Sp800-53-Collaboration-Index-Template 5544

NIST Special Publication (SP) 800-53, Revsion 5, Supplement
September 21, 2020
urity and Privacy Control Collaboration Index Template
s collaboration index template supports information security and privacy program collaboration to
ensure that the objectives of both disciplines are met and that risks are appropriately managed. I
ptional tool for information security and privacy programs to identify the degree of collaboration
ded between security and privacy programs with respect to the selection and/or implementation o
rols in NIST Special Publication (SP) 800-53, Revision 5. There may be circumstances where th
ction and/or implementation of a control or control enhancement affects the ability of a security o
acy program to achieve its objectives and manage its respective risks. While the discussion sectio
highlight specific security and/or privacy considerations, they are not exhaustive.
T encourages organizations to share feedback by sending an email to [email protected] to help

rove the controls and supplemental materials.
T SP 800-53, Revision 5 can be accessed from: https://doi.org/10.6028/NIST.SP.800-53r5

Control Control Name Collaboration
Number Control Enhancement Name Index Value
Page 2
Security and Privacy Control Collaboration Index Template
AWARENESS AND TRAINING FAMILY

AC-1 Policy and Procedures
AC-2 Account Management
AC-2(1) automated system account management
AC-2(2) automated temporary and emergency account management
AC-2(3) disable accounts
AC-2(4) automated audit actions
AC-2(5) inactivity logout
AC-2(6) dynamic privilege management
AC-2(7) privileged user accounts
AC-2(8) dynamic account management
AC-2(9) restrictions on use of shared and group accounts
AC-2(10) shared and group account credential change
AC-2(11) usage conditions
AC-2(12) account monitoring for atypical usage
AC-2(13) disable accounts for high-risk individuals
AC-3 Access Enforcement
AC-3(1) restricted access to privileged function
AC-3(2) dual authorization
AC-3(3) mandatory access control
AC-3(4) discretionary access control
AC-3(5) security-relevant information
AC-3(6) protection of user and system information
AC-3(7) role-based access control
AC-3(8) revocation of access authorizations
AC-3(9) controlled release
AC-3(10) audited override of access control mechanisms
AC-3(11) restrict access to specific information types
AC-3(12) assert and enforce application access
AC-3(13) attribute-based access control
AC-3(14) individual access
3

AC-3(15) discretionary and mandatory access control
AC-4 Information Flow Enforcement
AC-4(1) object security and privacy attributes
AC-4(2) processing domains
AC-4(3) dynamic information flow control
AC-4(4) flow control of encrypted information
AC-4(5) embedded data types
AC-4(6) metadata
AC-4(7) one-way flow mechanisms
AC-4(8) security and privacy policy filters
AC-4(9) human reviews
AC-4(10) enable and disable security or privacy policy filters
AC-4(11) configuration of security or privacy policy filters
AC-4(12) data type identifiers
AC-4(13) decomposition into policy-relevant subcomponents
AC-4(14) security or privacy policy filter constraints
AC-4(15) detection of unsanctioned information
AC-4(16) information transfers on interconnected systems
AC-4(17) domain authentication
AC-4(18) security attribute binding
AC-4(19) validation of metadata
AC-4(20) approved solutions
AC-4(21) physical or logical separation of information flows
AC-4(22) access only
AC-4(23) modify non-releasable information
AC-4(24) internal normalized format
AC-4(25) data sanitization
AC-4(26) audit filtering actions
AC-4(27) redundant/independent filtering mechanisms
AC-4(28) linear filter pipelines
AC-4(29) filter orchestration engines
4

AC-4(30) filter mechanisms using multiple processes
AC-4(31) failed content transfer prevention
AC-4(32) process requirements for information transfer
AC-5 Separation of Duties
AC-6 Least Privilege
AC-6(1) authorize access to security functions
AC-6(2) non-privileged access for nonsecurity functions
AC-6(3) network access to privileged commands
AC-6(4) separate processing domains
AC-6(5) privileged accounts
AC-6(6) privileged access by non-organizational users
AC-6(7) review of user privileges
AC-6(8) privilege levels for code execution
AC-6(9) log use of privileged functions
AC-6(10) prohibit non-privileged users from executing privileged functions
AC-7 Unsuccessful Logon Attempts

AC-7(1) automatic account lock
AC-7(2) purge or wipe mobile device
AC-7(3) biometric attempt limiting
AC-7(4) use of alternate authentication factor
AC-8 System Use Notification
AC-9 Previous Logon Notification
AC-9(1) unsuccessful logons
AC-9(2) successful and unsuccessful logons
AC-9(3) notification of account changes
AC-9(4) additional logon information
AC-10 Concurrent Session Control
AC-11 Device Lock
AC-11(1) pattern-hiding displays
AC-12 Session Termination
AC-12(1) user-initiated logouts
5

AC-12(2) termination message
AC-12(3) timeout warning message
AC-13 Supervision and Review-Access Control
AC-14 Permitted Actions without Identification or Authentication
AC-14(1) necessary uses

AC-15 Automated Marking
AC-16 Security and Privacy Attributes
AC-16(1) dynamic attribute association
AC-16(2) attribute value changes by authorized individuals
AC-16(3) maintenance of attribute associations by system
AC-16(4) association of attributes by authorized individuals
AC-16(5) attribute displays on objects to be output
AC-16(6) maintenance of attribute association
AC-16(7) consistent attribute interpretation
AC-16(8) association techniques and technologies
AC-16(9) attribute reassignment – regrading mechanisms
AC-16(10) attribute configuration by authorized individuals
AC-17 Remote Access
AC-17(1) monitoring and control
AC-17(2) protection of confidentiality and integrity using encryption
AC-17(3) managed access control points
AC-17(4) privileged commands and access
AC-17(5) monitoring for unauthorized connections
AC-17(6) protection of mechanism information
AC-17(7) additional protection for security function access
AC-17(8) disable nonsecure network protocols
AC-17(9) disconnect or disable access
AC-17(10) authenticate remote commands
AC-18 Wireless Access
AC-18(1) authentication and encryption
AC-18(2) monitoring unauthorized connections
6

AC-18(3) disable wireless networking
AC-18(4) restrict configurations by users
AC-18(5) antennas and transmission power levels
AC-19 Access Control for Mobile Devices
AC-19(1) use of writable and portable storage devices
AC-19(2) use of personally owned portable storage devices
AC-19(3) use of portable storage devices with no identifiable owner
AC-19(4) restrictions for classified information
AC-19(5) full device or container-based encryption
AC-20 Use of External Systems
AC-20(1) limits on authorized use
AC-20(2) portable storage devices — restricted use
AC-20(3) non-organizationally owned systems — restricted use
AC-20(4) network accessible storage devices — prohibited use
AC-20(5) portable storage devices — prohibited use
AC-21 Information Sharing
AC-21(1) automated decision support
AC-21(2) information search and retrieval
AC-22 Publicly Accessible Content
AC-23 Data Mining Protection
AC-24 Access Control Decisions
AC-24(1) transmit access authorization information
AC-24(2) no user or process identity
AC-25 Reference Monitor
AWARENESS AND TRAINING FAMILY
AT-1 Policy and Procedures
AT-2 Literacy Training and Awareness
AT-2(1) practical exercises
AT-2(2) insider threat
AT-2(3) social engineering and mining
AT-2(4) suspicious communications and anomalous system behavior
7

AT-2(5) advanced persistent threat
AT-2(6) cyber threat environment
AT-3 Role-Based Training
AT-3(1) environmental controls
AT-3(2) physical security controls
AT-3(3) practical exercises
AT-3(4) suspicious communications and anomalous system behavior
AT-3(5) processing personally identifiable information

AT-4 Training Records
AT-5 Contacts with Security Groups and Associations
AT-6 Training Feedback
AUDIT AND ACCOUNTABILITY FAMILY
AU-1 Policy and Procedures
AU-2 Event Logging
AU-2(1) compilation of audit records from multiple sources
AU-2(2) selection of audit events by component
AU-2(3) reviews and updates
AU-2(4) privileged functions
AU-3 Content of Audit Records
AU-3(1) additional audit information
AU-3(2) centralized management of planned audit record content
AU-3(3) limit personally identifiable information elements
AU-4 Audit Log Storage Capacity
AU-4(1) transfer to alternate storage
AU-5 Response to Audit Logging Process Failures
AU-5(1) storage capacity warning
AU-5(2) real-time alerts
AU-5(3) configurable traffic volume thresholds
AU-5(4) shutdown on failure
AU-5(5) alternate audit logging capability
AU-6 Audit Record Review, Analysis, and Reporting
8

AU-6(1) automated process integration
AU-6(2) automated security alerts
AU-6(3) correlate audit record repositories
AU-6(4) central review and analysis
AU-6(5) integrated analysis of audit records
AU-6(6) correlation with physical monitoring
AU-6(7) permitted actions
AU-6(8) full text analysis of privileged commands
AU-6(9) correlation with information from nontechnical sources
AU-6(10) audit level adjustment
AU-7 Audit Record Reduction and Report Generation
AU-7(1) automatic processing
AU-7(2) automatic search and sort
AU-8 Time Stamps
AU-8(1) synchronization with authoritative time source
AU-8(2) secondary authoritative time source
AU-9 Protection of Audit Information
AU-9(1) hardware write-once media
AU-9(2) store on separate physical systems or components
AU-9(3) cryptographic protection
AU-9(4) access by subset of privileged users
AU-9(5) dual authorization
AU-9(6) read-only access
AU-9(7) store on component with different operating system
AU-10 Non-repudiation
AU-10(1) association of identities
AU-10(2) validate binding of information producer identity
AU-10(3) chain of custody
AU-10(4) validate binding of information reviewer identity
AU-10(5) digital signatures
AU-11 Audit Record Retention
9

AU-11(1) long-term retrieval capability
AU-12 Audit Record Generation
AU-12(1) system-wide and time-correlated audit trail
AU-12(2) standardized formats
AU-12(3) changes by authorized individuals
AU-12(4) query parameter audits of personally identifiable information
AU-13 Monitoring for Information Disclosure

AU-13(1) use of automated tools
AU-13(2) review of monitored sites
AU-13(3) unauthorized replication of information
AU-14 Session Audit
AU-14(1) system start-up
AU-14(2) capture and record content
AU-14(3) remote viewing and listening
AU-15 Alternate Audit Logging Capability
AU-16 Cross-Organizational Audit Logging
AU-16(1) identity preservation
AU-16(2) sharing of audit information
AU-16(3) disassociability
ASSESSMENT, AUTHORIZATION, AND MONITORING FAMILY
CA-1 Policy and Procedures
CA-2 Control Assessments
CA-2(1) independent assessors
CA-2(2) specialized assessments
CA-2(3) leveraging results from external organizations
CA-3 Information Exchange
CA-3(1) unclassified national security connections
CA-3(2) classified national security system connections
CA-3(3) unclassified non-national security system connections
CA-3(4) connections to public networks
CA-3(5) restrictions on external system connections
10

CA-3(6) transfer authorizations
CA-3(7) transitive information exchanges
CA-4 Security Certification
CA-5 Plan of Action and Milestones
CA-5(1) automation support for accuracy and currency
CA-6 Authorization
CA-6(1) joint authorization — intra-organization
CA-6(2) joint authorization — inter-organization
CA-7 Continuous Monitoring
CA-7(1) independent assessment
CA-7(2) types of assessments
CA-7(3) trend analyses
CA-7(4) risk monitoring
CA-7(5) consistency analysis
CA-7(6) automation support for monitoring
CA-8 Penetration Testing
CA-8(1) independent penetration testing agent or team
CA-8(2) red team exercises
CA-8(3) facility penetration testing
CA-9 Internal System Connections
CA-9(1) compliance checks
CONFIGURATION MANAGEMENT FAMILY
CM-1 Policy and Procedures
CM-2 Baseline Configuration
CM-2(1) reviews and updates
CM-2(2) automation support for accuracy and currency
CM-2(3) retention of previous configurations
CM-2(4) unauthorized software
CM-2(5) authorized software
CM-2(6) development and test environments
CM-2(7) configure systems and components for high-risk areas
11

CM-3 Configuration Change Control
CM-3(1) automated documentation, notification, and prohibition of changes
CM-3(2) testing, validation, and documentation of changes

CM-3(3) automated change implementation
CM-3(4) security and privacy representatives
CM-3(5) automated security response
CM-3(6) cryptography management
CM-3(7) review system changes
CM-3(8) prevent or restrict configuration changes
CM-4 Impact Analyses
CM-4(1) separate test environments
CM-4(2) verification of controls
CM-5 Access Restrictions for Change
CM-5(1) automated access enforcement and audit records
CM-5(2) review system changes
CM-5(3) signed components
CM-5(4) dual authorization
CM-5(5) privilege limitation for production and operation
CM-5(6) limit library privileges
CM-5(7) automatic implementation of security safeguards
CM-6 Configuration Settings
CM-6(1) automated management, application, and verification
CM-6(2) respond to unauthorized changes
CM-6(3) unauthorized change detection
CM-6(4) conformance demonstration
CM-7 Least Functionality
CM-7(1) periodic review
CM-7(2) prevent program execution
CM-7(3) registration compliance
CM-7(4) unauthorized software
CM-7(5) authorized software
12

CM-7(6) confined environments with limited privileges
CM-7(7) code execution in protected environments
CM-7(8) binary or machine executable code
CM-7(9) prohibiting the use of unauthorized hardware
CM-8 System Component Inventory
CM-8(1) updates during installation and removal
CM-8(2) automated maintenance
CM-8(3) automated unauthorized component detection
CM-8(4) accountability information
CM-8(5) no duplicate accounting of components
CM-8(5) no duplicate accounting of components
CM-8(6) assessed configurations and approved deviations
CM-8(7) centralized repository
CM-8(8) automated location tracking
CM-8(9) assignment of components to systems
CM-9 Configuration Management Plan
CM-9(1) assignment of responsibility
CM-10 Software Usage Restrictions
CM-10(1) open-source software
CM-11 User-Installed Software
CM-11(1) alerts for unauthorized installations
CM-11(2) software installation with privileged status
CM-11(3) automated enforcement and monitoring
CM-12 Information Location
CM-12(1) automated tools to support information location
CM-13 Data Action Mapping
CM-14 Signed Components
CONTINGENCY PLANNING FAMILY
CP-1 Policy and Procedures
CP-2 Contingency Plan
CP-2(1) coordinate with related plans
13

CP-2(2) capacity planning
CP-2(3) resume mission and business functions
CP-2(4) resume all mission and business functions
CP-2(5) continue mission and business functions
CP-2(6) alternate processing and storage sites
CP-2(7) coordinate with external service providers
CP-2(8) identify critical assets
CP-3 Contingency Training
CP-3(1) simulated events
CP-3(2) mechanisms used in training environments
CP-4 Contingency Plan Testing
CP-4(1) coordinate with related plans
CP-4(2) alternate processing site
CP-4(3) automated testing
CP-4(4) full recovery and reconstitution
CP-4(5) self-challenge
CP-5 Contingency Plan Update
CP-6 Alternate Storage Site
CP-6(1) separation from primary site
CP-6(2) recovery time and recovery point objectives
CP-6(3) accessibility
CP-7 Alternate Processing Site
CP-7(1) separation from primary site
CP-7(2) accessibility
CP-7(3) priority of service
CP-7(4) preparation for use
CP-7(5) equivalent information security safeguards
CP-7(6) inability to return to primary site
CP-8 Telecommunications Services
CP-8(1) priority of service provisions
CP-8(2) single points of failure
14

CP-8(3) separation of primary and alternate providers
CP-8(4) provider contingency plan
CP-8(5) alternate telecommunication service testing
CP-9 System Backup
CP-9(1) testing for reliability and integrity
CP-9(2) test restoration using sampling
CP-9(3) separate storage for critical information
CP-9(4) protection from unauthorized modification
CP-9(5) transfer to alternate storage site
CP-9(6) redundant secondary system
CP-9(7) dual authorization
CP-9(8) cryptographic protection
CP-10 System Recovery and Reconstitution
CP-10(1) contingency plan testing
CP-10(2) transaction recovery
CP-10(3) compensating security controls
CP-10(4) restore within time period
CP-10(5) failover capability
CP-10(6) component protection
CP-11 Alternate Communications Protocols
CP-12 Safe Mode
CP-13 Alternative Security Mechanisms
IDENTIFICATION AND AUTHENTICATION FAMILY
IA-1 Policy and Procedures
IA-2 Identification and Authentication (Organizational Users)
IA-2(1) multi-factor authentication to privileged accounts
IA-2(2) multi-factor authentication to non-privileged accounts
IA-2(3) local access to privileged accounts
IA-2(4) local access to non-privileged accounts
IA-2(5) individual authentication with group authentication
IA-2(6) access to accounts — separate device
15

IA-2(7) network access to non-privileged accounts — separate device
IA-2(8) access to accounts — replay resistant
IA-2(9) network access to non-privileged accounts — replay resistant
IA-2(10) single sign-on

IA-2(11) remote access — separate device
IA-2(12) acceptance of piv credentials
IA-2(13) out-of-band authentication
IA-3 Device Identification and Authentication
IA-3(1) cryptographic bidirectional authentication
IA-3(2) cryptographic bidirectional network authentication
IA-3(3) dynamic address allocation
IA-3(4) device attestation
IA-4 Identifier Management
IA-4(1) prohibit account identifiers as public identifiers
IA-4(2) supervisor authorization
IA-4(3) multiple forms of certification
IA-4(4) identify user status
IA-4(5) dynamic management
IA-4(6) cross-organization management
IA-4(7) in-person registration
IA-4(8) pairwise pseudonymous identifiers
IA-4(9) attribute maintenance and protection
IA-5 Authenticator Management
IA-5(1) password-based authentication
IA-5(2) public key-based authentication
IA-5(3) in-person or trusted external party registration
IA-5(4) automated support for password strength determination
IA-5(5) change authenticators prior to delivery
IA-5(6) protection of authenticators
IA-5(7) no embedded unencrypted static authenticators
16

IA-5(8) multiple system accounts
IA-5(9) federated credential management
IA-5(10) dynamic credential binding
IA-5(11) hardware token-based authentication
IA-5(12) biometric authentication performance
IA-5(13) expiration of cached authenticators
IA-5(14) managing content of pki trust stores
IA-5(15) gsa-approved products and services
IA-5(16) in-person or trusted external party authenticator issuance
IA-5(17) presentation attack detection for biometric authenticators
IA-5(18) password managers
IA-6 Authentication Feedback
IA-7 Cryptographic Module Authentication
IA-8 Identification and Authentication (Non-Organizational Users)
IA-8(1) acceptance of piv credentials from other agencies

IA-8(2) acceptance of external authenticators
IA-8(3) use of ficam-approved products
IA-8(4) use of defined profiles
IA-8(5) acceptance of piv-i credentials
IA-8(6) disassociability
IA-9 Service Identification and Authentication
IA-9(1) information exchange
IA-9(2) transmission of decisions
IA-10 Adaptive Authentication
IA-11 Re-authentication
IA-12 Identity Proofing
IA-12(1) supervisor authorization
IA-12(2) identity evidence
IA-12(3) identity evidence validation and verification
IA-12(4) in-person validation and verification
IA-12(5) address confirmation
17

IA-12(6) accept externally-proofed identities
INCIDENT RESPONSE FAMILY
IR-1 Policy and Procedures
IR-2 Incident Response Training
IR-2(1) simulated events
IR-2(2) automated training environments
IR-2(3) breach
IR-3 Incident Response Testing
IR-3(1) automated testing
IR-3(2) coordination with related plans
IR-3(3) continuous improvement
IR-4 Incident Handling
IR-4(1) automated incident handling processes
IR-4(2) dynamic reconfiguration
IR-4(3) continuity of operations
IR-4(4) information correlation
IR-4(5) automatic disabling of system
IR-4(6) insider threats
IR-4(7) insider threats — intra-organization coordination
IR-4(8) correlation with external organizations
IR-4(9) dynamic response capability
IR-4(10) supply chain coordination
IR-4(11) integrated incident response team
IR-4(12) malicious code and forensic analysis
IR-4(13) behavior analysis
IR-4(14) security operations center
IR-4(15) public relations and reputation repair
IR-5 Incident Monitoring
IR-5(1) automated tracking, data collection, and analysis
IR-6 Incident Reporting
IR-6(1) automated reporting
18

IR-6(2) vulnerabilities related to incidents
IR-6(3) supply chain coordination
IR-7 Incident Response Assistance
IR-7(1) automation support for availability of information and support
IR-7(2) coordination with external providers

IR-8 Incident Response Plan
IR-8(1) breaches
IR-9 Information Spillage Response
IR-9(1) responsible personnel
IR-9(2) training
IR-9(3) post-spill operations
IR-9(4) exposure to unauthorized personnel
MAINTENANCE FAMILY
MA-1 Policy and Procedures
MA-2 Controlled Maintenance
MA-2(1) record content
MA-2(2) automated maintenance activities
MA-3 Maintenance Tools
MA-3(1) inspect tools
MA-3(2) inspect media
MA-3(3) prevent unauthorized removal
MA-3(4) restricted tool use
MA-3(5) execution with privilege
MA-3(6) software updates and patches
MA-4 Nonlocal Maintenance
MA-4(1) logging and review
MA-4(2) document nonlocal maintenance
MA-4(3) comparable security and sanitization
MA-4(4) authentication and separation of maintenance sessions
MA-4(5) approvals and notifications
MA-4(6) cryptographic protection
19

MA-4(7) disconnect verification
MA-5 Maintenance Personnel
MA-5(1) individuals without appropriate access
MA-5(2) security clearances for classified systems
MA-5(3) citizenship requirements for classified systems
MA-5(4) foreign nationals
MA-5(5) non-system maintenance
MA-6 Timely Maintenance
MA-6(1) preventive maintenance
MA-6(2) predictive maintenance
MA-6(3) automated support for predictive maintenance
MA-7 Field Maintenance
MEDIA PROTECTION FAMILY
MP-2(1) automated restricted access
MP-2(2) cryptographic protection
MP-3 Media Marking
MP-4 Media Storage
MP-4(2) automated restricted access
MP-5 Media Transport
MP-5(1) protection outside of controlled areas
MP-5(2) documentation of activities
MP-5(3) custodians
MP-6 Media Sanitization
MP-6(1) review, approve, track, document, and verify
MP-6(2) equipment testing
MP-6(3) nondestructive techniques
MP-6(4) controlled unclassified information
MP-6(5) classified information
MP-6(6) media destruction
20

MP-6(7) dual authorization
MP-6(8) remote purging or wiping of information
MP-7 Media Use
MP-7(1) prohibit use without owner
MP-7(2) prohibit use of sanitization-resistant media
MP-8 Media Downgrading
MP-8(1) documentation of process
MP-8(2) equipment testing
MP-8(3) controlled unclassified information
MP-8(4) classified information
PHYSICAL AND ENVIRONMENTAL PROTECTION FAMILY
PE-1 Policy and Procedures
PE-2 Physical Access Authorizations
PE-2(1) access by position and role
PE-2(2) two forms of identification
PE-2(3) restrict unescorted access
PE-3 Physical Access Control
PE-3(1) system access
PE-3(2) facility and systems
PE-3(3) continuous guards
PE-3(4) lockable casings
PE-3(5) tamper protection
PE-3(6) facility penetration testing
PE-3(7) physical barriers
PE-3(8) access control vestibules
PE-4 Access Control for Transmission
PE-5 Access Control for Output Devices
PE-5(1) access to output by authorized individuals
PE-5(2) link to individual identity
PE-5(3) marking output devices
PE-6 Monitoring Physical Access
21

PE-6(1) intrusion alarms and surveillance equipment
PE-6(2) automated intrusion recognition and responses
PE-6(3) video surveillance
PE-6(4) monitoring physical access to systems
PE-7 Visitor Control
PE-8 Visitor Access Records
PE-8(1) automated records maintenance and review
PE-8(2) physical access records
PE-8(3) limit personally identifiable information elements
PE-9 Power Equipment and Cabling
PE-9(1) redundant cabling
PE-9(2) automatic voltage controls
PE-10 Emergency Shutoff
PE-10(1) accidental and unauthorized activation
PE-11 Emergency Power
PE-11(1) alternate power supply — minimal operational capability
PE-11(2) alternate power supply — self-contained
PE-12 Emergency Lighting
PE-12(1) essential mission and business functions
PE-13 Fire Protection
PE-13(1) detection systems — automatic activation and notification
PE-13(2) suppression systems — automatic activation and notification
PE-13(3) automatic fire suppression

PE-13(4) inspections
PE-14 Environmental Controls
PE-14(1) automatic controls
PE-14(2) monitoring with alarms and notifications
PE-15 Water Damage Protection
PE-15(1) automation support
PE-16 Delivery and Removal
PE-17 Alternate Work Site
22

PE-18 Location of System Components
PE-18(1) facility site
PE-19 Information Leakage
PE-19(1) national emissions and tempest policies and procedures
PE-20 Asset Monitoring and Tracking
PE-21 Electromagnetic Pulse Protection
PE-22 Component Marking
PE-23 Facility Location
PLANNING FAMILY
PL-1 Policy and Procedures
PL-2 System Security and Privacy Plans
PL-2(1) concept of operations
PL-2(2) functional architecture
PL-2(3) plan and coordinate with other organizational entities
PL-3 System Security Plan Update
PL-4 Rules of Behavior
PL-4(1) social media and external site/application usage restrictions
PL-5 Privacy Impact Assessment

PL-6 Security-Related Activity Planning
PL-7 Concept of Operations
PL-8 Security and Privacy Architectures
PL-8(1) defense in depth
PL-8(2) supplier diversity
PL-9 Central Management
PL-10 Baseline Selection
PL-11 Baseline Tailoring
PROGRAM MANAGEMENT FAMILY
PM-1 Information Security Program Plan
PM-2 Information Security Program Leadership Role
PM-3 Information Security and Privacy Resources
PM-4 Plan of Action and Milestones Process
23

PM-5 System Inventory
PM-5(1) inventory of personally identifiable information
PM-6 Measures of Performance
PM-7 Enterprise Architecture
PM-7(1) offloading
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Authorization Process
PM-11 Mission and Business Process Definition
PM-12 Insider Threat Program
PM-13 Security and Privacy Workforce
PM-14 Testing, Training, and Monitoring
PM-15 Security and Privacy Groups and Associations
PM-16 Threat Awareness Program
PM-16(1) automated means for sharing threat intelligence
Protecting Controlled Unclassified Information on External
PM-17
Systems
PM-18 Privacy Program Plan
PM-19 Privacy Program Leadership Role
PM-20 Dissemination of Privacy Program Information
PM-20(1) privacy policies on websites, applications, and digital services
PM-21 Accounting of Disclosures

PM-22 Personally Identifiable Information Quality Management
PM-23 Data Governance Body
PM-24 Data Integrity Board
Minimization of Personally Identifiable Information Used in
PM-25 Testing, Training, and Research
PM-26 Complaint Management
PM-27 Privacy Reporting
PM-28 Risk Framing
PM-29 Risk Management Program Leadership Roles
PM-30 Supply Chain Risk Management Strategy
24

PM-30(1) suppliers of critical or mission-essential items
PM-31 Continuous Monitoring Strategy
PM-32 Purposing
PERSONNEL SECURITY FAMILY
PS-1 Policy and Procedures
PS-2 Position Risk Designation
PS-3 Personnel Screening
PS-3(1) classified Information
PS-3(2) formal indoctrination
PS-3(3) information with special protection measures
PS-3(4) citizenship requirements
PS-4 Personnel Termination
PS-4(1) post-employment requirements
PS-4(2) automated actions
PS-5 Personnel Transfer
PS-6 Access Agreements
PS-6(1) information requiring special protection
PS-6(2) classified information requiring special protection
PS-6(3) post-employment requirements
PS-7 External Personnel Security
PS-8 Personnel Sanctions
PS-9 Position Descriptions
PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY FAMILY
PT-1 Policy and Procedures
PT-2 Authority to Process Personally Identifiable Information
PT-2(1) data tagging
PT-2(2) automation
PT-3 Personally Identifiable Information Processing Purposes
PT-3(1) data tagging
PT-3(2) automation
PT-4 Consent
25

PT-4(1) tailored consent
PT-4(2) just-in-time consent
PT-4(3) revocation
PT-5 Privacy Notice
PT-5(1) just-in-time notice
PT-5(2) privacy act statements
PT-6 System of Records Notice
PT-6(1) routine uses
PT-6(2) exemption rules
PT-7 Specific Categories of Personally Identifiable Information
PT-7(1) social security numbers
PT-7(2) first amendment information
PT-8 Computer Matching Requirements
RISK ASSESSMENT FAMILY
RA-1 Policy and Procedures
RA-2 Security Categorization
RA-2(1) impact-level prioritization
RA-3 Risk Assessment
RA-3(1) supply chain risk assessment
RA-3(2) use of all-source intelligence
RA-3(3) dynamic threat awareness
RA-3(4) predictive cyber analytics
RA-4 Risk Assessment Update
RA-5 Vulnerability Monitoring and Scanning
RA-5(1) update tool capability
RA-5(2) update vulnerabilities to be scanned
RA-5(3) breadth and depth of coverage
RA-5(4) discoverable information
RA-5(5) privileged access
RA-5(6) automated trend analyses
RA-5(7) automated detection and notification of unauthorized components
26

RA-5(8) review historic audit logs
RA-5(9) penetration testing and analyses
RA-5(10) correlate scanning information
RA-5(11) public disclosure program
RA-6 Technical Surveillance Countermeasures Survey
RA-7 Risk Response
RA-8 Privacy Impact Assessments
RA-9 Criticality Analysis
RA-10 Threat Hunting
SYSTEM AND SERVICES ACQUISITION FAMILY
SA-1 Policy and Procedures
SA-2 Allocation of Resources
SA-3 System Development Life Cycle
SA-3(1) manage preproduction environment
SA-3(2) use of live or operational data
SA-3(3) technology refresh
SA-4 Acquisition Process
SA-4(1) functional properties of controls
SA-4(2) design and implementation information for controls
SA-4(3) development methods, techniques, and practices
SA-4(4) assignment of components to systems
SA-4(5) system, component, and service configurations
SA-4(6) use of information assurance products
SA-4(7) niap-approved protection profiles
SA-4(8) continuous monitoring plan for controls
SA-4(9) functions, ports, protocols, and services in use
SA-4(10) use of approved piv products
SA-4(11) system of records
SA-4(12) data ownership
SA-5 System Documentation
SA-5(1) functional properties of security controls
27

SA-5(2) security-relevant external system interfaces
SA-5(3) high-level design
SA-5(4) low-level design
SA-5(5) source code
SA-6 Software Usage Restrictions
SA-7 User-Installed Software
SA-8 Security and Privacy Engineering Principles
SA-8(1) clear abstractions
SA-8(2) least common mechanism
SA-8(3) modularity and layering
SA-8(4) partially ordered dependencies
SA-8(5) efficiently mediated access
SA-8(6) minimized sharing
SA-8(7) reduced complexity
SA-8(8) secure evolvability
SA-8(9) trusted components
SA-8(10) hierarchical trust
SA-8(11) inverse modification threshold
SA-8(12) hierarchical protection
SA-8(13) minimized security elements
SA-8(14) least privilege
SA-8(15) predicate permission
SA-8(16) self-reliant trustworthiness
SA-8(17) secure distributed composition
SA-8(18) trusted communications channels
SA-8(19) continuous protection
SA-8(20) secure metadata management
SA-8(21) self-analysis
SA-8(22) accountability and traceability
SA-8(23) secure defaults
SA-8(24) secure failure and recovery
28

SA-8(25) economic security
SA-8(26) performance security
SA-8(27) human factored security
SA-8(28) acceptable security
SA-8(29) repeatable and documented procedures
SA-8(30) procedural rigor
SA-8(31) secure system modification
SA-8(32) sufficient documentation
SA-8(33) minimization
SA-9 External System Services
SA-9(1) risk assessments and organizational approvals
SA-9(2) identification of functions, ports, protocols, and services
SA-9(3) establish and maintain trust relationship with providers
SA-9(4) consistent interests of consumers and providers
SA-9(5) processing, storage, and service location
SA-9(6) organization-controlled cryptographic keys
SA-9(7) organization-controlled integrity checking
SA-9(8) processing and storage location — u.s. jurisdiction
SA-10 Developer Configuration Management
SA-10(1) software and firmware integrity verification
SA-10(2) alternative configuration management processes
SA-10(3) hardware integrity verification
SA-10(4) trusted generation
SA-10(5) mapping integrity for version control
SA-10(6) trusted distribution
SA-10(7) security and privacy representatives
SA-11 Developer Testing and Evaluation
SA-11(1) static code analysis
SA-11(2) threat modeling and vulnerability analyses
SA-11(3) independent verification of assessment plans and evidence
SA-11(4) manual code reviews
29

SA-11(5) penetration testing
SA-11(6) attack surface reviews
SA-11(7) verify scope of testing and evaluation
SA-11(8) dynamic code analysis
SA-11(9) interactive application security testing
SA-12 Supply Chain Protection
SA-12(1) acquisition strategies, tools, and methods
SA-12(2) supplier reviews
SA-12(3) trusted shipping and warehousing
SA-12(4) diversity of suppliers
SA-12(5) limitation of harm
SA-12(6) minimizing procurement time
SA-12(7) assessments prior to selection / acceptance / update
SA-12(8) use of all-source intelligence
SA-12(9) operations security
SA-12(10) validate as genuine and not altered
SA-12(11) penetration testing / analysis of elements, processes, and actors
SA-12(12) inter-organizational agreements

SA-12(13) critical information system components
SA-12(14) identity and traceability
SA-12(15) process to address weaknesses or deficiencies
SA-13 Trustworthiness
SA-14 Criticality Analysis
SA-14(1) critical components with no viable alternative sourcing
SA-15 Development Process, Standards, and Tools
SA-15(1) quality metrics
SA-15(2) security and privacy tracking tools
SA-15(3) criticality analysis
SA-15(4) threat modeling and vulnerability analysis
SA-15(5) attack surface reduction
SA-15(6) continuous improvement
30

SA-15(7) automated vulnerability analysis
SA-15(8) reuse of threat and vulnerability information
SA-15(9) use of live data
SA-15(10) incident response plan
SA-15(11) archive system or component
SA-15(12) minimize personally identifiable information
SA-16 Developer-Provided Training
SA-17 Developer Security and Privacy Architecture and Design
SA-17(1) formal policy model
SA-17(2) security-relevant components
SA-17(3) formal correspondence
SA-17(4) informal correspondence
SA-17(5) conceptually simple design
SA-17(6) structure for testing
SA-17(7) structure for least privilege
SA-17(8) orchestration
SA-17(9) design diversity
SA-18 Tamper Resistance and Detection
SA-18(1) multiple phases of system development life cycle
SA-18(2) inspection of systems or components
SA-19 Component Authenticity
SA-19(1) anti-counterfeit training
SA-19(2) configuration control for component service and repair
SA-19(3) component disposal
SA-19(4) anti-counterfeit scanning
SA-20 Customized Development of Critical Components
SA-21 Developer Screening
SA-21(1) validation of screening
SA-22 Unsupported System Components
SA-22(1) alternative sources for continued support
SA-23 Specialization
31

SYSTEM AND COMMUNICATIONS PROTECTION FAMILY
SC-1 Policy and Procedures
SC-2 Separation of System and User Functionality
SC-2(1) interfaces for non-privileged users
SC-2(2) disassociability
SC-3 Security Function Isolation
SC-3(1) hardware separation
SC-3(2) access and flow control functions
SC-3(3) minimize nonsecurity functionality
SC-3(4) module coupling and cohesiveness
SC-3(5) layered structures
SC-4 Information in Shared System Resources
SC-4(1) security levels
SC-4(2) multilevel or periods processing
SC-5 Denial-of-Service Protection
SC-5(1) restrict ability to attack other systems
SC-5(2) capacity, bandwidth, and redundancy
SC-5(3) detection and monitoring
SC-6 Resource Availability
SC-7 Boundary Protection
SC-7(1) physically separated subnetworks
SC-7(2) public access
SC-7(3) access points
SC-7(4) external telecommunications services
SC-7(5) deny by default — allow by exception
SC-7(6) response to recognized failures
SC-7(7) split tunneling for remote devices
SC-7(8) route traffic to authenticated proxy servers
SC-7(9) restrict threatening outgoing communications traffic
SC-7(10) prevent exfiltration
SC-7(11) restrict incoming communications traffic
32

SC-7(12) host-based protection
SC-7(13) isolation of security tools, mechanisms, and support components
SC-7(14) protect against unauthorized physical connections

SC-7(15) networked privileged accesses
SC-7(16) prevent discovery of system components
SC-7(17) automated enforcement of protocol formats
SC-7(18) fail secure
SC-7(19) block communication from non-organizationally configured hosts
SC-7(20) dynamic isolation and segregation
SC-7(21) isolation of system components
SC-7(22) separate subnets for connecting to different security domains
SC-7(23) disable sender feedback on protocol validation failure
SC-7(24) personally identifiable information
SC-7(25) unclassified national security connections
SC-7(26) classified national security system connections
SC-7(27) unclassified non-national security system connections
SC-7(28) connections to public networks
SC-7(29) separate subnets to isolate functions
SC-8 Transmission Confidentiality and Integrity
SC-8(1) cryptographic protection
SC-8(2) pre- and post-transmission handling
SC-8(3) cryptographic protection for message externals
SC-8(4) conceal or randomize communications
SC-8(5) protected distribution system
SC-9 Transmission Confidentiality
SC-10 Network Disconnect
SC-11 Trusted Path
SC-11(1) irrefutable communications path
SC-12 Cryptographic Key Establishment and Management
SC-12(1) availability
33

SC-12(2) symmetric keys
SC-12(3) asymmetric keys
SC-12(4) pki certificates
SC-12(5) pki certificates / hardware tokens
SC-12(6) physical control of keys
SC-13 Cryptographic Protection
SC-13(1) fips-validated cryptography
SC-13(2) nsa-approved cryptography
SC-13(3) individuals without formal access approvals
SC-13(4) digital signatures
SC-14 Public Access Protections
SC-15 Collaborative Computing Devices and Applications
SC-15(1) physical or logical disconnect
SC-15(2) blocking inbound and outbound communications traffic
SC-15(3) disabling and removal in secure work areas
SC-15(4) explicitly indicate current participants
SC-16 Transmission of Security and Privacy Attributes
SC-16(1) integrity verification
SC-16(2) anti-spoofing mechanisms
SC-16(3) cryptographic binding
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-18(1) identify unacceptable code and take corrective actions
SC-18(2) acquisition, development, and use
SC-18(3) prevent downloading and execution
SC-18(4) prevent automatic execution
SC-18(5) allow execution only in confined environments
SC-19 Voice over Internet Protocol
SC-20 Secure Name/Address Resolution Service (Authoritative Source)
SC-20(1) child subspaces
SC-20(2) data origin and integrity
34

Secure Name/Address Resolution Service (Recursive or Caching
SC-21 Resolver)
SC-21(1) data origin and integrity
SC-22 Architecture and Provisioning for Name/Address Resolution

Service
SC-23 Session Authenticity
SC-23(1) invalidate session identifiers at logout
SC-23(2) user-initiated logouts and message displays
SC-23(3) unique system-generated session identifiers
SC-23(4) unique session identifiers with randomization
SC-23(5) allowed certificate authorities
SC-24 Fail in Known State
SC-25 Thin Nodes
SC-26 Decoys
SC-26(1) detection of malicious code
SC-27 Platform-Independent Applications
SC-28 Protection of Information at Rest
SC-28(1) cryptographic protection
SC-28(2) offline storage
SC-28(3) cryptographic keys
SC-29 Heterogeneity
SC-29(1) virtualization techniques
SC-30 Concealment and Misdirection
SC-30(1) virtualization techniques
SC-30(2) randomness
SC-30(3) change processing and storage locations
SC-30(4) misleading information
SC-30(5) concealment of system components
SC-31 Covert Channel Analysis
SC-31(1) test covert channels for exploitability
SC-31(2) maximum bandwidth
SC-31(3) measure bandwidth in operational environments
35

SC-32 System Partitioning
SC-32(1) separate physical domains for privileged functions
SC-33 Transmission Preparation Integrity
SC-34 Non-Modifiable Executable Programs
SC-34(1) no writable storage
SC-34(2) integrity protection and read-only media
SC-34(3) hardware-based protection
SC-35 External Malicious Code Identification
SC-36 Distributed Processing and Storage
SC-36(1) polling techniques
SC-36(2) synchronization
SC-37 Out-of-Band Channels
SC-37(1) ensure delivery and transmission
SC-38 Operations Security
SC-39 Process Isolation
SC-39(1) hardware separation
SC-39(2) separate execution domain per thread
SC-40 Wireless Link Protection
SC-40(1) electromagnetic interference
SC-40(2) reduce detection potential
SC-40(3) imitative or manipulative communications deception
SC-40(4) signal parameter identification
SC-41 Port and I/O Device Access
SC-42 Sensor Capability and Data
SC-42(1) reporting to authorized individuals or roles
SC-42(2) authorized use
SC-42(3) prohibit use of devices
SC-42(4) notice of collection
SC-42(5) collection minimization
SC-43 Usage Restrictions
SC-44 Detonation Chambers
36

SC-45 System Time Synchronization
SC-45(1) synchronization with authoritative time source
SC-45(2) secondary authoritative time source
SC-46 Cross Domain Policy Enforcement
SC-47 Alternate Communications Paths
SC-48 Sensor Relocation
SC-48(1) dynamic relocation of sensors or monitoring capabilities
SC-49 Hardware-Enforced Separation and Policy Enforcement
SC-50 Software-Enforced Separation and Policy Enforcement
SC-51 Hardware-Based Protection
SYSTEM AND INFORMATION INTEGRITY FAMILY
SI-1 Policy and Procedures
SI-2 Flaw Remediation
SI-2(1) central management
SI-2(2) automated flaw remediation status
SI-2(3) time to remediate flaws and benchmarks for corrective actions
SI-2(4) automated patch management tools
SI-2(5) automatic software and firmware updates
SI-2(6) removal of previous versions of software and firmware
SI-3 Malicious Code Protection
SI-3(2) automatic updates
SI-3(3) non-privileged users
SI-3(4) updates only by privileged users
SI-3(5) portable storage devices
SI-3(6) testing and verification
SI-3(7) nonsignature-based detection
SI-3(8) detect unauthorized commands
SI-3(9) authenticate remote commands
SI-3(10) malicious code analysis
SI-4 System Monitoring
37

SI-4(1) system-wide intrusion detection system
SI-4(2) automated tools and mechanisms for real-time analysis
SI-4(3) automated tool and mechanism integration
SI-4(4) inbound and outbound communications traffic
SI-4(5) system-generated alerts
SI-4(6) restrict non-privileged users
SI-4(7) automated response to suspicious events
SI-4(8) protection of monitoring information
SI-4(9) testing of monitoring tools and mechanisms
SI-4(10) visibility of encrypted communications
SI-4(11) analyze communications traffic anomalies
SI-4(12) automated organization-generated alerts
SI-4(13) analyze traffic and event patterns
SI-4(14) wireless intrusion detection
SI-4(15) wireless to wireline communications
SI-4(16) correlate monitoring information
SI-4(17) integrated situational awareness
SI-4(18) analyze traffic and covert exfiltration
SI-4(19) risk for individuals
SI-4(20) privileged users
SI-4(21) probationary periods
SI-4(22) unauthorized network services
SI-4(23) host-based devices
SI-4(24) indicators of compromise
SI-4(25) optimize network traffic analysis
SI-5 Security Alerts, Advisories, and Directives
SI-5(1) automated alerts and advisories
SI-6 Security and Privacy Function Verification
SI-6(1) notification of failed security tests
SI-6(2) automation support for distributed testing
SI-6(3) report verification results
38

SI-7 Software, Firmware, and Information Integrity
SI-7(1) integrity checks
SI-7(2) automated notifications of integrity violations
SI-7(3) centrally managed integrity tools
SI-7(4) tamper-evident packaging
SI-7(5) automated response to integrity violations
SI-7(6) cryptographic protection
SI-7(7) integration of detection and response
SI-7(8) auditing capability for significant events
SI-7(9) verify boot process
SI-7(10) protection of boot firmware
SI-7(11) confined environments with limited privileges
SI-7(12) integrity verification
SI-7(13) code execution in protected environments
SI-7(14) binary or machine executable code
SI-7(15) code authentication
SI-7(16) time limit on process execution without supervision
SI-7(17) runtime application self-protection
SI-8 Spam Protection
SI-8(2) automatic updates
SI-8(3) continuous learning capability
SI-9 Information Input Restrictions
SI-10 Information Input Validation
SI-10(1) manual override capability
SI-10(2) review and resolve errors
SI-10(3) predictable behavior
SI-10(4) timing interactions
SI-10(5) restrict inputs to trusted sources and approved formats
SI-10(6) injection prevention
SI-11 Error Handling
39

SI-12 Information Management and Retention
SI-12(1) limit personally identifiable information elements
SI-12(2) minimize personally identifiable information in testing, training, and

research
SI-12(3) information disposal
SI-13 Predictable Failure Prevention
SI-13(1) transferring component responsibilities
SI-13(2) time limit on process execution without supervision
SI-13(3) manual transfer between components
SI-13(4) standby component installation and notification
SI-13(5) failover capability
SI-14 Non-Persistence
SI-14(1) refresh from trusted sources
SI-14(2) non-persistent information
SI-14(3) non-persistent connectivity
SI-15 Information Output Filtering
SI-16 Memory Protection
SI-17 Fail-Safe Procedures
SI-18 Personally Identifiable Information Quality Operations
SI-18(1) automation support
SI-18(2) data tags
SI-18(3) collection
SI-18(4) individual requests
SI-18(5) notice of correction or deletion
SI-19 De-Identification
SI-19(1) collection
SI-19(2) archiving
SI-19(3) release
removal, masking, encryption, hashing, or replacement of direct
SI-19(4)
identifiers
SI-19(5) statistical disclosure control
SI-19(6) differential privacy
40

SI-19(7) validated algorithms software
SI-19(8) motivated intruder
SI-20 Tainting
SI-21 Information Refresh
SI-22 Information Diversity
SI-23 Information Fragmentation
SUPPLY CHAIN RISK MANAGEMENT FAMILY
SR-1 Policy and Procedures
SR-2 Supply Chain Risk Management Plan
SR-2(1) establish scrm team
SR-3 Supply Chain Controls and Processes
SR-3(1) diverse supply base
SR-3(2) limitation of harm
SR-3(3) sub-tier flow down
SR-4 Provenance
SR-4(1) identity
SR-4(2) track and trace
SR-4(3) validate as genuine and not altered
SR-4(4) supply chain integrity — pedigree
SR-5 Acquisition Strategies, Tools, and Methods
SR-5(1) adequate supply
SR-5(2) assessments prior to selection, acceptance, modification, or update
SR-6 Supplier Assessments and Reviews

SR-6(1) testing and analysis
SR-7 Supply Chain Operations Security
SR-8 Notification Agreements
SR-9 Tamper Resistance and Detection
SR-9(1) multiple stages of system development life cycle
SR-10 Inspection of Systems or Components
SR-11 Component Authenticity
SR-11(1) anti-counterfeit training
41

SR-11(2) configuration control for component service and repair
SR-11(3) anti-counterfeit scanning
SR-12 Component Disposal
42

Sp800-53-Collaboration-Index-Template 5544

Uploaded by

Copyright:

Available Formats

Sp800-53-Collaboration-Index-Template 5544

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sp800-53-Collaboration-Index-Template 5544

Uploaded by

Copyright:

Available Formats

NIST Special Publication (SP) 800-53, Revsion 5, Supplement

September 21, 2020

urity and Privacy Control Collaboration Index Template

T encourages organizations to share feedback by sending an email to [email protected] to help

T SP 800-53, Revision 5 can be accessed from: https://doi.org/10.6028/NIST.SP.800-53r5

AWARENESS AND TRAINING FAMILY

Control Control Name Collaboration

Control Control Name Collaboration

AC-6(10) prohibit non-privileged users from executing privileged functions

AC-7 Unsuccessful Logon Attempts

Control Control Name Collaboration

AC-14 Permitted Actions without Identification or Authentication

AC-14(1) necessary uses

Control Control Name Collaboration

AT-2(4) suspicious communications and anomalous system behavior

Control Control Name Collaboration

AT-3(4) suspicious communications and anomalous system behavior

AT-3(5) processing personally identifiable information

Control Control Name Collaboration

Control Control Name Collaboration

AU-12(4) query parameter audits of personally identifiable information

AU-13 Monitoring for Information Disclosure

Control Control Name Collaboration

Control Control Name Collaboration

CM-3(1) automated documentation, notification, and prohibition of changes

CM-3(2) testing, validation, and documentation of changes

Control Control Name Collaboration

Control Control Name Collaboration

Control Control Name Collaboration

Control Control Name Collaboration

IA-2(8) access to accounts — replay resistant

IA-2(9) network access to non-privileged accounts — replay resistant

IA-2(10) single sign-on

Control Control Name Collaboration

IA-8 Identification and Authentication (Non-Organizational Users)

IA-8(1) acceptance of piv credentials from other agencies

Control Control Name Collaboration

Control Control Name Collaboration

IR-7(1) automation support for availability of information and support

IR-7(2) coordination with external providers

Control Control Name Collaboration

Control Control Name Collaboration

Control Control Name Collaboration

PE-13(2) suppression systems — automatic activation and notification

PE-13(3) automatic fire suppression

Control Control Name Collaboration

PL-4(1) social media and external site/application usage restrictions

PL-5 Privacy Impact Assessment

Control Control Name Collaboration

PM-20(1) privacy policies on websites, applications, and digital services

PM-21 Accounting of Disclosures

Control Control Name Collaboration

Control Control Name Collaboration

RA-5(7) automated detection and notification of unauthorized components

Control Control Name Collaboration

Control Control Name Collaboration

Control Control Name Collaboration

Control Control Name Collaboration

SA-12(11) penetration testing / analysis of elements, processes, and actors