2), CM-5, CM-5 (1), CM-5 (5), CM-7, CM-7 (1), CM-8, CM-8 (1), CM-8 (3), CM-8 (5), CM-9, SA-6, SA-7, SI-1, SI-3, SI-3 (1), SI-3 (2), SI-3 (3), SI-4, SI-4 (2), SI-4 (4)
BITS Shared Assessments SIG/AUP: G.2.13, G.20.2, G.20.4, G.20.5, G.7, G.7.1, G.12.11, H.2.16, I.2.22.1, I.2.22.3, I.2.22.6, I.2.23; G.1, I.2
GAPP: 3.2.4, 8.2.2
Jericho Forum: Commandment #1, #2, #3, #5, #11
AICPA TSC: A3.6.0, S3.5.0, S3.13.0

NIST SP 800-53 R3: CA-2, CA-2 (1), PE-1, PE-6, PE-6 (1), PE-7, PE-7 (1), PE-8
PCI DSS: 9.1, 9.2, 9.3, 9.4
BITS Shared Assessments SIG/AUP: F.1.1, F.1.2, F.1.3, F.1.4, F.1.5, F.1.6, F.1.7, F.1.8, F.1.9, F.2.1, F.2.2, F.2.3, F.2.4, F.2.5, F.2.6, F.2.7, F.2.8, F.2.9, F.2.10, F.2.11, F.2.12, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18, F.2.19, F.2.20; F.2
GAPP: 8.1.0, 8.1.1, 8.2.1
Jericho Forum: Commandment #1, #2, #3, #5
AICPA TSC: A3.6.0

NIST SP 800-53 R3: PE-2, PE-3, PE-4, PE-5, PE-6, PE-6 (1)
PCI DSS: 9.1
BITS Shared Assessments SIG/AUP: F.1.2.3, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.4.2, F.1.4.6, F.1.4.7, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18; H.6
GAPP: 8.2.1, 8.2.2, 8.2.3
Jericho Forum: Commandment #1, #2, #3, #5
NERC CIP: CIP-006-3c R1.2, R1.3, R1.4, R2, R2.2
AICPA TSC: A3.6.0

NIST SP 800-53 R3: PE-2, PE-3, PE-6, PE-6 (1), PE-18
PCI DSS: 9.1
BITS Shared Assessments SIG/AUP: F.1.2.3, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.3, F.1.4.2, F.1.4.6, F.1.4.7, F.1.6, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18; F.2
GAPP: 8.2.3
Jericho Forum: Commandment #1, #2, #3, #5
NERC CIP: CIP-006-3c R1.2, R1.3, R1.4, R1.6, R1.6.1, R2, R2.2
AICPA TSC: A3.6.0

NIST SP 800-53 R3: PE-2, PE-3, PE-6, PE-6 (1), PE-7, PE-7 (1), PE-8, PE-18
PCI DSS: 9.1, 9.1.1, 9.1.2, 9.1.3, 9.2
BITS Shared Assessments SIG/AUP: F.1.2.3, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.3, F.1.4.2, F.1.4.6, F.1.4.7, F.1.6, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18; F.2
GAPP: 8.2.3
Jericho Forum: Commandment #1, #2, #3, #5
NERC CIP: CIP-006-3c R1.2, R1.3, R1.4, R1.6, R1.6.1, R2, R2.2
AICPA TSC: A3.6.0

NIST SP 800-53 R3: PE-7, PE-7 (1), PE-16, PE-18
BITS Shared Assessments SIG/AUP: F.1.2.3, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.3, F.1.4.2, F.1.4.6, F.1.4.7, F.1.6, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18; F.2
GAPP: 8.2.3
Jericho Forum: Commandment #1, #2, #3, #5
NERC CIP: CIP-006-3c R1.2, R1.3, R1.4
AICPA TSC: A3.6.0

NIST SP 800-53 R3: MA-1, MA-2, MA-2 (1), PE-16
PCI DSS: 9.8, 9.9
BITS Shared Assessments SIG/AUP: F.2.18; G.21
GAPP: 8.2.5, 8.2.6
Jericho Forum: Commandment #6, #7
AICPA TSC: S3.2.f, C3.9.0

NIST SP 800-53 R3: AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), MA-1, PE-1, PE-16, PE-17
PCI DSS: 9.8, 9.9, 9.10
BITS Shared Assessments SIG/AUP: F.2.18, F.2.19
Jericho Forum: Commandment #4, #5, #11
AICPA TSC: S3.4

NIST SP 800-53 R3: CM-8, CM-8 (1), CM-8 (3), CM-8 (5)
PCI DSS: 9.9.1, 12.3.3, 12.3.4
BITS Shared Assessments SIG/AUP: D.1.1, D.2.1, D.2.2; D.1
Jericho Forum: Commandment #6, #7, #8
AICPA TSC: S3.1.0, C3.14.0, S1.2.b-c

PCI DSS: 12.1, 12.2
BITS Shared Assessments SIG/AUP: A.1; B.1
GAPP: 8.2.1
Jericho Forum: Commandment #1, #2
NERC CIP: CIP-001-1a R1, R2; CIP-003-3 R1, R1.1, R4; CIP-006-3c R1
AICPA TSC: x1.2

NIST SP 800-53 R3: CM-1
PCI DSS: 12.5
BITS Shared Assessments SIG/AUP: C.1
GAPP: 8.2.1
Jericho Forum: Commandment #3, #6
NERC CIP: CIP-003-3 R1, R1.1
AICPA TSC: S1.3.0

NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, SA-1, SC-1, SI-1
PCI DSS: 12.1, 12.2
BITS Shared Assessments SIG/AUP: B.1
GAPP: 8.1.0, 8.1.1
Jericho Forum: Commandment #1, #2, #3
NERC CIP: CIP-003-3 R1, R1.1, R1.2, R2, R2.1, R2.2, R2.3
AICPA TSC: S1.1.0, S1.3.0, S2.3.0

NIST SP 800-53 R3: CM-2, CM-2 (1), CM-2 (3), CM-2 (5), SA-2, SA-4, SA-4 (1), SA-4 (4), SA-4 (7)
PCI DSS: 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4
BITS Shared Assessments SIG/AUP: L.2, L.5, L.7, L.8, L.9, L.10; L.2
GAPP: 1.2.6, 8.2.1, 8.2.7
Jericho Forum: Commandment #2, #4, #5, #11
AICPA TSC: S1.1.0, S1.2.0(a-i)

NIST SP 800-53 R3: AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1
PCI DSS: 12.1.3, 10.2.3
BITS Shared Assessments SIG/AUP: B.1.33, B.1.34; B.2
GAPP: 1.2.1, 8.2.7
Jericho Forum: Commandment #1, #2, #3
NERC CIP: CIP-003-3 R3.2, R3.3, R1.3, R3, R3.1, R3.2, R3.3
AICPA TSC: S1.1.0

NIST SP 800-53 R3: PL-4, PS-1, PS-8
BITS Shared Assessments SIG/AUP: B.1.5
GAPP: 10.2.4
Jericho Forum: Commandment #6, #7
AICPA TSC: S3.9, S2.4.0

NIST SP 800-53 R3: AC-1, IA-1
PCI DSS: 3.5.1, 8.5.1, 12.5.4
BITS Shared Assessments SIG/AUP: B.1.8, B.1.21, B.1.28, E.6.2, H.1.1, K.1.4.5; B.1
GAPP: 8.1.0
Jericho Forum: Commandment #6, #7, #8
NERC CIP: CIP-007-3 R5.1, R5.1.2
AICPA TSC: S3.2.0

NIST SP 800-53 R3: AC-3, AC-3 (3), AC-5, AC-6, AC-6 (1), AC-6 (2), IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (8), IA-4, IA-4 (4), IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IA-8, MA-5, PS-6, SA-7, SI-9
PCI DSS: 7.1, 7.1.1, 7.1.2, 7.1.3, 7.2.1, 7.2.2, 8.5.1, 12.5.4
BITS Shared Assessments SIG/AUP: H.2.4, H.2.5
GAPP: 8.2.2
Jericho Forum: Commandment #6, #7, #8, #9, #10
NERC CIP: CIP-003-3 R5.1.1, R5.3; CIP-004-3 R2.3; CIP-007-3 R5.1, R5.1.2
AICPA TSC: S3.2.0

NIST SP 800-53 R3: AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), PS-4, PS-5
PCI DSS: 8.5.4, 8.5.5
BITS Shared Assessments SIG/AUP: E.6.2, E.6.3; H.2
GAPP: 8.2.1
Jericho Forum: Commandment #6, #7, #8
NERC CIP: CIP-004-3 R2.2.3; CIP-007-3 R5.1.3, R5.2.1, R5.2.3
AICPA TSC: S3.2.0

NIST SP 800-53 R3: AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AU-6, AU-6 (1), AU-6 (3), PS-6, PS-7
BITS Shared Assessments SIG/AUP: H.2.6, H.2.7, H.2.9
GAPP: 8.2.1, 8.2.7
Jericho Forum: Commandment #6, #7, #8, #10
NERC CIP: CIP-004-3 R2.2.2; CIP-007-3 R5, R.1.3
AICPA TSC: S3.2.0

NIST SP 800-53 R3: AT-1, AT-2, AT-3, AT-4
PCI DSS: 12.6, 12.6.1, 12.6.2
BITS Shared Assessments SIG/AUP: E.4; E.1
GAPP: 1.2.10, 8.2.1
Jericho Forum: Commandment #3, #6
NERC CIP: CIP-004-3 R1, R2, R2.1
AICPA TSC: S1.2.k, S2.2.0

NIST SP 800-53 R3: SI-5
BITS Shared Assessments SIG/AUP: C.1.8
Jericho Forum: Commandment #1, #2, #3
AICPA TSC: S4.3.0

NIST SP 800-53 R3: PL-4, PS-1, PS-2, PS-6, PS-7
BITS Shared Assessments SIG/AUP: B.1.5, D.1.1, D.1.3.3, E.1, F.1.1, H.1.1, K.1.2; B.1
GAPP: 1.2.9, 8.2.1
Jericho Forum: Commandment #6, #7, #8
AICPA TSC: S1.2.f

NIST SP 800-53 R3: AT-2, AT-3, AT-4, CA-1, CA-5, CA-6, CA-7, CA-7 (2)
PCI DSS: 12.6.1, 12.6.2
BITS Shared Assessments SIG/AUP: E.4; E.1
GAPP: 1.1.2, 8.2.1
Jericho Forum: Commandment #6, #7, #8
AICPA TSC: S1.2.f, S2.3.0

NIST SP 800-53 R3: AC-1, AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AC-5, AC-6, AC-6 (1), AC-6 (2), AU-1, AU-2, AU-6, AU-6 (1), AU-6 (3), SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6)
PCI DSS: 6.4.2
BITS Shared Assessments SIG/AUP: G.2.13, G.3, G.20.1, G.20.2, G.20.5
GAPP: 8.2.2
Jericho Forum: Commandment #6, #7, #8, #10
NERC CIP: CIP-007-3 R5.1.1
AICPA TSC: S3.2.a

NIST SP 800-53 R3: AT-2, AT-3, AT-4, PL-4
PCI DSS: 8.5.7, 12.6.1
BITS Shared Assessments SIG/AUP: E.4; E.1
GAPP: 1.2.10, 8.2.1
Jericho Forum: Commandment #5, #6, #7
AICPA TSC: S2.3.0

NIST SP 800-53 R3: AC-11, MP-1, MP-2, MP-2 (1), MP-3, MP-4, MP-4 (1)
BITS Shared Assessments SIG/AUP: E.4; E.1
GAPP: 8.2.3
Jericho Forum: Commandment #5, #6, #7, #11
AICPA TSC: S3.3.0, S3.4.0

NIST SP 800-53 R3: AC-18, AC-18 (1), AC-18 (2), IA-7, SC-7, SC-7 (4), SC-8, SC-8 (1), SC-9, SC-9 (1), SC-13, SC-13 (1), SC-23, SC-28, SI-8
PCI DSS: 2.1.1, 3.4, 3.4.1, 4.1, 4.1.1, 4.2
BITS Shared Assessments SIG/AUP: G.10.4, G.11.1, G.11.2, G.12.1, G.12.2, G.12.4, G.12.10, G.14.18, G.14.19, G.16.2, G.16.18, G.16.19, G.17.16, G.17.17, G.18.13, G.18.14, G.19.1.1, G.20.14; G.4, G.15, I.3
GAPP: 8.1.1, 8.2.1, 8.2.5
Jericho Forum: Commandment #4, #5, #9, #10, #11
NERC CIP: CIP-003-3 R4.2
AICPA TSC: C3.12.0, S3.6.0, S3.4

NIST SP 800-53 R3: SC-12, SC-12 (2), SC-12 (5), SC-13, SC-13 (1), SC-17
PCI DSS: 3.4.1, 3.5, 3.5.1, 3.5.2, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8
BITS Shared Assessments SIG/AUP: L.6
GAPP: 8.1.1, 8.2.1, 8.2.5
Jericho Forum: Commandment #9, #10, #11
AICPA TSC: S3.6.0, S3.4

NIST SP 800-53 R3: CM-3, CM-3 (2), CM-4, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (6), RA-5 (9), SI-1, SI-2, SI-2 (2), SI-4, SI-5
PCI DSS: 2.2, 6.1, 6.2, 6.3.2, 6.4.5, 6.5, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3
BITS Shared Assessments SIG/AUP: G.15.2, I.3; I.4
GAPP: 1.2.6, 8.2.7
Jericho Forum: Commandment #4, #5
NERC CIP: CIP-004-3 R4, 4.1, 4.2; CIP-005-3a R1, R1.1; CIP-007-3 R3, R3.1, R8.4
AICPA TSC: S3.10.0

NIST SP 800-53 R3: SC-5, SI-3, SI-3 (1), SI-3 (2), SI-3 (3), SI-5, SI-7, SI-7 (1), SI-8
PCI DSS: 5.1, 5.1.1, 5.2
BITS Shared Assessments SIG/AUP: G.7
GAPP: 8.2.2
Jericho Forum: Commandment #4, #5
NERC CIP: CIP-007-3 R4, R4.1, R4.2
AICPA TSC: S3.5.0

NIST SP 800-53 R3: IR-1, IR-2, IR-3, IR-4, IR-4 (1), IR-5, IR-7, IR-7 (1), IR-7 (2), IR-8
PCI DSS: 12.9, 12.9.1, 12.9.2, 12.9.3, 12.9.4, 12.9.5, 12.9.6
BITS Shared Assessments SIG/AUP: J.1.1, J.1.2; J.1
GAPP: 1.2.4, 1.2.7, 7.1.2, 7.2.2, 7.2.4, 10.2.1, 10.2.4
Jericho Forum: Commandment #2, #6, #8
NERC CIP: CIP-007-3 R6.1; CIP-008-3 R1
AICPA TSC: IS3.7.0, S3.9.0

NIST SP 800-53 R3: IR-2, IR-6, IR-6 (1), IR-7, IR-7 (1), IR-7 (2), SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6), SI-5
PCI DSS: 12.5.2, 12.5.3
BITS Shared Assessments SIG/AUP: J.1.1, E.4; J.1, E.1
GAPP: 1.2.7, 1.2.10, 7.1.2, 7.2.2, 7.2.4, 10.2.4
Jericho Forum: Commandment #2, #6, #8
NERC CIP: CIP-003-3 R4.1; CIP-004-3 R3.3
AICPA TSC: A2.3.0, C2.3.0, I2.3.0, S2.3.0, S2.4, C3.6.0

NIST SP 800-53 R3: AU-6, AU-6 (1), AU-6 (3), AU-7, AU-7 (1), AU-9, AU-9 (2), AU-10, AU-10 (5), AU-11, IR-5, IR-7, IR-7 (1), IR-7 (2), IR-8, MP-5, MP-5 (2), MP-5 (4)
BITS Shared Assessments SIG/AUP: J.1.1, J.1.2, E.4; J.1, E.1
GAPP: 1.2.7
NERC CIP: CIP-004-3 R3.3
AICPA TSC: S2.4.0, C3.15.0

NIST SP 800-53 R3: IR-4, IR-4 (1), IR-5, IR-8
PCI DSS: 12.9.6
BITS Shared Assessments SIG/AUP: J.1.2
GAPP: 1.2.7, 1.2.10
NERC CIP: CIP-008-3 R1.1
AICPA TSC: S3.9.0, C4.1.0

NIST SP 800-53 R3: AC-8, AC-20, AC-20 (1), AC-20 (2), PL-4
PCI DSS: 12.3.5
BITS Shared Assessments SIG/AUP: B.1.7, D.1.3.3, E.3.2, E.3.5.1, E.3.5.2; B.3
GAPP: 8.1.0
Jericho Forum: Commandment #1, #2, #3
AICPA TSC: S1.2, S3.9

NIST SP 800-53 R3: PS-4
BITS Shared Assessments SIG/AUP: E.6.4; D.1
GAPP: 5.2.3, 7.2.2, 8.2.1, 8.2.6
AICPA TSC: S3.4

NIST SP 800-53 R3: AC-22, AU-10, AU-10 (5), SC-8, SC-8 (1), SC-9, SC-9 (1)
PCI DSS: 2.1.1, 4.1, 4.1.1, 4.2
BITS Shared Assessments SIG/AUP: G.19.1.1, G.19.1.2, G.19.1.3, G.10.8, G.9.11, G.14, G.15.1; G.4, G.11, G.16, G.18, I.3, I.4
GAPP: 3.2.4, 4.2.3, 7.1.2, 7.2.1, 7.2.2, 8.2.1, 8.2.5
Jericho Forum: Commandment #4, #5, #9, #10, #11
AICPA TSC: S3.6, I13.3.a-e, I3.4.0

NIST SP 800-53 R3: AU-9, AU-9 (2)
PCI DSS: 10.5.5
GAPP: 8.2.1
Jericho Forum: Commandment #2, #5, #11
NERC CIP: CIP-003-3 R5.2
AICPA TSC: S3.2.g

NIST SP 800-53 R3: CM-7, CM-7 (1), MA-3, MA-3 (1), MA-3 (2), MA-3 (3), MA-4, MA-4 (1), MA-4 (2), MA-5
PCI DSS: 9.1.2
BITS Shared Assessments SIG/AUP: H.1.1, H.1.2, G.9.15
Jericho Forum: Commandment #3, #4, #5, #6, #7, #8
NERC CIP: CIP-007-3 R2
AICPA TSC: S3.2.g

NIST SP 800-53 R3: CA-3, CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (5), CP-8, CP-8 (1), CP-8 (2), SA-9, SA-9 (1)
BITS Shared Assessments SIG/AUP: C.2.6, G.9.9; C.2
GAPP: 8.2.2, 8.2.5
Jericho Forum: Commandment #6, #7, #8
AICPA TSC: C2.2.0

NIST SP 800-53 R3: AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), AC-18, AC-18 (1), AC-18 (2), AC-19, AC-19 (1), AC-19 (2), AC-19 (3), MP-2, MP-2 (1), MP-4, MP-4 (1), MP-6, MP-6 (4)
PCI DSS: 9.7, 9.7.2, 9.8, 9.9, 11.1, 12.3
BITS Shared Assessments SIG/AUP: G.11, G.12, G.20.13, G.20.14
GAPP: 1.2.6, 3.2.4, 8.2.6
Jericho Forum: All
NERC CIP: CIP-007-3 R7.1
AICPA TSC: S3.4

NIST SP 800-53 R3: CM-5, CM-5 (1), CM-5 (5)
PCI DSS: 6.4.1, 6.4.2
BITS Shared Assessments SIG/AUP: I.2.7.2, I.2.9, I.2.10, I.2.15
GAPP: 1.2.6, 6.2.1
Jericho Forum: Commandment #6, #7, #9, #10
AICPA TSC: S3.13.0

NIST SP 800-53 R3: AC-6, AC-6 (1), AC-6 (2), CM-7, CM-7 (1)
PCI DSS: 7.1.2
BITS Shared Assessments SIG/AUP: H.2.16
Jericho Forum: Commandment #1, #5, #6, #7
NERC CIP: CIP-007-3 R2.1, R2.2, R2.3
AICPA TSC: S3.2.g

NIST SP 800-53 R3: CM-2, CM-2 (1), CM-2 (3), CM-2 (5), CM-3, CM-3 (2), CM-4, CM-5, CM-6, CM-6 (1), CM-6 (3), CM-9, MA-4, MA-4 (1), MA-4 (2), SA-3, SA-4, SA-4 (1), SA-4 (4), SA-4 (7), SA-5, SA-5 (1), SA-5 (3), SA-8, SA-10, SA-11, SA-11 (1), SA-12
PCI DSS: 12.1, 12.2, 12.3, 12.4
BITS Shared Assessments SIG/AUP: G.1.1
GAPP: 8.2.1
Jericho Forum: Commandment #1, #2, #3, #6, #7
AICPA TSC: S2.3.0

NIST SP 800-53 R3: CP-9, CP-9 (1), CP-9 (3), CP-10, CP-10 (2), CP-10 (3), SA-5, SA-5 (1), SA-5 (3), SA-10, SA-11, SA-11 (1)
PCI DSS: 12.1, 12.2, 12.3, 12.4
BITS Shared Assessments SIG/AUP: G.1.1
GAPP: 1.2.6
Jericho Forum: Commandment #1, #2, #4, #5, #11
NERC CIP: CIP-005-3a R1.3; CIP-007-3 R9
AICPA TSC: S3.11.0, A.2.1.0

NIST SP 800-53 R3: SA-4, SA-4 (1), SA-4 (4), SA-4 (7)
BITS Shared Assessments SIG/AUP: G.5
GAPP: 1.2.4
Jericho Forum: Commandment #1, #2, #3
AICPA TSC: A3.2.0, A4.1.0

NIST SP 800-53 R3: MA-2, MA-2 (1), MA-3, MA-3 (1), MA-3 (2), MA-3 (3), MA-4, MA-4 (1), MA-4 (2), MA-5, MA-6
BITS Shared Assessments SIG/AUP: F.2.19
GAPP: 5.2.3, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7
Jericho Forum: Commandment #2, #5, #11
NERC CIP: CIP-007-3 R6.1, R6.2, R6.3, R6.4
AICPA TSC: A3.2.0, A4.1.0

NIST SP 800-53 R3: CP-1, CP-2, CP-2 (1), CP-2 (2)
PCI DSS: 12.9.1
BITS Shared Assessments SIG/AUP: K.1.2.9, K.1.2.10, K.3.1
Jericho Forum: Commandment #1, #2, #3
AICPA TSC: A3.1.0, A3.3.0, A3.4.0

NIST SP 800-53 R3: CP-1, CP-2, RA-3
BITS Shared Assessments SIG/AUP: K.2
Jericho Forum: Commandment #1, #2, #3
NERC CIP: CIP-007-3 R8, R8.1, R8.2, R8.3
AICPA TSC: A3.1.0, A3.3.0, A3.4.0

NIST SP 800-53 R3: CP-1, CP-2, CP-2 (1), CP-2 (2), CP-3, CP-4, CP-4 (1), CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (5), CP-8, CP-8 (1), CP-8 (2), CP-9, CP-9 (1), CP-9 (3), CP-10, CP-10 (2), CP-10 (3), PE-17
PCI DSS: 12.9.1, 12.9.3, 12.9.4, 12.9.6
BITS Shared Assessments SIG/AUP: K.1.2.3, K.1.2.4, K.1.2.5, K.1.2.6, K.1.2.7, K.1.2.11, K.1.2.13, K.1.2.15
Jericho Forum: Commandment #1, #2, #3
AICPA TSC: A3.1.0, A3.3.0, A3.4.0

NIST SP 800-53 R3: CP-2, CP-2 (1), CP-2 (2), CP-3, CP-4, CP-4 (1)
PCI DSS: 12.9.2
BITS Shared Assessments SIG/AUP: K.1.3, K.1.4.3, K.1.4.6, K.1.4.7, K.1.4.8, K.1.4.9, K.1.4.10, K.1.4.11, K.1.4.12
Jericho Forum: Commandment #1, #2, #3
AICPA TSC: A3.3

NIST SP 800-53 R3: PE-1, PE-13, PE-13 (1), PE-13 (2), PE-13 (3), PE-14, PE-15, PE-18
BITS Shared Assessments SIG/AUP: F.2.9, F.1.2.21, F.5.1, F.1.5.2, F.2.1, F.2.7, F.2.8; F.1
GAPP: 8.2.4
Jericho Forum: Commandment #1, #2, #3
NERC CIP: CIP-004-3 R3.2
AICPA TSC: A3.1.0, A3.2.0

NIST SP 800-53 R3: PE-1, PE-5, PE-14, PE-15, PE-18
PCI DSS: 9.1.3, 9.5, 9.6, 9.9, 9.9.1
BITS Shared Assessments SIG/AUP: F.2.9, F.1.2.21, F.5.1, F.1.5.2, F.2.1, F.2.7, F.2.8; F.1
Jericho Forum: Commandment #1, #2, #3
AICPA TSC: A3.1.0, A3.2.0

NIST SP 800-53 R3: CP-8, CP-8 (1), CP-8 (2), PE-1, PE-9, PE-10, PE-11, PE-12, PE-13, PE-13 (1), PE-13 (2), PE-13 (3), PE-14
BITS Shared Assessments SIG/AUP: F.1.6, F.1.6.1, F.1.6.2, F.1.9.2, F.2.10, F.2.11, F.2.12; F.1
Jericho Forum: Commandment #1, #2, #3
AICPA TSC: A3.2.0

NIST SP 800-53 R3: PE-1, PE-4, PE-13, PE-13 (1), PE-13 (2), PE-13 (3)
BITS Shared Assessments SIG/AUP: F.1.6, F.1.6.1, F.1.6.2, F.1.9.2, F.2.10, F.2.11, F.2.12; F.1
Jericho Forum: Commandment #1, #2, #3, #4, #9, #11
AICPA TSC: A3.2.0, A3.4.0

AICPA Trust Service Criteria (SOC 2SM Report)

(S3.1) Procedures exist to (1) identify potential threats of


disruption to systems operation that would impair system
security commitments and (2) assess the risks associated
with the identified threats.

(x3.1.0) Procedures exist to (1) identify potential threats of


disruptions to systems operation that would impair system
[availability, processing integrity, confidenitality]
commitments and (2) assess the risks associated with the
identified threats.

(S3.1) Procedures exist to (1) identify potential threats of


disruption to systems operation that would impair system
security commitments and (2) assess the risks associated
with the identified threats.

(x3.1.0) Procedures exist to (1) identify potential threats of


disruptions to systems operation that would impair system
[availability, processing integrity, confidenitality]
commitments and (2) assess the risks associated with the
identified threats.

(S4.3.0) Environmental, regulatory, and technological


changes are monitored, and their effect on system
availability, confidentiality of data, processing integrity,
and system security is assessed on a timely basis; policies
are updated for that assessment.
(S3.1) Procedures exist to (1) identify potential threats of
disruption to systems operation that would impair system
security commitments and (2) assess the risks associated
with the identified threats.

(x3.1.0) Procedures exist to (1) identify potential threats of


disruptions to systems operation that would impair system
[availability, processing integrity, confidenitality]
commitments and (2) assess the risks associated with the
identified threats.

(S3.1) Procedures exist to (1) identify potential threats of


disruption to systems operation that would impair system
security commitments and (2) assess the risks associated
with the identified threats.

(x3.1.0) Procedures exist to (1) identify potential threats of


disruptions to systems operation that would impair system
[availability, processing integrity, confidenitality]
commitments and (2) assess the risks associated with the
identified threats.
(S2.2.0) The security obligations of users and the entity’s security commitments to users are communicated to authorized users.

(S2.3.0) Responsibility and accountability for the entity’s system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

(S3.8.0) Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.

(S3.8.0) Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.

(C3.14.0) Procedures exist to provide that system data are classified in accordance with the defined confidentiality and related security policies.

(S3.2.a) a. Logical access security measures to restrict access to information resources not deemed to be public.
(A3.3.0) Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.

(A3.4.0) Procedures exist to provide for the integrity of backup data and systems maintained to support the entity’s defined system availability and related security policies.

(I3.20.0) Procedures exist to provide for restoration and disaster recovery consistent with the entity’s defined processing integrity policies.

(I3.21.0) Procedures exist to provide for the completeness, accuracy, and timeliness of backup data and systems.

(C3.5.0) The system procedures provide that confidential information is disclosed to parties only in accordance with the entity’s defined confidentiality and related security policies.

(S3.4.0) Procedures exist to protect against unauthorized access to system resources.

(C3.5.0) The system procedures provide that confidential information is disclosed to parties only in accordance with the entity’s defined confidentiality and related security policies.

(S3.4.0) Procedures exist to protect against unauthorized access to system resources.

(C3.21.0) Procedures exist to provide that confidential information is protected during the system development, testing, and change processes in accordance with defined system confidentiality and related security policies.
(C3.5.0) The system procedures provide that confidential information is disclosed to parties only in accordance with the entity’s defined confidentiality and related security policies.

(S3.4.0) Procedures exist to protect against unauthorized access to system resources.

(S3.1.0) Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

(C3.14.0) Procedures exist to provide that system data are classified in accordance with the defined confidentiality and related security policies.

(S1.2.b-c) b. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction policies.
c. Assessing risks on a periodic basis.

(S4.1.0) The entity’s system availability, confidentiality, processing integrity and security performance is periodically reviewed and compared with the defined system availability and related security policies.
(S2.2.0) The availability, confidentiality of data, processing integrity, system security and related security obligations of users and the entity’s availability and related security commitments to users are communicated to authorized users.

(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

(C3.6.0) The entity has procedures to obtain assurance or representation that the confidentiality policies of third parties to whom information is transferred and upon which the entity relies are in conformity with the entity’s defined system confidentiality and related security policies and that the third party is in compliance with its policies.

(S3.11.0) Procedures exist to help ensure that personnel responsible for the design, development, implementation, and operation of systems affecting confidentiality and security have the qualifications and resources to fulfill their responsibilities.
(S2.2.0) The security obligations of users and the entity's security commitments to users are communicated to authorized users.

(S3.2.d) Procedures exist to restrict logical access to the system and information resources maintained in the system including, but not limited to, the following matters:
d. The process to make changes and updates to user profiles.

(S3.8.e) e. Procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own.

(S4.1.0) The entity’s system security is periodically reviewed and compared with the defined system security policies.

(S4.2.0) There is a process to identify and address potential impairments to the entity’s ongoing ability to achieve its objectives in accordance with its defined system security policies.
(S4.1.0) The entity’s system security is periodically reviewed and compared with the defined system security policies.

(S4.2.0) There is a process to identify and address potential impairments to the entity’s ongoing ability to achieve its objectives in accordance with its defined system security policies.

Note: third party service providers are addressed under either the carve-out method or the inclusive method as it relates to the assessment of controls.

(S2.2.0) The security obligations of users and the entity’s security commitments to users are communicated to authorized users.

(C2.2.0) The system confidentiality and related security obligations of users and the entity’s confidentiality and related security commitments to users are communicated to authorized users before the confidential information is provided. This communication includes, but is not limited to, the following matters: (see sub-criteria on TSPC tab)

(C3.6) The entity has procedures to obtain assurance or representation that the confidentiality policies of third parties to whom information is transferred and upon which the entity relies are in conformity with the entity’s defined system confidentiality and related security policies and that the third party is in compliance with its policies.
(S4.3.0) Environmental, regulatory, and technological changes are monitored and their effect on system security is assessed on a timely basis and policies are updated for that assessment.

(x4.4.0) Environmental, regulatory, and technological changes are monitored, and their impact on system [availability, processing integrity, confidentiality] and security is assessed on a timely basis. System [availability, processing integrity, confidentiality] policies and procedures are updated for such changes as required.

(S3.1.0) Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

(x3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operations that would impair system [availability, processing integrity, confidentiality] commitments and (2) assess the risks associated with the identified threats.

(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.

(S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

(S3.2.a) a. Logical access security measures to restrict access to information resources not deemed to be public.
(S3.2.b) b. Identification and authentication of users.

(S3.4) Procedures exist to protect against unauthorized access to system resources.
(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.

(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined processing integrity and related security policies.

(I3.2.0) The procedures related to completeness, accuracy, timeliness, and authorization of inputs are consistent with the documented system processing integrity policies.

(I3.3.0) The procedures related to completeness, accuracy, timeliness, and authorization of system processing, including error correction and database management, are consistent with documented system processing integrity policies.

(I3.4.0) The procedures related to completeness, accuracy, timeliness, and authorization of outputs are consistent with the documented system processing integrity policies.

(I3.5.0) There are procedures to enable tracing of information inputs from their source to their final disposition and vice versa.
(S3.4) Procedures exist to protect against unauthorized access to system resources.

(S3.2.b) b. Identification and authentication of users.

(S3.4) Procedures exist to protect against unauthorized access to system resources.

(S3.4) Procedures exist to protect against unauthorized access to system resources.
(S3.4) Procedures exist to protect against unauthorized access to system resources.
(S3.4) Procedures exist to protect against unauthorized access to system resources.

(S3.7) Procedures exist to identify, report, and act upon system security breaches and other incidents.
(S3.2.a) a. Logical access security measures to restrict access to information resources not deemed to be public.

(S3.7) Procedures exist to identify, report, and act upon system security breaches and other incidents.

(S3.4.0) Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.
(S3.12.0) Procedures exist to maintain system components, including configurations consistent with the defined system security policies.

(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies.

(S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

(A3.16.0, S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
(A3.13.0, C3.16.0, I3.14.0, S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system availability, confidentiality of data, processing integrity, systems security and related security policies.

(S3.13) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system availability, confidentiality of data, processing integrity, systems security and related security policies.

(S3.13) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

(S3.5.0) Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

(S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

(S3.2.f) f. Restriction of access to offline storage, backup data, systems, and media.

(C3.9.0) Procedures exist to restrict physical access to the defined system including, but not limited to: facilities, backup media, and other system components such as firewalls, routers, and servers.

(S3.4) Procedures exist to protect against unauthorized access to system resources.
(S3.1.0) Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

(C3.14.0) Procedures exist to provide that system data are classified in accordance with the defined confidentiality and related security policies.

(S1.2.b-c) b. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction policies.
c. Assessing risks on a periodic basis.

(x1.2.) The entity’s system [availability, processing integrity, confidentiality and related] security policies include, but may not be limited to, the following matters:
(S1.3.0) Responsibility and accountability for developing and maintaining the entity’s system security policies, and changes and updates to those policies, are assigned.

The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.

The security obligations of users and the entity’s security commitments to users are communicated to authorized users.

(S1.1.0) The entity's security policies are established and periodically reviewed and approved by a designated individual or group.

(S1.3.0) Responsibility and accountability for developing and maintaining the entity’s system security policies, and changes and updates to those policies, are assigned.

(S2.3.0) Responsibility and accountability for the entity's system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

(S1.1.0) The entity’s security policies are established and periodically reviewed and approved by a designated individual or group.

(S1.2.0(a-i)) The entity's security policies include, but may not be limited to, the following matters:
(S1.1.0) The entity’s security policies are established and periodically reviewed and approved by a designated individual or group.

(S3.9) Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

(S2.4.0) The security obligations of users and the entity’s security commitments to users are communicated to authorized users.

(S3.2.0) Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
c. Registration and authorization of new users.
d. The process to make changes to user profiles.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
(S3.2.0) Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
c. Registration and authorization of new users.
d. The process to make changes to user profiles.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).

(S3.2.0) Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
d. The process to make changes to user profiles.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
(S3.2.0) Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
d. The process to make changes to user profiles.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).

(S1.2.k) The entity's security policies include, but may not be limited to, the following matters:
k. Providing for training and other resources to support its system security policies.

(S2.2.0) The security obligations of users and the entity’s security commitments to users are communicated to authorized users.

(S4.3.0) Environmental, regulatory, and technological changes are monitored, and their effect on system availability, confidentiality, processing integrity and security is assessed on a timely basis; policies are updated for that assessment.

(S1.2.f) f. Assigning responsibility and accountability for system availability, confidentiality, processing integrity and related security.

(S1.2.f) f. Assigning responsibility and accountability for system availability, confidentiality, processing integrity and related security.

(S2.3.0) Responsibility and accountability for the entity’s system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
(S3.2.a) a. Logical access security measures to restrict access to information resources not deemed to be public.

(S2.3.0) Responsibility and accountability for the entity’s system availability, confidentiality, processing integrity and security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

(S3.3.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

(S3.4.0) Procedures exist to protect against unauthorized access to system resources.
(C3.12.0, S3.6.0) Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks.

(S3.4) Procedures exist to protect against unauthorized access to system resources.

(S3.6.0) Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks.

(S3.4) Procedures exist to protect against unauthorized access to system resources.
(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.

(S3.5.0) Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

(IS3.7.0) Procedures exist to identify, report, and act upon system security breaches and other incidents.

(S3.9.0) Procedures exist to provide that issues of noncompliance with system availability, confidentiality of data, processing integrity and related security policies are promptly addressed and that corrective measures are taken on a timely basis.
(A2.3.0, C2.3.0, I2.3.0, S2.3.0) Responsibility and accountability for the entity’s system availability, confidentiality of data, processing integrity and related security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

(S2.4) The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users.

(C3.6.0) The entity has procedures to obtain assurance or representation that the confidentiality policies of third parties to whom information is transferred and upon which the entity relies are in conformity with the entity’s defined system confidentiality and related security policies and that the third party is in compliance with its policies.

(S2.4.0) The process for informing the entity about system availability issues, confidentiality issues, processing integrity issues, security issues and breaches of the system security and for submitting complaints is communicated to authorized users.

(C3.15.0) Procedures exist to provide that issues of noncompliance with defined confidentiality and related security policies are promptly addressed and that corrective measures are taken on a timely basis.

(S3.9.0) Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

(C4.1.0) The entity’s system security, availability, system integrity, and confidentiality is periodically reviewed and compared with the defined system security, availability, system integrity, and confidentiality policies.
(S1.2) The entity’s security policies include, but may not be limited to, the following matters:

(S3.9) Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

(S3.4) Procedures exist to protect against unauthorized access to system resources.

(S3.6) Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks.

(I13.3.a-e) The procedures related to completeness, accuracy, timeliness, and authorization of system processing, including error correction and database management, are consistent with documented system processing integrity policies.

(I3.4.0) The procedures related to completeness, accuracy, timeliness, and authorization of outputs are consistent with the documented system processing integrity policies.

(S3.2.g) g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).

(S3.2.g) g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
(C2.2.0) The system security, availability, system integrity, and confidentiality and related security obligations of users and the entity’s system security, availability, system integrity, and confidentiality and related security commitments to users are communicated to authorized users.
(S3.4) Procedures exist to protect against unauthorized access to system resources.

(S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.

(S3.2.g) g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
(S2.3.0) Responsibility and accountability for the entity’s system availability, confidentiality of data, processing integrity, system security and related security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

(S3.11.0) Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting security have the qualifications and resources to fulfill their responsibilities.

(A.2.1.0) The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.
(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.

(A4.1.0) The entity’s system availability and security performance is periodically reviewed and compared with the defined system availability and related security policies.

(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.

(A4.1.0) The entity’s system availability and security performance is periodically reviewed and compared with the defined system availability and related security policies.

Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.

Procedures exist to provide for the integrity of backup data and systems maintained to support the entity’s defined system availability and related security policies.
(A3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

(A3.3.0) Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.

(A3.4.0) Procedures exist to provide for the integrity of backup data and systems maintained to support the entity’s defined system availability and related security policies.

(A3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

(A3.3.0) Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.

(A3.4.0) Procedures exist to provide for the integrity of backup data and systems maintained to support the entity’s defined system availability and related security policies.
(A3.3) Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.

(A3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.

(A3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.

(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.
(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.

(A3.4.0) Procedures exist to protect against unauthorized access to system resources.
