This document contains mappings of the CIS Critical Security Controls (CIS Controls) and CIS Safeguards t

Certification (CMMC) version 2.0

Last updated April 2023
Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]

Editors
Thomas Sager

Contributors
License for Use

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th
the prior approval of CIS® (Center for Internet Security, Inc.).
es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-

are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
als. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to
Mapping Methodology
Mapping Methodology

This page describes the methodology used to map the CIS Critical Security Controls to Cybersecurity Matu
Reference link for CMMC v2.0: https://www.acq.osd.mil/cmmc/documentation.html

The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
It is not enough for two Controls to be related, it must be clear that implementing one Control will contribute
The general strategy used is to identify all of the aspects within a Control and attempt to discern if both item

CIS Control 6.1 - Establish an Access Granting Process

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h

For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights

If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• No relationship: This will be represented by a blank cell.

The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m

The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.
If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
Remember to download the CIS Controls Version 8 Guide where you can learn more about:

- This Version of the CIS Controls

- The CIS Controls Ecosystem ("It's not about the list')
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Controls critical
- Procedures and tools
https://www.cisecurity.org/controls/v8/

A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/

Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
 CIS CIS Security
Asset Type Title
Control Safeguard Function
1 Inventory and Control of Enterprise Assets

Actively manage (inventory, track, and corr

mobile; network devices; non-computing/In
infrastructure physically, virtually, remotely
totality of assets that need to be monitored
identifying unauthorized and unmanaged as

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

1 1.2 Devices Respond Address Unauthorized Assets

1 1.2 Devices Respond Address Unauthorized Assets

1 1.3 Devices Detect Utilize an Active Discovery Tool

Use Dynamic Host

Configuration Protocol (DHCP)
1 1.4 Devices Identify
Logging to Update Enterprise
Asset Inventory

Use a Passive Asset Discovery

1 1.5 Devices Detect
Tool

2 Inventory and Control of Software Assets

Actively manage (inventory, track, and corr

network so that only authorized software is
software is found and prevented from insta

Establish and Maintain a

2 2.1 Applications Identify
Software Inventory

Ensure Authorized Software is

2 2.2 Applications Identify
Currently Supported

2 2.3 Applications Respond Address Unauthorized Software

2 2.3 Applications Respond Address Unauthorized Software

Utilize Automated Software

2 2.4 Applications Detect
Inventory Tools

2 2.5 Applications Protect Allowlist Authorized Software

2 2.5 Applications Protect Allowlist Authorized Software

2 2.5 Applications Protect Allowlist Authorized Software

2 2.5 Applications Protect Allowlist Authorized Software

2 2.6 Applications Protect Allowlist Authorized Libraries

2 2.7 Applications Protect Allowlist Authorized Scripts

3 Data Protection

Develop processes and technical controls t

Establish and Maintain a Data

3 3.1 Data Identify
Management Process

Establish and Maintain a Data

3 3.2 Data Identify
Inventory

Configure Data Access Control

3 3.3 Data Protect
Lists

Configure Data Access Control

3 3.3 Data Protect
Lists

Configure Data Access Control

3 3.3 Data Protect
Lists

Configure Data Access Control

3 3.3 Data Protect
Lists

Configure Data Access Control

3 3.3 Data Protect
Lists
3 3.4 Data Protect Enforce Data Retention

3 3.5 Data Protect Securely Dispose of Data

Encrypt Data on End-User

3 3.6 Devices Protect
Devices

Establish and Maintain a Data

3 3.7 Data Identify
Classification Scheme

3 3.8 Data Identify Document Data Flows

3 3.8 Data Identify Document Data Flows

3 3.8 Data Identify Document Data Flows

Encrypt Data on Removable

3 3.9 Data Protect
Media

Encrypt Data on Removable

3 3.9 Data Protect
Media

Encrypt Sensitive Data in

3 3.10 Data Protect
Transit

Encrypt Sensitive Data in

3 3.10 Data Protect
Transit
Encrypt Sensitive Data in
3 3.10 Data Protect
Transit
Encrypt Sensitive Data in
3 3.10 Data Protect
Transit
 Encrypt Sensitive Data in
3 3.10 Data Protect
Transit

Encrypt Sensitive Data in

3 3.10 Data Protect
Transit

3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

Segment Data Processing and

3 3.12 Network Protect
Storage Based on Sensitivity

Segment Data Processing and

3 3.12 Network Protect
Storage Based on Sensitivity

Segment Data Processing and

3 3.12 Network Protect
Storage Based on Sensitivity
 Segment Data Processing and
3 3.12 Network Protect
Storage Based on Sensitivity

Deploy a Data Loss Prevention

3 3.13 Data Protect
Solution

Deploy a Data Loss Prevention

3 3.13 Data Protect
Solution

Deploy a Data Loss Prevention

3 3.13 Data Protect
Solution

3 3.14 Data Detect Log Sensitive Data Access

4 Secure Configuration of Enterprise Assets a

Establish and maintain the secure configura
mobile; network devices; non-computing/Io
applications).

Establish and Maintain a

4 4.1 Applications Protect
Secure Configuration Process

Establish and Maintain a

4 4.1 Applications Protect
Secure Configuration Process

Establish and Maintain a

4 4.1 Applications Protect
Secure Configuration Process

Establish and Maintain a

4 4.1 Applications Protect
Secure Configuration Process
 Establish and Maintain a
4 4.1 Applications Protect
Secure Configuration Process

Establish and Maintain a

4 4.1 Applications Protect
Secure Configuration Process

Establish and Maintain a

4 4.2 Network Protect Secure Configuration Process
for Network Infrastructure

Establish and Maintain a

4 4.2 Network Protect Secure Configuration Process
for Network Infrastructure

Establish and Maintain a

4 4.2 Network Protect Secure Configuration Process
for Network Infrastructure

Establish and Maintain a

4 4.2 Network Protect Secure Configuration Process
for Network Infrastructure

Establish and Maintain a

4 4.2 Network Protect Secure Configuration Process
for Network Infrastructure

Establish and Maintain a

4 4.2 Network Protect Secure Configuration Process
for Network Infrastructure

Configure Automatic Session

4 4.3 Users Protect
Locking on Enterprise Assets

Configure Automatic Session

4 4.3 Users Protect
Locking on Enterprise Assets

Implement and Manage a

4 4.4 Devices Protect
Firewall on Servers

Implement and Manage a

4 4.4 Devices Protect
Firewall on Servers
 Implement and Manage a
4 4.4 Devices Protect
Firewall on Servers

Implement and Manage a

4 4.4 Devices Protect
Firewall on Servers

Implement and Manage a

4 4.5 Devices Protect
Firewall on End-User Devices

Implement and Manage a

4 4.5 Devices Protect
Firewall on End-User Devices

Implement and Manage a

4 4.5 Devices Protect
Firewall on End-User Devices

Implement and Manage a

4 4.5 Devices Protect
Firewall on End-User Devices

Securely Manage Enterprise

4 4.6 Network Protect
Assets and Software

Manage Default Accounts on

4 4.7 Users Protect
Enterprise Assets and Software

Uninstall or Disable
4 4.8 Devices Protect Unnecessary Services on
Enterprise Assets and Software

Uninstall or Disable
4 4.8 Devices Protect Unnecessary Services on
Enterprise Assets and Software

Uninstall or Disable
4 4.8 Devices Protect Unnecessary Services on
Enterprise Assets and Software
 Configure Trusted DNS Servers
4 4.9 Devices Protect
on Enterprise Assets

Enforce Automatic Device

4 4.10 Devices Respond Lockout on Portable End-User
Devices

Enforce Automatic Device

4 4.10 Devices Respond Lockout on Portable End-User
Devices

Enforce Remote Wipe

4 4.11 Devices Protect Capability on Portable End-User
Devices

Separate Enterprise
4 4.12 Devices Protect Workspaces on Mobile End-
User Devices

5 Account Management

Use processes and tools to assign and man

administrator accounts, as well as service a

Establish and Maintain an

5 5.1 Users Identify
Inventory of Accounts

5 5.2 Users Protect Use Unique Passwords

5 5.3 Users Respond Disable Dormant Accounts

Restrict Administrator Privileges

5 5.4 Users Protect to Dedicated Administrator
Accounts
 Restrict Administrator Privileges
5 5.4 Users Protect to Dedicated Administrator
Accounts

Restrict Administrator Privileges

5 5.4 Users Protect to Dedicated Administrator
Accounts

Restrict Administrator Privileges

5 5.4 Users Protect to Dedicated Administrator
Accounts

Establish and Maintain an

5 5.5 Users Identify
Inventory of Service Accounts

Centralize Account
5 5.6 Users Protect
Management
6 Access Control Management
Use processes and tools to create, assign,
administrator, and service accounts for ent

Establish an Access Granting

6 6.1 Users Protect
Process

Establish an Access Granting

6 6.1 Users Protect
Process

Establish an Access Revoking

6 6.2 Users Protect
Process

Require MFA for Externally-

6 6.3 Users Protect
Exposed Applications

Require MFA for Remote

6 6.4 Users Protect
Network Access
Require MFA for Remote
6 6.4 Users Protect
Network Access

Require MFA for Remote

6 6.4 Users Protect
Network Access
 Require MFA for Remote
6 6.4 Users Protect
Network Access

Require MFA for Administrative

6 6.5 Users Protect
Access
Require MFA for Administrative
6 6.5 Users Protect
Access

Require MFA for Administrative

6 6.5 Users Protect
Access

Establish and Maintain an

6 6.6 Users Identify Inventory of Authentication and
Authorization Systems

6 6.7 Users Protect Centralize Access Control

Define and Maintain Role-

6 6.8 Data Protect
Based Access Control

Define and Maintain Role-

6 6.8 Data Protect
Based Access Control

Define and Maintain Role-

6 6.8 Data Protect
Based Access Control

Define and Maintain Role-

6 6.8 Data Protect
Based Access Control

7 Continuous Vulnerability Management

Develop a plan to continuously assess and
infrastructure, in order to remediate, and m
private industry sources for new threat and
 Establish and Maintain a
7 7.1 Applications Protect Vulnerability Management
Process

Establish and Maintain a

7 7.1 Applications Protect Vulnerability Management
Process

Establish and Maintain a

7 7.1 Applications Protect Vulnerability Management
Process
Establish and Maintain a
7 7.2 Applications Respond
Remediation Process

Establish and Maintain a

7 7.2 Applications Respond
Remediation Process

Perform Automated Operating

7 7.3 Applications Protect
System Patch Management
Perform Automated Application
7 7.4 Applications Protect
Patch Management

Perform Automated
7 7.5 Applications Identify Vulnerability Scans of Internal
Enterprise Assets

Perform Automated
7 7.5 Applications Identify Vulnerability Scans of Internal
Enterprise Assets

Perform Automated
Vulnerability Scans of
7 7.6 Applications Identify
Externally-Exposed Enterprise
Assets
Perform Automated
Vulnerability Scans of
7 7.6 Applications Identify
Externally-Exposed Enterprise
Assets
Remediate Detected
7 7.7 Applications Respond
Vulnerabilities

Remediate Detected
7 7.7 Applications Respond
Vulnerabilities

Remediate Detected
7 7.7 Applications Respond
Vulnerabilities
8 Audit Log Management
Collect, alert, review, and retain audit logs o
attack.

Establish and Maintain an Audit

8 8.1 Network Protect
Log Management Process

8 8.2 Network Detect Collect Audit Logs

Ensure Adequate Audit Log

8 8.3 Network Protect
Storage

Standardize Time
8 8.4 Network Protect
Synchronization

8 8.5 Network Detect Collect Detailed Audit Logs

8 8.6 Network Detect Collect DNS Query Audit Logs

Collect URL Request Audit
8 8.7 Network Detect
Logs
Collect Command-Line Audit
8 8.8 Devices Detect
Logs

8 8.9 Network Detect Centralize Audit Logs

8 8.10 Network Protect Retain Audit Logs

8 8.11 Network Detect Conduct Audit Log Reviews

8 8.12 Data Detect Collect Service Provider Logs

9 Email and Web Browser Protections

Improve protections and detections of threa
attackers to manipulate human behavior thr

Ensure Use of Only Fully

9 9.1 Applications Protect Supported Browsers and Email
Clients
 Ensure Use of Only Fully
9 9.1 Applications Protect Supported Browsers and Email
Clients

9 9.2 Network Protect Use DNS Filtering Services

Maintain and Enforce Network-

9 9.3 Network Protect
Based URL Filters

Restrict Unnecessary or
9 9.4 Applications Protect Unauthorized Browser and
Email Client Extensions

Restrict Unnecessary or
9 9.4 Applications Protect Unauthorized Browser and
Email Client Extensions

9 9.5 Network Protect Implement DMARC

9 9.6 Network Protect Block Unnecessary File Types

9 9.6 Network Protect Block Unnecessary File Types

Deploy and Maintain Email
9 9.7 Network Protect Server Anti-Malware
Protections
10 Malware Defenses

Prevent or control the installation, spread, a

enterprise assets.

Deploy and Maintain Anti-

10 10.1 Devices Protect
Malware Software
Configure Automatic Anti-
10 10.2 Devices Protect
Malware Signature Updates
Disable Autorun and Autoplay
10 10.3 Devices Protect
for Removable Media
Configure Automatic Anti-
10 10.4 Devices Detect Malware Scanning of
Removable Media

Configure Automatic Anti-

10 10.4 Devices Detect Malware Scanning of
Removable Media
 Enable Anti-Exploitation
10 10.5 Devices Protect
Features

Centrally Manage Anti-Malware

10 10.6 Devices Protect
Software
Use Behavior-Based Anti-
10 10.7 Devices Detect
Malware Software
11 Data Recovery
Establish and maintain data recovery practi
and trusted state.

Establish and Maintain a Data

11 11.1 Data Recover
Recovery Process

11 11.2 Data Recover Perform Automated Backups

11 11.3 Data Protect Protect Recovery Data

Establish and Maintain an

11 11.4 Data Recover Isolated Instance of Recovery
Data

11 11.5 Data Recover Test Data Recovery

Network Infrastructure
12
Management
Establish, implement, and actively manage
attackers from exploiting vulnerable networ

Ensure Network Infrastructure is

12 12.1 Network Protect
Up-to-Date

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture
 Establish and Maintain a
12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Establish and Maintain a

12 12.2 Network Protect
Secure Network Architecture

Securely Manage Network

12 12.3 Network Protect
Infrastructure

Establish and Maintain

12 12.4 Network Identify
Architecture Diagram(s)

Establish and Maintain

12 12.4 Network Identify
Architecture Diagram(s)
 Centralize Network
12 12.5 Network Protect Authentication, Authorization,
and Auditing (AAA)

Use of Secure Network

12 12.6 Network Protect Management and
Communication Protocols

Use of Secure Network

12 12.6 Network Protect Management and
Communication Protocols

Use of Secure Network

12 12.6 Network Protect Management and
Communication Protocols

Use of Secure Network

12 12.6 Network Protect Management and
Communication Protocols

Use of Secure Network

12 12.6 Network Protect Management and
Communication Protocols
Ensure Remote Devices Utilize
a VPN and are Connecting to
12 12.7 Devices Protect
an Enterprise’s AAA
Infrastructure
Ensure Remote Devices Utilize
a VPN and are Connecting to
12 12.7 Devices Protect
an Enterprise’s AAA
Infrastructure
Ensure Remote Devices Utilize
a VPN and are Connecting to
12 12.7 Devices Protect
an Enterprise’s AAA
Infrastructure
Ensure Remote Devices Utilize
a VPN and are Connecting to
12 12.7 Devices Protect
an Enterprise’s AAA
Infrastructure
Ensure Remote Devices Utilize
a VPN and are Connecting to
12 12.7 Devices Protect
an Enterprise’s AAA
Infrastructure

Establish and Maintain

Dedicated Computing
12 12.8 Devices Protect
Resources for All Administrative
Work
 Network Monitoring and
13
Defense

Operate processes and tooling to establish

against security threats across the enterpri

Centralize Security Event

13 13.1 Network Detect
Alerting

Centralize Security Event

13 13.1 Network Detect
Alerting

Centralize Security Event

13 13.1 Network Detect
Alerting

Centralize Security Event

13 13.1 Network Detect
Alerting

Deploy a Host-Based Intrusion

13 13.2 Devices Detect
Detection Solution

Deploy a Host-Based Intrusion

13 13.2 Devices Detect
Detection Solution

Deploy a Network Intrusion

13 13.3 Network Detect
Detection Solution

Deploy a Network Intrusion

13 13.3 Network Detect
Detection Solution

Perform Traffic Filtering

13 13.4 Network Protect
Between Network Segments
 Perform Traffic Filtering
13 13.4 Network Protect
Between Network Segments

Manage Access Control for

13 13.5 Devices Protect
Remote Assets

Manage Access Control for

13 13.5 Devices Protect
Remote Assets

Manage Access Control for

13 13.5 Devices Protect
Remote Assets

Manage Access Control for

13 13.5 Devices Protect
Remote Assets

Manage Access Control for

13 13.5 Devices Protect
Remote Assets

Collect Network Traffic Flow

13 13.6 Network Detect
Logs

Collect Network Traffic Flow

13 13.6 Network Detect
Logs

Collect Network Traffic Flow

13 13.6 Network Detect
Logs

Deploy a Host-Based Intrusion

13 13.7 Devices Protect
Prevention Solution

Deploy a Network Intrusion

13 13.8 Network Protect
Prevention Solution

Deploy Port-Level Access

13 13.9 Devices Protect
Control
 Deploy Port-Level Access
13 13.9 Devices Protect
Control

Deploy Port-Level Access

13 13.9 Devices Protect
Control

Perform Application Layer

13 13.10 Network Protect
Filtering

Perform Application Layer

13 13.10 Network Protect
Filtering

Tune Security Event Alerting

13 13.11 Network Detect
Thresholds
14 Security Awareness and Skills Training
Establish and maintain a security awarenes
security conscious and properly skilled to r

Establish and Maintain a

14 14.1 N/A Protect
Security Awareness Program

Train Workforce Members to

14 14.2 N/A Protect Recognize Social Engineering
Attacks
Train Workforce Members on
14 14.3 N/A Protect
Authentication Best Practices

Train Workforce on Data

14 14.4 N/A Protect
Handling Best Practices

Train Workforce Members on

14 14.5 N/A Protect Causes of Unintentional Data
Exposure

Train Workforce Members on

14 14.6 N/A Protect Recognizing and Reporting
Security Incidents
 Train Workforce Members on
14 14.6 N/A Protect Recognizing and Reporting
Security Incidents

Train Workforce on How to

Identify and Report if Their
14 14.7 N/A Protect
Enterprise Assets are Missing
Security Updates

Train Workforce on the Dangers

of Connecting to and
14 14.8 N/A Protect
Transmitting Enterprise Data
Over Insecure Networks

Conduct Role-Specific Security

14 14.9 N/A Protect
Awareness and Skills Training

Conduct Role-Specific Security

14 14.9 N/A Protect
Awareness and Skills Training

15 Service Provider Management

Develop a process to evaluate service prov
critical IT platforms or processes, to ensure
appropriately.

Establish and Maintain an

15 15.1 N/A Identify
Inventory of Service Providers

Establish and Maintain a

15 15.2 N/A Identify Service Provider Management
Policy

15 15.3 N/A Identify Classify Service Providers

 Ensure Service Provider
15 15.4 N/A Protect Contracts Include Security
Requirements

15 15.5 N/A Identify Assess Service Providers

15 15.6 Data Detect Monitor Service Providers

Securely Decommission
15 15.7 Data Protect
Service Providers

16 Application Software Security

Manage the security life cycle of in-house d
remediate security weaknesses before they

Establish and Maintain a

16 16.1 Applications Protect Secure Application
Development Process

Establish and Maintain a

16 16.2 Applications Protect Process to Accept and Address
Software Vulnerabilities
 Perform Root Cause Analysis
16 16.3 Applications Protect
on Security Vulnerabilities

Establish and Manage an

16 16.4 Applications Protect Inventory of Third-Party
Software Components

Use Up-to-Date and Trusted

16 16.5 Applications Protect Third-Party Software
Components

Establish and Maintain a

Severity Rating System and
16 16.6 Applications Protect
Process for Application
Vulnerabilities

Use Standard Hardening

16 16.7 Applications Protect Configuration Templates for
Application Infrastructure

Separate Production and Non-

16 16.8 Applications Protect
Production Systems

Train Developers in Application

16 16.9 Applications Protect Security Concepts and Secure
Coding

Apply Secure Design Principles

16 16.10 Applications Protect
in Application Architectures
 Leverage Vetted Modules or
16 16.11 Applications Protect Services for Application
Security Components

Implement Code-Level Security

16 16.12 Applications Protect
Checks

Conduct Application Penetration

16 16.13 Applications Protect
Testing

16 16.14 Applications Protect Conduct Threat Modeling

17 Incident Response Management

Establish a program to develop and maintai
defined roles, training, and communications

Designate Personnel to Manage

17 17.1 N/A Respond
Incident Handling

Establish and Maintain Contact

17 17.2 N/A Respond Information for Reporting
Security Incidents
 Establish and Maintain an
17 17.3 N/A Respond Enterprise Process for
Reporting Incidents

Establish and Maintain an

17 17.3 N/A Respond Enterprise Process for
Reporting Incidents

Establish and Maintain an

17 17.4 N/A Respond
Incident Response Process

Assign Key Roles and

17 17.5 N/A Respond
Responsibilities

Define Mechanisms for

17 17.6 N/A Respond Communicating During Incident
Response

Conduct Routine Incident

17 17.7 N/A Recover
Response Exercises

17 17.8 N/A Recover Conduct Post-Incident Reviews

Establish and Maintain Security

17 17.9 N/A Recover
Incident Thresholds

18 Penetration Testing
Test the effectiveness and resiliency of ente
controls (people, processes, and technolog
 Establish and Maintain a
18 18.1 N/A Identify
Penetration Testing Program

Perform Periodic External

18 18.2 Network Identify
Penetration Tests

Remediate Penetration Test

18 18.3 Network Protect
Findings

18 18.4 Network Protect Validate Security Measures

Perform Periodic Internal

18 18.5 N/A Identify
Penetration Tests
 Description IG1

l of Enterprise Assets

entory, track, and correct) all enterprise assets (end-user devices, including portable and
ces; non-computing/Internet of Things (IoT) devices; and servers) connected to the
ally, virtually, remotely, and those within cloud environments, to accurately know the
need to be monitored and protected within the enterprise. This will also support
zed and unmanaged assets to remove or remediate.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
X
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly
connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually,
or more frequently.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
X
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly
connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually,
or more frequently.

Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from X
connecting remotely to the network, or quarantine the asset.

Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from X
connecting remotely to the network, or quarantine the asset.
 Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management
tools to update the enterprise’s asset inventory. Review and use logs to update the
enterprise’s asset inventory weekly, or more frequently.

Use a passive discovery tool to identify assets connected to the enterprise’s network.
Review and use scans to update the enterprise’s asset inventory at least weekly, or
more frequently.
l of Software Assets

entory, track, and correct) all software (operating systems and applications) on the
authorized software is installed and can execute, and that unauthorized and unmanaged
d prevented from installation or execution.

Establish and maintain a detailed inventory of all licensed software installed on

enterprise assets. The software inventory must document the title, publisher, initial
install/use date, and business purpose for each entry; where appropriate, include the
X
Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism,
and decommission date. Review and update the software inventory bi-annually, or
more frequently.

Ensure that only currently supported software is designated as authorized in the

software inventory for enterprise assets. If software is unsupported, yet necessary for
the fulfillment of the enterprise’s mission, document an exception detailing mitigating
X
controls and residual risk acceptance. For any unsupported software without an
exception documentation, designate as unauthorized. Review the software list to verify
software support at least monthly, or more frequently.

Ensure that unauthorized software is either removed from use on enterprise assets or
X
receives a documented exception. Review monthly, or more frequently.

Ensure that unauthorized software is either removed from use on enterprise assets or
X
receives a documented exception. Review monthly, or more frequently.

Utilize software inventory tools, when possible, throughout the enterprise to automate
the discovery and documentation of installed software.

Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.

Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.
 Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.

Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.

Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.
Use technical controls, such as digital signatures and version control, to ensure that
only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute.
Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.

nd technical controls to identify, classify, securely handle, retain, and dispose of data.

Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise. Review X
and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory X
annually, at a minimum, with a priority on sensitive data.

Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems, X
databases, and applications.

Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems, X
databases, and applications.

Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems, X
databases, and applications.

Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems, X
databases, and applications.

Configure data access control lists based on a user’s need to know. Apply data access
control lists, also known as access permissions, to local and remote file systems, X
databases, and applications.
Retain data according to the enterprise’s data management process. Data retention
X
must include both minimum and maximum timelines.

Securely dispose of data as outlined in the enterprise’s data management process.

X
Ensure the disposal process and method are commensurate with the data sensitivity.

Encrypt data on end-user devices containing sensitive data. Example implementations

X
can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and update the classification
scheme annually, or when significant enterprise changes occur that could impact this
Safeguard.
Document data flows. Data flow documentation includes service provider data flows
and should be based on the enterprise’s data management process. Review and
update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Document data flows. Data flow documentation includes service provider data flows
and should be based on the enterprise’s data management process. Review and
update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Document data flows. Data flow documentation includes service provider data flows
and should be based on the enterprise’s data management process. Review and
update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Encrypt data on removable media.

Encrypt data on removable media.

Encrypt sensitive data in transit. Example implementations can include: Transport

Layer Security (TLS) and Open Secure Shell (OpenSSH).

Encrypt sensitive data in transit. Example implementations can include: Transport

Layer Security (TLS) and Open Secure Shell (OpenSSH).
Encrypt sensitive data in transit. Example implementations can include: Transport
Layer Security (TLS) and Open Secure Shell (OpenSSH).
Encrypt sensitive data in transit. Example implementations can include: Transport
Layer Security (TLS) and Open Secure Shell (OpenSSH).
Encrypt sensitive data in transit. Example implementations can include: Transport
Layer Security (TLS) and Open Secure Shell (OpenSSH).

Encrypt sensitive data in transit. Example implementations can include: Transport

Layer Security (TLS) and Open Secure Shell (OpenSSH).

Encrypt sensitive data at rest on servers, applications, and databases containing

sensitive data. Storage-layer encryption, also known as server-side encryption, meets
the minimum requirement of this Safeguard. Additional encryption methods may
include application-layer encryption, also known as client-side encryption, where
access to the data storage device(s) does not permit access to the plain-text data.

Encrypt sensitive data at rest on servers, applications, and databases containing

sensitive data. Storage-layer encryption, also known as server-side encryption, meets
the minimum requirement of this Safeguard. Additional encryption methods may
include application-layer encryption, also known as client-side encryption, where
access to the data storage device(s) does not permit access to the plain-text data.

Encrypt sensitive data at rest on servers, applications, and databases containing

sensitive data. Storage-layer encryption, also known as server-side encryption, meets
the minimum requirement of this Safeguard. Additional encryption methods may
include application-layer encryption, also known as client-side encryption, where
access to the data storage device(s) does not permit access to the plain-text data.

Encrypt sensitive data at rest on servers, applications, and databases containing

sensitive data. Storage-layer encryption, also known as server-side encryption, meets
the minimum requirement of this Safeguard. Additional encryption methods may
include application-layer encryption, also known as client-side encryption, where
access to the data storage device(s) does not permit access to the plain-text data.

Encrypt sensitive data at rest on servers, applications, and databases containing

sensitive data. Storage-layer encryption, also known as server-side encryption, meets
the minimum requirement of this Safeguard. Additional encryption methods may
include application-layer encryption, also known as client-side encryption, where
access to the data storage device(s) does not permit access to the plain-text data.

Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.

Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.

Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.
 Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.

Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's sensitive data inventory.

Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's sensitive data inventory.

Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise
assets, including those located onsite or at a remote service provider, and update the
enterprise's sensitive data inventory.

Log sensitive data access, including modification and disposal.

of Enterprise Assets and Software

in the secure configuration of enterprise assets (end-user devices, including portable and
ces; non-computing/IoT devices; and servers) and software (operating systems and

Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation X
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation X
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation X
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation X
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation X
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user
devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation X
annually, or when significant enterprise changes occur that could impact this
Safeguard.

Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that X
could impact this Safeguard.

Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that X
could impact this Safeguard.

Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that X
could impact this Safeguard.

Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that X
could impact this Safeguard.

Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that X
could impact this Safeguard.

Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that X
could impact this Safeguard.

Configure automatic session locking on enterprise assets after a defined period of

inactivity. For general purpose operating systems, the period must not exceed 15 X
minutes. For mobile end-user devices, the period must not exceed 2 minutes.

Configure automatic session locking on enterprise assets after a defined period of

inactivity. For general purpose operating systems, the period must not exceed 15 X
minutes. For mobile end-user devices, the period must not exceed 2 minutes.

Implement and manage a firewall on servers, where supported. Example

implementations include a virtual firewall, operating system firewall, or a third-party X
firewall agent.

Implement and manage a firewall on servers, where supported. Example

implementations include a virtual firewall, operating system firewall, or a third-party X
firewall agent.
Implement and manage a firewall on servers, where supported. Example
implementations include a virtual firewall, operating system firewall, or a third-party X
firewall agent.

Implement and manage a firewall on servers, where supported. Example

implementations include a virtual firewall, operating system firewall, or a third-party X
firewall agent.

Implement and manage a host-based firewall or port-filtering tool on end-user devices,

with a default-deny rule that drops all traffic except those services and ports that are X
explicitly allowed.

Implement and manage a host-based firewall or port-filtering tool on end-user devices,

with a default-deny rule that drops all traffic except those services and ports that are X
explicitly allowed.

Implement and manage a host-based firewall or port-filtering tool on end-user devices,

with a default-deny rule that drops all traffic except those services and ports that are X
explicitly allowed.

Implement and manage a host-based firewall or port-filtering tool on end-user devices,

with a default-deny rule that drops all traffic except those services and ports that are X
explicitly allowed.
Securely manage enterprise assets and software. Example implementations include
managing configuration through version-controlled-infrastructure-as-code and
accessing administrative interfaces over secure network protocols, such as Secure
X
Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure
management protocols, such as Telnet (Teletype Network) and HTTP, unless
operationally essential.
Manage default accounts on enterprise assets and software, such as root,
administrator, and other pre-configured vendor accounts. Example implementations X
can include: disabling default accounts or making them unusable.

Uninstall or disable unnecessary services on enterprise assets and software, such as

an unused file sharing service, web application module, or service function.

Uninstall or disable unnecessary services on enterprise assets and software, such as

an unused file sharing service, web application module, or service function.

Uninstall or disable unnecessary services on enterprise assets and software, such as

an unused file sharing service, web application module, or service function.
 Configure trusted DNS servers on enterprise assets. Example implementations
include: configuring assets to use enterprise-controlled DNS servers and/or reputable
externally accessible DNS servers.

Enforce automatic device lockout following a predetermined threshold of local failed

authentication attempts on portable end-user devices, where supported. For laptops,
do not allow more than 20 failed authentication attempts; for tablets and smartphones,
no more than 10 failed authentication attempts. Example implementations include
Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.

Enforce automatic device lockout following a predetermined threshold of local failed

authentication attempts on portable end-user devices, where supported. For laptops,
do not allow more than 20 failed authentication attempts; for tablets and smartphones,
no more than 10 failed authentication attempts. Example implementations include
Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.

Remotely wipe enterprise data from enterprise-owned portable end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer
supports the enterprise.

Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal
applications and data.

ools to assign and manage authorization to credentials for user accounts, including
ts, as well as service accounts, to enterprise assets and software.

Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a
minimum, should contain the person’s name, username, start/stop dates, and X
department. Validate that all active accounts are authorized, on a recurring schedule at
a minimum quarterly, or more frequently.

Use unique passwords for all enterprise assets. Best practice implementation includes,
at a minimum, an 8-character password for accounts using MFA and a 14-character X
password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
X
supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise
assets. Conduct general computing activities, such as internet browsing, email, and X
productivity suite use, from the user’s primary, non-privileged account.
 Restrict administrator privileges to dedicated administrator accounts on enterprise
assets. Conduct general computing activities, such as internet browsing, email, and X
productivity suite use, from the user’s primary, non-privileged account.

Restrict administrator privileges to dedicated administrator accounts on enterprise

assets. Conduct general computing activities, such as internet browsing, email, and X
productivity suite use, from the user’s primary, non-privileged account.

Restrict administrator privileges to dedicated administrator accounts on enterprise

assets. Conduct general computing activities, such as internet browsing, email, and X
productivity suite use, from the user’s primary, non-privileged account.

Establish and maintain an inventory of service accounts. The inventory, at a minimum,

must contain department owner, review date, and purpose. Perform service account
reviews to validate that all active accounts are authorized, on a recurring schedule at a
minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.

ools to create, assign, manage, and revoke access credentials and privileges for user,
rvice accounts for enterprise assets and software.

Establish and follow a process, preferably automated, for granting access to enterprise
X
assets upon new hire, rights grant, or role change of a user.

Establish and follow a process, preferably automated, for granting access to enterprise
X
assets upon new hire, rights grant, or role change of a user.

Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
X
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.

Require all externally-exposed enterprise or third-party applications to enforce MFA,

where supported. Enforcing MFA through a directory service or SSO provider is a X
satisfactory implementation of this Safeguard.

Require MFA for remote network access. X

Require MFA for remote network access. X

Require MFA for remote network access. X

 Require MFA for remote network access. X

Require MFA for all administrative access accounts, where supported, on all enterprise
X
assets, whether managed on-site or through a third-party provider.
Require MFA for all administrative access accounts, where supported, on all enterprise
X
assets, whether managed on-site or through a third-party provider.

Require MFA for all administrative access accounts, where supported, on all enterprise
X
assets, whether managed on-site or through a third-party provider.

Establish and maintain an inventory of the enterprise’s authentication and

authorization systems, including those hosted on-site or at a remote service provider.
Review and update the inventory, at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.

Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.

Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.

Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.

Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.
ility Management
ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
er to remediate, and minimize, the window of opportunity for attackers. Monitor public and
ces for new threat and vulnerability information.
Establish and maintain a documented vulnerability management process for enterprise
assets. Review and update documentation annually, or when significant enterprise X
changes occur that could impact this Safeguard.

Establish and maintain a documented vulnerability management process for enterprise

assets. Review and update documentation annually, or when significant enterprise X
changes occur that could impact this Safeguard.

Establish and maintain a documented vulnerability management process for enterprise

assets. Review and update documentation annually, or when significant enterprise X
changes occur that could impact this Safeguard.
Establish and maintain a risk-based remediation strategy documented in a remediation
X
process, with monthly, or more frequent, reviews.

Establish and maintain a risk-based remediation strategy documented in a remediation

X
process, with monthly, or more frequent, reviews.

Perform operating system updates on enterprise assets through automated patch

X
management on a monthly, or more frequent, basis.
Perform application updates on enterprise assets through automated patch
X
management on a monthly, or more frequent, basis.

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or

more frequent, basis. Conduct both authenticated and unauthenticated scans, using a
SCAP-compliant vulnerability scanning tool.

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or

more frequent, basis. Conduct both authenticated and unauthenticated scans, using a
SCAP-compliant vulnerability scanning tool.

Perform automated vulnerability scans of externally-exposed enterprise assets using a

SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more
frequent, basis.

Perform automated vulnerability scans of externally-exposed enterprise assets using a

SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more
frequent, basis.
Remediate detected vulnerabilities in software through processes and tooling on a
monthly, or more frequent, basis, based on the remediation process.

Remediate detected vulnerabilities in software through processes and tooling on a

monthly, or more frequent, basis, based on the remediation process.

Remediate detected vulnerabilities in software through processes and tooling on a

monthly, or more frequent, basis, based on the remediation process.
 and retain audit logs of events that could help detect, understand, or recover from an

Establish and maintain an audit log management process that defines the enterprise’s
logging requirements. At a minimum, address the collection, review, and retention of
X
audit logs for enterprise assets. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management
X
process, has been enabled across enterprise assets.

Ensure that logging destinations maintain adequate storage to comply with the
X
enterprise’s audit log management process.

Standardize time synchronization. Configure at least two synchronized time sources

across enterprise assets, where supported.

Configure detailed audit logging for enterprise assets containing sensitive data. Include
event source, date, username, timestamp, source addresses, destination addresses,
and other useful elements that could assist in a forensic investigation.

Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit
logs from PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise
assets.
Retain audit logs across enterprise assets for a minimum of 90 days.

Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

Collect service provider logs, where supported. Example implementations include

collecting authentication and authorization events, data creation and disposal events,
and user management events.
ser Protections
and detections of threats from email and web vectors, as these are opportunities for
ate human behavior through direct engagement.

Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided through X
the vendor.
 Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided through X
the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious
X
domains.
Enforce and update network-based URL filters to limit an enterprise asset from
connecting to potentially malicious or unapproved websites. Example implementations
include category-based filtering, reputation-based filtering, or through the use of block
lists. Enforce filters for all enterprise assets.

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary

browser or email client plugins, extensions, and add-on applications.

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary

browser or email client plugins, extensions, and add-on applications.

To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.

Block unnecessary file types attempting to enter the enterprise’s email gateway.

Deploy and maintain email server anti-malware protections, such as attachment

scanning and/or sandboxing.

e installation, spread, and execution of malicious applications, code, or scripts on

Deploy and maintain anti-malware software on all enterprise assets. X

Configure automatic updates for anti-malware signature files on all enterprise assets. X

Disable autorun and autoplay auto-execute functionality for removable media. X

Configure anti-malware software to automatically scan removable media.

Configure anti-malware software to automatically scan removable media.

 Enable anti-exploitation features on enterprise assets and software, where possible,
such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit
Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

Centrally manage anti-malware software.

Use behavior-based anti-malware software.

in data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident

Establish and maintain a data recovery process. In the process, address the scope of
data recovery activities, recovery prioritization, and the security of backup data.
X
Review and update documentation annually, or when significant enterprise changes
occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or
X
more frequently, based on the sensitivity of the data.

Protect recovery data with equivalent controls to the original data. Reference
X
encryption or data separation, based on requirements.

Establish and maintain an isolated instance of recovery data. Example

implementations include, version controlling backup destinations through offline, cloud, X
or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope
enterprise assets.

, and actively manage (track, report, correct) network devices, in order to prevent
ting vulnerable network services and access points.

Ensure network infrastructure is kept up-to-date. Example implementations include

running the latest stable release of software and/or using currently supported network-
X
as-a-service (NaaS) offerings. Review software versions monthly, or more frequently,
to verify software support.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.
Establish and maintain a secure network architecture. A secure network architecture
must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture

must address segmentation, least privilege, and availability, at a minimum.

Securely manage network infrastructure. Example implementations include version-

controlled-infrastructure-as-code, and the use of secure network protocols, such as
SSH and HTTPS.

Establish and maintain architecture diagram(s) and/or other network system

documentation. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.

Establish and maintain architecture diagram(s) and/or other network system

documentation. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.
Centralize network AAA.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).

Require users to authenticate to enterprise-managed VPN and authentication services

prior to accessing enterprise resources on end-user devices.

Require users to authenticate to enterprise-managed VPN and authentication services

prior to accessing enterprise resources on end-user devices.

Require users to authenticate to enterprise-managed VPN and authentication services

prior to accessing enterprise resources on end-user devices.

Require users to authenticate to enterprise-managed VPN and authentication services

prior to accessing enterprise resources on end-user devices.

Require users to authenticate to enterprise-managed VPN and authentication services

prior to accessing enterprise resources on end-user devices.

Establish and maintain dedicated computing resources, either physically or logically

separated, for all administrative tasks or tasks requiring administrative access. The
computing resources should be segmented from the enterprise's primary network and
not be allowed internet access.
nd tooling to establish and maintain comprehensive network monitoring and defense
ats across the enterprise’s network infrastructure and user base.

Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.

Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.

Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.

Centralize security event alerting across enterprise assets for log correlation and
analysis. Best practice implementation requires the use of a SIEM, which includes
vendor-defined event correlation alerts. A log analytics platform configured with
security-relevant correlation alerts also satisfies this Safeguard.

Deploy a host-based intrusion detection solution on enterprise assets, where

appropriate and/or supported.

Deploy a host-based intrusion detection solution on enterprise assets, where

appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate.
Example implementations include the use of a Network Intrusion Detection System
(NIDS) or equivalent cloud service provider (CSP) service.

Deploy a network intrusion detection solution on enterprise assets, where appropriate.

Example implementations include the use of a Network Intrusion Detection System
(NIDS) or equivalent cloud service provider (CSP) service.

Perform traffic filtering between network segments, where appropriate.

Perform traffic filtering between network segments, where appropriate.

Manage access control for assets remotely connecting to enterprise resources.

Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-
date.
Manage access control for assets remotely connecting to enterprise resources.
Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-
date.
Manage access control for assets remotely connecting to enterprise resources.
Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-
date.
Manage access control for assets remotely connecting to enterprise resources.
Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-
date.
Manage access control for assets remotely connecting to enterprise resources.
Determine amount of access to enterprise resources based on: up-to-date anti-
malware software installed, configuration compliance with the enterprise’s secure
configuration process, and ensuring the operating system and applications are up-to-
date.

Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.

Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.

Collect network traffic flow logs and/or network traffic to review and alert upon from
network devices.

Deploy a host-based intrusion prevention solution on enterprise assets, where

appropriate and/or supported. Example implementations include use of an Endpoint
Detection and Response (EDR) client or host-based IPS agent.

Deploy a network intrusion prevention solution, where appropriate. Example

implementations include the use of a Network Intrusion Prevention System (NIPS) or
equivalent CSP service.

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user
and/or device authentication.
 Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user
and/or device authentication.

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar
network access control protocols, such as certificates, and may incorporate user
and/or device authentication.

Perform application layer filtering. Example implementations include a filtering proxy,

application layer firewall, or gateway.

Perform application layer filtering. Example implementations include a filtering proxy,

application layer firewall, or gateway.

Tune security event alerting thresholds monthly, or more frequently.

and Skills Training

in a security awareness program to influence behavior among the workforce to be
nd properly skilled to reduce cybersecurity risks to the enterprise.

Establish and maintain a security awareness program. The purpose of a security

awareness program is to educate the enterprise’s workforce on how to interact with
enterprise assets and data in a secure manner. Conduct training at hire and, at a X
minimum, annually. Review and update content annually, or when significant
enterprise changes occur that could impact this Safeguard.

Train workforce members to recognize social engineering attacks, such as phishing,

X
pre-texting, and tailgating.

Train workforce members on authentication best practices. Example topics include

X
MFA, password composition, and credential management.

Train workforce members on how to identify and properly store, transfer, archive, and
destroy sensitive data. This also includes training workforce members on clear screen
and desk best practices, such as locking their screen when they step away from their X
enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and
storing data and assets securely.

Train workforce members to be aware of causes for unintentional data exposure.

Example topics include mis-delivery of sensitive data, losing a portable end-user X
device, or publishing data to unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to

X
report such an incident.
 Train workforce members to be able to recognize a potential incident and be able to
X
report such an incident.

Train workforce to understand how to verify and report out-of-date software patches or
any failures in automated processes and tools. Part of this training should include X
notifying IT personnel of any failures in automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data over,
insecure networks for enterprise activities. If the enterprise has remote workers,
X
training must include guidance to ensure that all users securely configure their home
network infrastructure.

Conduct role-specific security awareness and skills training. Example implementations

include secure system administration courses for IT professionals, (OWASP® Top 10
vulnerability awareness and prevention training for web application developers, and
advanced social engineering awareness training for high-profile roles.

Conduct role-specific security awareness and skills training. Example implementations

include secure system administration courses for IT professionals, (OWASP® Top 10
vulnerability awareness and prevention training for web application developers, and
advanced social engineering awareness training for high-profile roles.

evaluate service providers who hold sensitive data, or are responsible for an enterprise’s
r processes, to ensure these providers are protecting those platforms and data

Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise contact
X
for each service provider. Review and update the inventory annually, or when
significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.

Classify service providers. Classification consideration may include one or more

characteristics, such as data sensitivity, data volume, availability requirements,
applicable regulations, inherent risk, and mitigated risk. Update and review
classifications annually, or when significant enterprise changes occur that could impact
this Safeguard.
 Ensure service provider contracts include security requirements. Example
requirements may include minimum security program requirements, security incident
and/or data breach notification and response, data encryption requirements, and data
disposal commitments. These security requirements must be consistent with the
enterprise’s service provider management policy. Review service provider contracts
annually to ensure contracts are not missing security requirements.

Assess service providers consistent with the enterprise’s service provider management
policy. Assessment scope may vary based on classification(s), and may include review
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
questionnaires, or other appropriately rigorous processes. Reassess service providers
annually, at a minimum, or with new and renewed contracts.

Monitor service providers consistent with the enterprise’s service provider

management policy. Monitoring may include periodic reassessment of service provider
compliance, monitoring service provider release notes, and dark web monitoring.

Securely decommission service providers. Example considerations include user and

service account deactivation, termination of data flows, and secure disposal of
enterprise data within service provider systems.
Security
ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and
eaknesses before they can impact the enterprise.

Establish and maintain a secure application development process. In the process,

address such items as: secure application design standards, secure coding practices,
developer training, vulnerability management, security of third-party code, and
application security testing procedures. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a process to accept and address reports of software

vulnerabilities, including providing a means for external entities to report. The process
is to include such items as: a vulnerability handling policy that identifies reporting
process, responsible party for handling vulnerability reports, and a process for intake,
assignment, remediation, and remediation testing. As part of the process, use a
vulnerability tracking system that includes severity ratings, and metrics for measuring
timing for identification, analysis, and remediation of vulnerabilities. Review and update
documentation annually, or when significant enterprise changes occur that could
impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that

helps to set expectations for outside stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities,
root cause analysis is the task of evaluating underlying issues that create
vulnerabilities in code, and allows development teams to move beyond just fixing
individual vulnerabilities as they arise.

Establish and manage an updated inventory of third-party components used in

development, often referred to as a “bill of materials,” as well as components slated for
future use. This inventory is to include any risks that each third-party component could
pose. Evaluate the list at least monthly to identify any changes or updates to these
components, and validate that the component is still supported.

Use up-to-date and trusted third-party software components. When possible, choose
established and proven frameworks and libraries that provide adequate
security. Acquire these components from trusted sources or evaluate the software for
vulnerabilities before use.

Establish and maintain a severity rating system and process for application
vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities
are fixed. This process includes setting a minimum level of security acceptability for
releasing code or applications. Severity ratings bring a systematic way of triaging
vulnerabilities that improves risk management and helps ensure the most severe bugs
are fixed first. Review and update the system and process annually.

Use standard, industry-recommended hardening configuration templates for

application infrastructure components. This includes underlying servers, databases,
and web servers, and applies to cloud containers, Platform as a Service (PaaS)
components, and SaaS components. Do not allow in-house developed software to
weaken configuration hardening.

Maintain separate environments for production and non-production systems.

Ensure that all software development personnel receive training in writing secure code
for their specific development environment and responsibilities. Training can include
general security principles and application security standard practices. Conduct
training at least annually and design in a way to promote security within the
development team, and build a culture of security among the developers.

Apply secure design principles in application architectures. Secure design principles

include the concept of least privilege and enforcing mediation to validate every
operation that the user makes, promoting the concept of "never trust user input."
Examples include ensuring that explicit error checking is performed and documented
for all input, including for size, data type, and acceptable ranges or formats. Secure
design also means minimizing the application infrastructure attack surface, such as
turning off unprotected ports and services, removing unnecessary programs and files,
and renaming or removing default accounts.
 Leverage vetted modules or services for application security components, such as
identity management, encryption, and auditing and logging. Using platform features in
critical security functions will reduce developers’ workload and minimize the likelihood
of design or implementation errors. Modern operating systems provide effective
mechanisms for identification, authentication, and authorization and make those
mechanisms available to applications. Use only standardized, currently accepted, and
extensively reviewed encryption algorithms. Operating systems also provide
mechanisms to create and maintain secure audit logs.

Apply static and dynamic analysis tools within the application life cycle to verify that
secure coding practices are being followed.

Conduct application penetration testing. For critical applications, authenticated

penetration testing is better suited to finding business logic vulnerabilities than code
scanning and automated security testing. Penetration testing relies on the skill of the
tester to manually manipulate an application as an authenticated and unauthenticated
user.

Conduct threat modeling. Threat modeling is the process of identifying and addressing
application security design flaws within a design, before code is created. It is
conducted through specially trained individuals who evaluate the application design
and gauge security risks for each entry point and access level. The goal is to map out
the application, architecture, and infrastructure in a structured way to understand its
weaknesses.

anagement
o develop and maintain an incident response capability (e.g., policies, plans, procedures,
g, and communications) to prepare, detect, and quickly respond to an attack.

Designate one key person, and at least one backup, who will manage the enterprise’s
incident handling process. Management personnel are responsible for the coordination
and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using X
a third-party vendor, designate at least one person internal to the enterprise to oversee
any third-party work. Review annually, or when significant enterprise changes occur
that could impact this Safeguard.

Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, third-party vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information X
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
 Establish and maintain an enterprise process for the workforce to report security
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the X
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.

Establish and maintain an enterprise process for the workforce to report security
incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the X
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.

Establish and maintain an incident response process that addresses roles and
responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.

Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts, as applicable. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.

Determine which primary and secondary mechanisms will be used to communicate

and report during a security incident. Mechanisms can include phone calls, emails, or
letters. Keep in mind that certain mechanisms, such as emails, can be affected during
a security incident. Review annually, or when significant enterprise changes occur that
could impact this Safeguard.

Plan and conduct routine incident response exercises and scenarios for key personnel
involved in the incident response process to prepare for responding to real-world
incidents. Exercises need to test communication channels, decision making, and
workflows. Conduct testing on an annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence
through identifying lessons learned and follow-up action.

Establish and maintain security incident thresholds, including, at a minimum,

differentiating between an incident and an event. Examples can include: abnormal
activity, security vulnerability, security weakness, data breach, privacy incident, etc.
Review annually, or when significant enterprise changes occur that could impact this
Safeguard.

s and resiliency of enterprise assets through identifying and exploiting weaknesses in

cesses, and technology), and simulating the objectives and actions of an attacker.
Establish and maintain a penetration testing program appropriate to the size,
complexity, and maturity of the enterprise. Penetration testing program characteristics
include scope, such as network, web application, Application Programming Interface
(API), hosted services, and physical premise controls; frequency; limitations, such as
acceptable hours, and excluded attack types; point of contact information; remediation,
such as how findings will be routed internally; and retrospective requirements.

Perform periodic external penetration tests based on program requirements, no less

than annually. External penetration testing must include enterprise and environmental
reconnaissance to detect exploitable information. Penetration testing requires
specialized skills and experience and must be conducted through a qualified party.
The testing may be clear box or opaque box.

Remediate penetration test findings based on the enterprise’s policy for remediation
scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify
rulesets and capabilities to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less
than annually. The testing may be clear box or opaque box.
IG2 IG3 Relationship Practice Identification #

X X Subset CM.L2-3.4.1

X X Subset CA.L2-3.12.4

X X Subset AC.L1-3.1.1

X X Subset AC.L1-3.1.2
X X

X X

X X Subset CM.L2-3.4.1

X X

X X Subset CM.L2-3.4.9

X X Subset CM.L2-3.4.7

X X Subset CM.L2-3.4.9

X X Subset CM.L2-3.4.6

X X Subset CM.L2-3.4.9
X X Subset CM.L2-3.4.7

X X Subset CM.L2-3.4.8

X X Subset CM.L2-3.4.7

X Subset CM.L2-3.4.7

X X Superset SC.L2-3.13.10

X X

X X Subset AC.L1-3.1.1

X X Subset AC.L1-3.1.2

X X Subset AC.L2-3.1.5

X X Subset AC.L2-3.1.3

X X Superset MP.L2-3.8.2
X X

X X Superset MP.L1-3.8.3

X X Superset AC.L2-3.1.19

X X

X X Superset AC.L2-3.1.3

X X Subset CA.L2-3.12.4

X X Subset SC.L2-3.13.6

X X Subset MP.L2-3.8.7

X X Subset MP.L2-3.8.6

X X Superset AC.L2-3.1.17

X X Superset AC.L2-3.1.13

X X Superset IA.L2-3.5.10

X X Superset SC.L2-3.13.11
X X Superset SC.L2-3.13.8

X X Superset SC.L2-3.13.15

X X Superset AC.L2-3.1.19

X X Superset IA.L2-3.5.10

X X Subset MP.L2-3.8.1

X X Superset SC.L2-3.13.11

X X Superset SC.L2-3.13.16

X X Superset AC.L1-3.1.22

X X Superset AC.L2-3.1.3

X X Subset CM.L2-3.4.6
X X Superset SC.L1-3.13.5

X Subset AC.L2-3.1.3

X Subset SC.L1-3.13.1

X Subset SI.L2-3.14.6

X Subset AC.L2-3.1.7

X X Superset AC.L1-3.1.1

X X Superset AC.L1-3.1.2

X X Subset CM.L2-3.4.1

X X Subset CM.L2-3.4.6
X X Subset CM.L2-3.4.2

X X Subset CM.L2-3.4.7

X X Subset CM.L2-3.4.1

X X Subset CM.L2-3.4.6

X X Superset CM.L2-3.4.3

X X Subset CM.L2-3.4.2

X X Subset CM.L2-3.4.7

X X Subset SC.L2-3.13.6

X X Equivalent AC.L2-3.1.10

X X Subset AC.L2-3.1.11

X X Subset AC.L1-3.1.20

X X Subset CM.L2-3.4.7
X X Subset SC.L1-3.13.1

X X Subset SC.L2-3.13.6

X X Subset AC.L1-3.1.20

X X Subset CM.L2-3.4.7

X X Subset SC.L1-3.13.1

X X Subset SC.L2-3.13.6

X X Subset SC.L2-3.13.15

X X

X X Subset CM.L2-3.4.7

X X Subset CM.L2-3.4.8

X X Subset SC.L2-3.13.6
X X

X X Subset AC.L2-3.1.8

X X Subset SC.L2-3.13.9

X X Subset AC.L2-3.1.18

X Subset AC.L2-3.1.19

X X

X X Equivalent IA.L2-3.5.7

X X Equivalent IA.L2-3.5.6

X X Subset AC.L2-3.1.5
X X Equivalent AC.L2-3.1.6

X X Superset AC.L2-3.1.7

X X Subset SC.L2-3.13.3

X X

X X

X X Superset AC.L1-3.1.1

X X Subset IA.L1-3.5.2

X X Superset AC.L1-3.1.1

X X

X X Subset AC.L2-3.1.12

X X Subset AC.L2-3.1.15

X X Subset IA.L2-3.5.3
X X Superset MA.L2-3.7.5

X X Subset AC.L2-3.1.12

X X Subset AC.L2-3.1.15

X X Subset IA.L2-3.5.3

X X

X X

X Subset AC.L1-3.1.2

X Subset AC.L2-3.1.5

X Superset AC.L2-3.1.4

X Superset SC.L2-3.13.3
X X Superset RA.L2-3.11.2

X X Superset SI.L1-3.14.1

X X Subset CA.L2-3.12.3

X X Equivalent RA.L2-3.11.3

X X Equivalent CA.L2-3.12.2

X X Subset SI.L1-3.14.1

X X Subset SI.L1-3.14.1

X X Subset RA.L2-3.11.2

X X Subset SI.L1-3.14.5

X X Subset RA.L2-3.11.2

X X Subset SI.L1-3.14.5

X X Equivalent RA.L2-3.11.3

X X Subset CA.L2-3.12.2

X X Subset SI.L1-3.14.1
X X Superset AU.L2-3.3.1

X X Equivalent AU.L2-3.3.1

X X

X X Equivalent AU.L2-3.3.7

X X Equivalent AU.L2-3.3.1

X X
X X

X X

X X

X X

X X Subset AU.L2-3.3.5

X X Subset CM.L2-3.4.9
X X Subset CM.L2-3.4.2

X X

X X Subset SC.L2-3.13.6

X X Subset CM.L2-3.4.7

X X Subset CM.L2-3.4.8

X X

X X Subset SC.L2-3.13.13

X X Subset SI.L1-3.14.2

X Subset SI.L1-3.14.2

X X Subset SI.L1-3.14.2

X X Equivalent SI.L1-3.14.4

X X Subset MP.L2-3.8.7

X X Subset SC.L2-3.13.13

X X Subset SI.L1-3.14.5
X X

X X

X X

X X

X X

X X Subset MP.L2-3.8.9

X X

X X

X X

X X Superset AC.L1-3.1.2

X X Superset AC.L1-3.1.20
X X Superset AC.L1-3.1.22

X X Superset AC.L2-3.1.16

X X Superset AC.L2-3.1.14

X X Superset AC.L2-3.1.3

X X Superset AC.L2-3.1.17

X X Subset CM.L2-3.4.1

X X Subset CM.L2-3.4.6

X X Subset SC.L1-3.13.5

X X Subset SC.L2-3.13.2

X X Subset SC.L2-3.13.15

X X Subset AC.L1-3.1.20

X X Subset CA.L2-3.12.4
X X

X X Superset AC.L2-3.1.17

X X Superset AC.L2-3.1.13

X X Subset IA.L1-3.5.2

X X Subset SC.L1-3.13.1

X X Subset SC.L2-3.13.15

X X Subset AC.L2-3.1.12

X X Subset AC.L2-3.1.14

X X Superset AC.L2-3.1.13

X X Superset IA.L2-3.5.3

X X Superset MA.L2-3.7.5

X Subset SC.L2-3.13.3
X X Subset AU.L2-3.3.5

X X Subset AU.L2-3.3.6

X X Subset SI.L2-3.14.3

X X Subset SI.L2-3.14.7

X X Subset SC.L1-3.13.1

X X Subset SI.L2-3.14.7

X X Subset SI.L2-3.14.6

X X Subset SI.L2-3.14.7

X X Subset SC.L1-3.13.1
X X Subset SC.L2-3.13.6

X X Subset AC.L2-3.1.12

X X Subset AC.L2-3.1.14

X X Superset AC.L2-3.1.18

X X Superset AC.L2-3.1.13

X X Superset AC.L2-3.1.15

X X Superset AC.L2-3.1.3

X X Subset SI.L2-3.14.3

X X Subset SI.L2-3.14.6

X Subset SI.L2-3.14.6

X Subset SI.L2-3.14.6

X Subset AC.L1-3.1.20
 X Subset CM.L2-3.4.7

X Subset SC.L2-3.13.6

X Subset SC.L1-3.13.1

X Subset SC.L2-3.13.6

X X Superset AT.L2-3.2.1

X X

X X

X X Superset AC.L1-3.1.22

X X

X X Superset AT.L2-3.2.3
X X Subset IR.L2-3.6.2

X X

X X

X X Superset AT.L2-3.2.1

X X Superset AT.L2-3.2.2

X X

X X Subset CA.L2-3.12.4

X X
X X

X X Subset SC.L2-3.13.2

X X Subset SI.L1-3.14.1
X X

X X

X X

X X Subset SI.L1-3.14.1

X X Subset CM.L2-3.4.2

X X

X X Subset AT.L2-3.2.2

X X Subset SC.L2-3.13.2
X X

X Subset SC.L2-3.13.2

X X

X X Subset IR.L2-3.6.2
X X Subset IR.L2-3.6.2

X X Subset SI.L1-3.14.1

X X Equivalent IR.L2-3.6.1

X X

X X

X X Equivalent IR.L2-3.6.3

X X

X
X X

X X

X X

X
 Practice Name

System Baselining

System Security Plan

Authorized Access Control

Transaction & Function Control

System Baselining

User-Installed Software

Nonessential Functionality

User-Installed Software

Least Functionality

User-Installed Software
Nonessential Functionality

Application Execution Policy

Nonessential Functionality

Nonessential Functionality

Key Management

Authorized Access Control

Transaction & Function Control

Least Privilege

Control CUI Flow

Media Access
Media Disposal

Encrypt CUI on Mobile

Control CUI Flow

System Security Plan

Network Communication by Exception

Removable Media

Portable Storage Encryption

Wireless Access Protection

Remote Access Confidentiality

Cryptographically-Protected Passwords

CUI Encryption
Data in Transit

Communications Authenticity

Encrypt CUI on Mobile

Cryptographically-Protected Passwords

Media Protection

CUI Encryption

Data at Rest

Control Public Information

Control CUI Flow

Least Functionality
Public-Access System Separation

Control CUI Flow

Boundary Protection

Monitor Communications for Attacks

Privileged Functions

Authorized Access Control

Transaction & Function Control

System Baselining

Least Functionality
Security Configuration Enforcement

Nonessential Functionality

System Baselining

Least Functionality

System Change Management

Security Configuration Enforcement

Nonessential Functionality

Network Communication by Exception

Session Lock

Session Termination

External Connections

Nonessential Functionality
Boundary Protection

Network Communication by Exception

External Connections

Nonessential Functionality

Boundary Protection

Network Communication by Exception

Communications Authenticity

Nonessential Functionality

Application Execution Policy

Network Communication by Exception

Unsuccessful Logon Attempts

Connections Termination

Mobile Device Connection

Encrypt CUI on Mobile

Password Complexity

Identifier Handling

Least Privilege
Non-Privileged Account Use

Privileged Functions

Role Separation

Authorized Access Control

Authentication

Authorized Access Control

Control Remote Access

Privileged Remote Access

Multifactor Authentication
Nonlocal Maintenance

Control Remote Access

Privileged Remote Access

Multifactor Authentication

Transaction & Function Control

Least Privilege

Separation of Duties

Role Separation
Vulnerability Scan

Flaw Remediation

Security Control Monitoring

Vulnerability Remediation

Plan of Action

Flaw Remediation

Flaw Remediation

Vulnerability Scan

System & File Scanning

Vulnerability Scan

System & File Scanning

Vulnerability Remediation

Plan of Action

Flaw Remediation
System Auditing

System Auditing

Authoritative Time Source

System Auditing

Audit Correlation

User-Installed Software
Security Configuration Enforcement

Network Communication by Exception

Nonessential Functionality

Application Execution Policy

Mobile Code

Malicious Code Protection

Malicious Code Protection

Malicious Code Protection

Update Malicious Code Protection

Removable Media

Mobile Code

System & File Scanning

Protect Backups

Transaction & Function Control

External Connections
Control Public Information

Wireless Access Authorization

Remote Access Routing

Control CUI Flow

Wireless Access Protection

System Baselining

Least Functionality

Public-Access System Separation

Security Engineering

Communications Authenticity

External Connections

System Security Plan

Wireless Access Protection

Remote Access Confidentiality

Authentication

Boundary Protection

Communications Authenticity

Control Remote Access

Remote Access Routing

Remote Access Confidentiality

Multifactor Authentication

Nonlocal Maintenance

Role Separation
Audit Correlation

Reduction & Reporting

Security Alerts & Advisories

Identify Unauthorized Use

Boundary Protection

Identify Unauthorized Use

Monitor Communications for Attacks

Identify Unauthorized Use

Boundary Protection
Network Communication by Exception

Control Remote Access

Remote Access Routing

Mobile Device Connection

Remote Access Confidentiality

Privileged Remote Access

Control CUI Flow

Security Alerts & Advisories

Monitor Communications for Attacks

Monitor Communications for Attacks

Monitor Communications for Attacks

External Connections
Nonessential Functionality

Network Communication by Exception

Boundary Protection

Network Communication by Exception

Role-Based Risk Awareness

Control Public Information

Insider Threat Awareness

Incident Reporting

Role-Based Risk Awareness

Role-Based Training

System Security Plan

Security Engineering

Flaw Remediation
Flaw Remediation

Security Configuration Enforcement

Role-Based Training

Security Engineering
Security Engineering

Incident Reporting
Incident Reporting

Flaw Remediation

Incident Handling

Incident Response Testing

 Description Level

Establish and maintain baseline configurations and

inventories of organizational systems (including
2
hardware, software, firmware, and documentation)
throughout the respective system development life cycles.

Develop, document, and periodically update system

security plans that describe system boundaries, system
environments of operation, how security requirements are 2
implemented, and the relationships with or connections to
other systems.

Limit information system access to authorized users,

processes acting on behalf of authorized users, or
1
devices (including other information systems).

Limit information system access to the types of

transactions and functions that authorized users are
1
permitted to execute.
Establish and maintain baseline configurations and
inventories of organizational systems (including
2
hardware, software, firmware, and documentation)
throughout the respective system development life cycles.

Control and monitor user installed software. 2

Restrict, disable, or prevent the use of nonessential

2
programs, functions, ports, protocols, and services.

Control and monitor user installed software. 2

Employ the principle of least functionality by configuring

organizational systems to provide only essential 2
capabilities.

Control and monitor user installed software. 2

Restrict, disable, or prevent the use of nonessential
2
programs, functions, ports, protocols, and services.
Apply deny-by-exception (blacklisting) policy to prevent
the use of unauthorized software or deny-all, permitby-
2
exception (whitelisting) policy to allow the execution of
authorized software.

Restrict, disable, or prevent the use of nonessential

2
programs, functions, ports, protocols, and services.

Restrict, disable, or prevent the use of nonessential

2
programs, functions, ports, protocols, and services.

Establish and manage cryptographic keys for

2
cryptography employed in organizational systems.

Limit information system access to authorized users,

processes acting on behalf of authorized users, or
1
devices (including other information systems).

Limit information system access to the types of

transactions and functions that authorized users are
1
permitted to execute.

Employ the principle of least privilege, including for

specific security functions and privileged accounts. 2

Control the flow of CUI in accordance with approved

authorizations. 2

Limit access to CUI on system media to authorized users. 2

Sanitize or destroy information system media containing
Federal Contract Information before disposal or release 1
for reuse.
Encrypt CUI on mobile devices and mobile computing
2
platforms.

Control the flow of CUI in accordance with approved

authorizations. 2

Develop, document, and periodically update system

security plans that describe system boundaries, system
environments of operation, how security requirements are 2
implemented, and the relationships with or connections to
other systems.

Deny network communications traffic by default and allow

network communications traffic by exception (i.e., deny 2
all, permit by exception).

Control the use of removable media on system

2
components.
Implement cryptographic mechanisms to protect the
confidentiality of CUI stored on digital media during
2
transport unless otherwise protected by alternative
physical safeguards.

Protect wireless access using authentication and

encryption. 2

Employ cryptographic mechanisms to protect the

2
confidentiality of remote access sessions.
Store and transmit only cryptographically-protected
2
passwords.
Employ FIPS-validated cryptography when used to
2
protect the confidentiality of CUI.
Implement cryptographic mechanisms to prevent
unauthorized disclosure of CUI during transmission
2
unless otherwise protected by alternative physical
safeguards.
Protect the authenticity of communications sessions. 2

Encrypt CUI on mobile devices and mobile computing

2
platforms.

Store and transmit only cryptographically-protected

2
passwords.

Protect (i.e., physically control and securely store) system

2
media containing CUI, both paper and digital.

Employ FIPS-validated cryptography when used to

2
protect the confidentiality of CUI.

Protect the confidentiality of CUI at rest. 2

Control information posted or processed on publicly

accessible information systems. 1

Control the flow of CUI in accordance with approved

authorizations. 2

Employ the principle of least functionality by configuring

organizational systems to provide only essential 2
capabilities.
Implement subnetworks for publicly accessible system
components that are physically or logically separated 1
from internal networks.

Control the flow of CUI in accordance with approved

authorizations. 2

Monitor, control, and protect organizational

communications (i.e., information transmitted or received
by organizational information systems) at the external 1
boundaries and key internal boundaries of the information
systems.

Monitor organizational systems, including inbound and

outbound communications traffic, to detect attacks and 2
indicators of potential attacks.

Prevent non-privileged users from executing privileged

functions and capture the execution of such functions in
2
audit logs.

Limit information system access to authorized users,

processes acting on behalf of authorized users, or
1
devices (including other information systems).

Limit information system access to the types of

transactions and functions that authorized users are
1
permitted to execute.

Establish and maintain baseline configurations and

inventories of organizational systems (including
2
hardware, software, firmware, and documentation)
throughout the respective system development life cycles.

Employ the principle of least functionality by configuring

organizational systems to provide only essential 2
capabilities.
Establish and enforce security configuration settings for
information technology products employed in 2
organizational systems.

Restrict, disable, or prevent the use of nonessential

2
programs, functions, ports, protocols, and services.

Establish and maintain baseline configurations and

inventories of organizational systems (including
2
hardware, software, firmware, and documentation)
throughout the respective system development life cycles.

Employ the principle of least functionality by configuring

organizational systems to provide only essential 2
capabilities.

Track, review, approve, or disapprove, and log changes

2
to organizational systems.

Establish and enforce security configuration settings for

information technology products employed in 2
organizational systems.

Restrict, disable, or prevent the use of nonessential

2
programs, functions, ports, protocols, and services.

Deny network communications traffic by default and allow

network communications traffic by exception (i.e., deny 2
all, permit by exception).

Use session lock with pattern-hiding displays to prevent

access and viewing of data after a period of inactivity. 2

Terminate (automatically) user sessions after a defined

condition. 2

Verify and control/limit connections to and use of external

information systems. 1

Restrict, disable, or prevent the use of nonessential

2
programs, functions, ports, protocols, and services.
Monitor, control, and protect organizational
communications (i.e., information transmitted or received
by organizational information systems) at the external 1
boundaries and key internal boundaries of the information
systems.

Deny network communications traffic by default and allow

network communications traffic by exception (i.e., deny 2
all, permit by exception).

Verify and control/limit connections to and use of external

information systems. 1

Restrict, disable, or prevent the use of nonessential

2
programs, functions, ports, protocols, and services.

Monitor, control, and protect organizational

communications (i.e., information transmitted or received
by organizational information systems) at the external 1
boundaries and key internal boundaries of the information
systems.

Deny network communications traffic by default and allow

network communications traffic by exception (i.e., deny 2
all, permit by exception).

Protect the authenticity of communications sessions. 2

Restrict, disable, or prevent the use of nonessential

2
programs, functions, ports, protocols, and services.

Apply deny-by-exception (blacklisting) policy to prevent

the use of unauthorized software or deny-all, permitby-
2
exception (whitelisting) policy to allow the execution of
authorized software.

Deny network communications traffic by default and allow

network communications traffic by exception (i.e., deny 2
all, permit by exception).
Limit unsuccessful logon attempts.
2

Terminate network connections associated with

communications sessions at the end of the sessions or 2
after a defined period of inactivity.

Control connection of mobile devices.

2

Encrypt CUI on mobile devices and mobile computing

2
platforms.

Enforce a minimum password complexity and change of

2
characters when new passwords are created.

Disable identifiers after a defined period of inactivity. 2

Employ the principle of least privilege, including for

specific security functions and privileged accounts. 2
Use non-privileged accounts or roles when accessing
nonsecurity functions. 2

Prevent non-privileged users from executing privileged

functions and capture the execution of such functions in
2
audit logs.

Separate user functionality from system management

2
functionality.

Limit information system access to authorized users,

processes acting on behalf of authorized users, or
1
devices (including other information systems).

Authenticate (or verify) the identities of those users,

processes, or devices, as a prerequisite to allowing 1
access to organizational information systems.

Limit information system access to authorized users,

processes acting on behalf of authorized users, or
1
devices (including other information systems).

Monitor and control remote access sessions.

2

Authorize remote execution of privileged commands and

2
remote access to security relevant information.
Use multifactor authentication for local and network
access to privileged accounts and for network access to 2
nonprivileged accounts.
Require multifactor authentication to establish nonlocal
maintenance sessions via external network connections
2
and terminate such connections when nonlocal
maintenance is complete.
Monitor and control remote access sessions.
2

Authorize remote execution of privileged commands and

2
remote access to security relevant information.
Use multifactor authentication for local and network
access to privileged accounts and for network access to 2
nonprivileged accounts.

Limit information system access to the types of

transactions and functions that authorized users are
1
permitted to execute.

Employ the principle of least privilege, including for

specific security functions and privileged accounts. 2

Separate the duties of individuals to reduce the risk of

malevolent activity without collusion. 2

Separate user functionality from system management

2
functionality.
Scan for vulnerabilities in organizational systems and
applications periodically and when new vulnerabilities
2
affecting those systems and applications are identified.

Identify, report, and correct information and information

1
system flaws in a timely manner.

Monitor security controls on an ongoing basis to ensure

2
the continued effectiveness of the controls.

Remediate vulnerabilities in accordance with risk

2
assessments.
Develop and implement plans of action designed to
correct deficiencies and reduce or eliminate vulnerabilities 2
in organizational systems.
Identify, report, and correct information and information
1
system flaws in a timely manner.
Identify, report, and correct information and information
1
system flaws in a timely manner.
Scan for vulnerabilities in organizational systems and
applications periodically and when new vulnerabilities
2
affecting those systems and applications are identified.

Perform periodic scans of the information system and

realtime scans of files from external sources as files are 1
downloaded, opened, or executed.

Scan for vulnerabilities in organizational systems and

applications periodically and when new vulnerabilities
2
affecting those systems and applications are identified.

Perform periodic scans of the information system and

realtime scans of files from external sources as files are 1
downloaded, opened, or executed.
Remediate vulnerabilities in accordance with risk
2
assessments.
Develop and implement plans of action designed to
correct deficiencies and reduce or eliminate vulnerabilities 2
in organizational systems.
Identify, report, and correct information and information
1
system flaws in a timely manner.
Create and retain system audit logs and records to the
extent needed to enable the monitoring, analysis,
2
investigation, and reporting of unlawful or unauthorized
system activity.

Create and retain system audit logs and records to the

extent needed to enable the monitoring, analysis,
2
investigation, and reporting of unlawful or unauthorized
system activity.

Provide a system capability that compares and

synchronizes internal system clocks with an authoritative 2
source to generate time stamps for audit records.

Create and retain system audit logs and records to the

extent needed to enable the monitoring, analysis,
2
investigation, and reporting of unlawful or unauthorized
system activity.

Correlate audit record review, analysis, and reporting

processes for investigation and response to indications of 2
unlawful, unauthorized, suspicious, or unusual activity.

Control and monitor user installed software. 2

Establish and enforce security configuration settings for
information technology products employed in 2
organizational systems.

Deny network communications traffic by default and allow

network communications traffic by exception (i.e., deny 2
all, permit by exception).

Restrict, disable, or prevent the use of nonessential

2
programs, functions, ports, protocols, and services.

Apply deny-by-exception (blacklisting) policy to prevent

the use of unauthorized software or deny-all, permitby-
2
exception (whitelisting) policy to allow the execution of
authorized software.

Control and monitor the use of mobile code. 2

Provide protection from malicious code at appropriate
1
locations within organizational information systems.
Provide protection from malicious code at appropriate
1
locations within organizational information systems.

Provide protection from malicious code at appropriate

1
locations within organizational information systems.
Update malicious code protection mechanisms when new
releases are available. 1
Control the use of removable media on system
2
components.

Control and monitor the use of mobile code. 2

Perform periodic scans of the information system and

realtime scans of files from external sources as files are 1
downloaded, opened, or executed.
Protect the confidentiality of backup CUI at storage
locations. 2

Limit information system access to the types of

transactions and functions that authorized users are
1
permitted to execute.

Verify and control/limit connections to and use of external

information systems. 1
Control information posted or processed on publicly
accessible information systems. 1

Authorize wireless access prior to allowing such

connections. 2

Route remote access via managed access control points.

2

Control the flow of CUI in accordance with approved

authorizations. 2

Protect wireless access using authentication and

encryption. 2

Establish and maintain baseline configurations and

inventories of organizational systems (including
2
hardware, software, firmware, and documentation)
throughout the respective system development life cycles.

Employ the principle of least functionality by configuring

organizational systems to provide only essential 2
capabilities.

Implement subnetworks for publicly accessible system

components that are physically or logically separated 1
from internal networks.

Employ architectural designs, software development

techniques, and systems engineering principles that
2
promote effective information security within
organizational systems.

Protect the authenticity of communications sessions. 2

Verify and control/limit connections to and use of external

information systems. 1

Develop, document, and periodically update system

security plans that describe system boundaries, system
environments of operation, how security requirements are 2
implemented, and the relationships with or connections to
other systems.
Protect wireless access using authentication and
encryption. 2

Employ cryptographic mechanisms to protect the

2
confidentiality of remote access sessions.

Authenticate (or verify) the identities of those users,

processes, or devices, as a prerequisite to allowing 1
access to organizational information systems.

Monitor, control, and protect organizational

communications (i.e., information transmitted or received
by organizational information systems) at the external 1
boundaries and key internal boundaries of the information
systems.

Protect the authenticity of communications sessions. 2

Monitor and control remote access sessions.

2

Route remote access via managed access control points.

2

Employ cryptographic mechanisms to protect the

2
confidentiality of remote access sessions.

Use multifactor authentication for local and network

access to privileged accounts and for network access to 2
nonprivileged accounts.

Require multifactor authentication to establish nonlocal

maintenance sessions via external network connections
2
and terminate such connections when nonlocal
maintenance is complete.

Separate user functionality from system management

2
functionality.
Correlate audit record review, analysis, and reporting
processes for investigation and response to indications of 2
unlawful, unauthorized, suspicious, or unusual activity.

Provide audit record reduction and report generation to

2
support on-demand analysis and reporting.

Monitor system security alerts and advisories and take

2
action in response.

Identify unauthorized use of organizational systems. 2

Monitor, control, and protect organizational

communications (i.e., information transmitted or received
by organizational information systems) at the external 1
boundaries and key internal boundaries of the information
systems.

Identify unauthorized use of organizational systems. 2

Monitor organizational systems, including inbound and

outbound communications traffic, to detect attacks and 2
indicators of potential attacks.

Identify unauthorized use of organizational systems. 2

Monitor, control, and protect organizational

communications (i.e., information transmitted or received
by organizational information systems) at the external 1
boundaries and key internal boundaries of the information
systems.
Deny network communications traffic by default and allow
network communications traffic by exception (i.e., deny 2
all, permit by exception).

Monitor and control remote access sessions.

2

Route remote access via managed access control points.

2

Control connection of mobile devices.

2

Employ cryptographic mechanisms to protect the

2
confidentiality of remote access sessions.

Authorize remote execution of privileged commands and

2
remote access to security relevant information.

Control the flow of CUI in accordance with approved

authorizations. 2

Monitor system security alerts and advisories and take

2
action in response.
Monitor organizational systems, including inbound and
outbound communications traffic, to detect attacks and 2
indicators of potential attacks.

Monitor organizational systems, including inbound and

outbound communications traffic, to detect attacks and 2
indicators of potential attacks.

Monitor organizational systems, including inbound and

outbound communications traffic, to detect attacks and 2
indicators of potential attacks.

Verify and control/limit connections to and use of external

information systems. 1
Restrict, disable, or prevent the use of nonessential
2
programs, functions, ports, protocols, and services.

Deny network communications traffic by default and allow

network communications traffic by exception (i.e., deny 2
all, permit by exception).

Monitor, control, and protect organizational

communications (i.e., information transmitted or received
by organizational information systems) at the external 1
boundaries and key internal boundaries of the information
systems.

Deny network communications traffic by default and allow

network communications traffic by exception (i.e., deny 2
all, permit by exception).

Ensure that managers, system administrators, and users

of organizational systems are made aware of the security
risks associated with their activities and of the applicable 2
policies, standards, and procedures related to the security
of those systems.

Control information posted or processed on publicly

accessible information systems. 1

Provide security awareness training on recognizing and

2
reporting potential indicators of insider threat.
Track, document, and report incidents to designated
officials and/or authorities both internal and external to the 2
organization.

Ensure that managers, system administrators, and users

of organizational systems are made aware of the security
risks associated with their activities and of the applicable 2
policies, standards, and procedures related to the security
of those systems.

Ensure that personnel are trained to carry out their

assigned information security-related duties and 2
responsibilities.

Develop, document, and periodically update system

security plans that describe system boundaries, system
environments of operation, how security requirements are 2
implemented, and the relationships with or connections to
other systems.
Employ architectural designs, software development
techniques, and systems engineering principles that
2
promote effective information security within
organizational systems.

Identify, report, and correct information and information

1
system flaws in a timely manner.
Identify, report, and correct information and information
1
system flaws in a timely manner.

Establish and enforce security configuration settings for

information technology products employed in 2
organizational systems.

Ensure that personnel are trained to carry out their

assigned information security-related duties and 2
responsibilities.

Employ architectural designs, software development

techniques, and systems engineering principles that
2
promote effective information security within
organizational systems.
Employ architectural designs, software development
techniques, and systems engineering principles that
2
promote effective information security within
organizational systems.

Track, document, and report incidents to designated

officials and/or authorities both internal and external to the 2
organization.
Track, document, and report incidents to designated
officials and/or authorities both internal and external to the 2
organization.

Identify, report, and correct information and information

1
system flaws in a timely manner.

Establish an operational incident-handling capability for

organizational systems that includes preparation,
2
detection, analysis, containment, recovery, and user
response activities.

Test the organizational incident response capability. 2

The following CMMC Practices are NOT mapped to the CIS Controls
Practice Identification # Practice Name Description
Provide privacy and security notices
consistent with applicable CUI rules.
AC.L2-3.1.9 Privacy & Security Notices
Limit use of portable storage devices on
external systems.
AC.L2-3.1.21 Portable Storage Use
Ensure that the actions of individual system
users can be uniquely traced to those users
so they can be held accountable for their
AU.L2-3.3.2 User Accountability actions.
Alert in the event of an audit logging process
AU.L2-3.3.4 Audit Failure Alerting failure.
Protect audit information and audit logging
tools from unauthorized access, modification,
AU.L2-3.3.8 Audit Protection and deletion.
Limit management of audit logging
AU.L2-3.3.9 Audit Management functionality to a subset of privileged users.
Analyze the security impact of changes prior
CM.L2-3.4.4 Security Impact Analysis to implementation.

Define, document, approve, and enforce

physical and logical access restrictions
associated with changes to organizational
CM.L2-3.4.5 Access Restrictions for Chan systems.
Identify information system users, processes
IA.L1-3.5.1 Identification acting on behalf of users, or devices.
Prohibit password reuse for a specified
IA.L2-3.5.8 Password Reuse number of generations.
Allow temporary password use for system
logons with an immediate change to a
IA.L2-3.5.9 Temporary Passwords permanent password.
Obscure feedback of authentication
IA.L2-3.5.11 Obscure Feedback information.
Employ replay-resistant authentication
mechanisms for network access to privileged
IA.L2-3.5.4 Replay-Resistant Authenticatand non-privileged accounts.
Prevent the reuse of identifiers for a defined
IA.L2-3.5.5 Identifier Reuse period.
Perform maintenance on organizational
MA.L2-3.7.1 Perform Maintenance systems.
Provide controls on the tools, techniques,
mechanisms, and personnel used to conduct
MA.L2-3.7.2 System Maintenance Control system maintenance.
 Supervise the maintenance activities of
personnel without required access
MA.L2-3.7.6 Maintenance Personnel authorization.
Ensure equipment removed for off-site
MA.L2-3.7.3 Equipment Sanitization maintenance is sanitized of any CUI.
Check media containing diagnostic and test
programs for malicious code before the
MA.L2-3.7.4 Media Inspection media are used in organizational systems.
Mark media with necessary CUI markings
MP.L2-3.8.4 Media Markings and distribution
Prohibit the use limitations.
of portable storage devices
when such devices have no identifiable
MP.L2-3.8.8 Shared Media owner.
Protect the confidentiality of backup CUI at storage locations.
MP.L2-3.8.9 Protect Backups
Control access to media containing CUI and
maintain accountability for media during
MP.L2-3.8.5 Media Accountability transport outside of controlled areas.
Screen individuals prior to authorizing access
PS.L2-3.9.1 Screen Individuals to organizational systems containing CUI.
Ensure that organizational systems
containing CUI are protected during and after
personnel actions such as terminations and
PS.L2-3.9.2 Personnel Actions transfers.

Limit physical access to organizational

information systems, equipment, and the
respective operating environments to
PE.L1-3.10.1 Limit Physical Access authorized individuals.
PE.L1-3.10.3 Escort Visitors Escort visitors and monitor visitor activity.
PE.L1-3.10.4 Physical Access Logs Maintainand
Control audit logs ofphysical
manage physicalaccess
access.
PE.L1-3.10.5 Manage Physical Access devices.
Protect and monitor the physical facility and
support infrastructure for organizational
PE.L2-3.10.2 Monitor Facility systems.
Enforce safeguarding measures for CUI at
PE.L2-3.10.6 Alternative Work Sites alternate work sites.

Periodically assess the risk to organizational

operations (including mission, functions,
image, or reputation), organizational assets,
and individuals, resulting from the operation
of organizational systems and the associated
RA.L2-3.11.1 Risk Assessments processing, storage, or transmission of CUI.
Periodically assess the security controls in
organizational systems to determine if the
CA.L2-3.12.1 Security Control Assessment controls are effective in their application.
Prohibit remote activation of collaborative
computing devices and provide indication of
SC.L2-3.13.12 Collaborative Device Control devices in use to users present at the device.
 Prevent unauthorized and unintended
information transfer via shared system
SC.L2-3.13.4 Shared Resource Control resources.

Prevent remote devices from simultaneously

establishing non-remote connections with
organizational systems and communicating
via some other connection to resources in
SC.L2-3.13.7 Split Tunneling external networks (i.e., split tunneling).
Control and monitor the use of Voice over
SC.L2-3.13.14 Voice over Internet Protocol Internet Protocol (VoIP) technologies.
Level

2
2

2
2

1
1
1
1

2
2

2
The following CIS Safeguards are NOT mapped to CMMC v2.0

5.1

5.5
5.6

6.3

6.6
6.7
8.3
8.6
8.7
8.8
8.9
8.10

8.12
9.2

9.5

10.5
10.6
10.7

11.1
11.2
11.5

12.1
12.5
13.11
14.2
14.3

14.5

14.7

14.8

15.1
 15.3

15.4

15.5

15.6

15.7

16.3

16.4

16.5
16.8

16.11
16.12

16.13

17.1

17.5

17.6
17.8

17.9
18.1

18.2
18.3
18.4
18.5
The following CIS Safeguards are NOT mapped to CMMC v2.0

Establish and Maintain an Inventory of Accounts

Establish and Maintain an Inventory of Service Accounts

Centralize Account Management

Require MFA for Externally-Exposed Applications

Establish and Maintain an Inventory of Authentication and Authorization Systems

Centralize Access Control
Ensure Adequate Audit Log Storage
Collect DNS Query Audit Logs
Collect URL Request Audit Logs
Collect Command-Line Audit Logs
Centralize Audit Logs
Retain Audit Logs

Collect Service Provider Logs

Use DNS Filtering Services

Implement DMARC

Enable Anti-Exploitation Features

Centrally Manage Anti-Malware Software
Use Behavior-Based Anti-Malware Software

Establish and Maintain a Data Recovery Process

Perform Automated Backups
Test Data Recovery

Ensure Network Infrastructure is Up-to-Date

Centralize Network Authentication, Authorization, and Auditing (AAA)
Tune Security Event Alerting Thresholds
Train Workforce Members to Recognize Social Engineering Attacks
Train Workforce Members on Authentication Best Practices

Train Workforce Members on Causes of Unintentional Data Exposure

Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates

Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

Establish and Maintain an Inventory of Service Providers

Classify Service Providers

Ensure Service Provider Contracts Include Security Requirements

Assess Service Providers

Monitor Service Providers

Securely Decommission Service Providers

Perform Root Cause Analysis on Security Vulnerabilities

Establish and Manage an Inventory of Third-Party Software Components

Use Up-to-Date and Trusted Third-Party Software Components

Separate Production and Non-Production Systems

Leverage Vetted Modules or Services for Application Security Components

Implement Code-Level Security Checks

Conduct Application Penetration Testing

Designate Personnel to Manage Incident Handling

Assign Key Roles and Responsibilities

Define Mechanisms for Communicating During Incident Response

Conduct Post-Incident Reviews

Establish and Maintain Security Incident Thresholds

Establish and Maintain a Penetration Testing Program

Perform Periodic External Penetration Tests

Remediate Penetration Test Findings
Validate Security Measures
Perform Periodic Internal Penetration Tests
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user
inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate th
a recurring schedule at a minimum quarterly, or more frequently.
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department own
service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum qu
Centralize account management through a directory or identity service.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MF
provider is a satisfactory implementation of this Safeguard.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those ho
provider. Review and update the inventory, at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management p
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Collect service provider logs, where supported. Example implementations include collecting authentication and auth
disposal events, and user management events.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, st
Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execu
Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
Use behavior-based anti-malware software.
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recov
backup data. Review and update documentation annually, or when significant enterprise changes occur that could im
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the s
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release
supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify so
Centralize network AAA.
Tune security event alerting thresholds monthly, or more frequently.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Train workforce members on authentication best practices. Example topics include MFA, password composition, and
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-deliver
end-user device, or publishing data to unintended audiences.
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated pro
should include notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterpr
remote workers,
Establish traininganmust
and maintain include
inventory ofguidance to ensureThe
service providers. thatinventory
all users is
securely configure
to list all their home
known service network
providers, infras
include
enterprise contact for each service provider. Review and update the inventory annually, or when significant enterpris
Safeguard.
Classify service providers. Classification consideration may include one or more characteristics, such as data sensit
requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or
occur that could impact this Safeguard.
Ensure service provider contracts include security requirements. Example requirements may include minimum secu
incident and/or data breach notification and response, data encryption requirements, and data disposal commitment
consistent with the enterprise’s service provider management policy. Review service provider contracts annually to e
requirements.

Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope m
may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Paym
Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service provide
and renewed contracts.
Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may inclu
provider compliance, monitoring service provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service account deactivation, te
disposal of enterprise data within service provider systems.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the tas
create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as
Establish and manage an updated inventory of third-party components used in development, often referred to as a “
slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the
changes or updates to these components, and validate that the component is still supported.
Use up-to-date and trusted third-party software components. When possible, choose established and proven framew
security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use.
Maintain separate environments for production and non-production systems.
Leverage vetted modules or services for application security components, such as identity management, encryption
platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design
operating systems provide effective mechanisms for identification, authentication, and authorization and make those
Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also
maintain secure audit logs.
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are bein
Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to
code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipu
and unauthenticated user.

Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Ma
the coordination and documentation of incident response and recovery efforts and can consist of employees interna
a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee a
when significant enterprise changes occur that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilitie
incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur tha
Determine which primary and secondary mechanisms will be used to communicate and report during a security incid
calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security inc
significant enterprise changes occur that could impact this Safeguard.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons le
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and
abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or w
that could impact this Safeguard.
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterpr
characteristics include scope, such as network, web application, Application Programming Interface (API), hosted se
frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediatio
internally; and retrospective requirements.
Perform periodic external penetration tests based on program requirements, no less than annually. External penetra
environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and e
through a qualified party. The testing may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to det
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may