Compliance Reference
NIST 800-53 Rev 5 Controls
The comprehensive federal security and privacy control catalog — all 1,196 controls organized across 20 families.
AC Access Control 147
AC-1 Policy and Procedures AC-2 Account Management AC-2(1) Automated System Account Management AC-2(2) Automated Temporary and Emergency Account Management AC-2(3) Disable Accounts AC-2(4) Automated Audit Actions AC-2(5) Inactivity Logout AC-2(6) Dynamic Privilege Management AC-2(7) Privileged User Accounts AC-2(8) Dynamic Account Management AC-2(9) Restrictions on Use of Shared and Group Accounts AC-2(10) Shared and Group Account Credential Change AC-2(11) Usage Conditions AC-2(12) Account Monitoring for Atypical Usage AC-2(13) Disable Accounts for High-risk Individuals AC-3 Access Enforcement AC-3(1) Restricted Access to Privileged Functions AC-3(2) Dual Authorization AC-3(3) Mandatory Access Control AC-3(4) Discretionary Access Control AC-3(5) Security-relevant Information AC-3(6) Protection of User and System Information AC-3(7) Role-based Access Control AC-3(8) Revocation of Access Authorizations AC-3(9) Controlled Release AC-3(10) Audited Override of Access Control Mechanisms AC-3(11) Restrict Access to Specific Information Types AC-3(12) Assert and Enforce Application Access AC-3(13) Attribute-based Access Control AC-3(14) Individual Access AC-3(15) Discretionary and Mandatory Access Control AC-4 Information Flow Enforcement AC-4(1) Object Security and Privacy Attributes AC-4(2) Processing Domains AC-4(3) Dynamic Information Flow Control AC-4(4) Flow Control of Encrypted Information AC-4(5) Embedded Data Types AC-4(6) Metadata AC-4(7) One-way Flow Mechanisms AC-4(8) Security and Privacy Policy Filters AC-4(9) Human Reviews AC-4(10) Enable and Disable Security or Privacy Policy Filters AC-4(11) Configuration of Security or Privacy Policy Filters AC-4(12) Data Type Identifiers AC-4(13) Decomposition into Policy-relevant Subcomponents AC-4(14) Security or Privacy Policy Filter Constraints AC-4(15) Detection of Unsanctioned Information AC-4(16) Information Transfers on Interconnected Systems AC-4(17) Domain Authentication AC-4(18) Security Attribute Binding AC-4(19) Validation of Metadata AC-4(20) Approved Solutions AC-4(21) Physical or Logical Separation of Information Flows AC-4(22) Access Only AC-4(23) Modify Non-releasable Information AC-4(24) Internal Normalized Format AC-4(25) Data Sanitization AC-4(26) Audit Filtering Actions AC-4(27) Redundant/Independent Filtering Mechanisms AC-4(28) Linear Filter Pipelines AC-4(29) Filter Orchestration Engines AC-4(30) Filter Mechanisms Using Multiple Processes AC-4(31) Failed Content Transfer Prevention AC-4(32) Process Requirements for Information Transfer AC-5 Separation of Duties AC-6 Least Privilege AC-6(1) Authorize Access to Security Functions AC-6(2) Non-privileged Access for Nonsecurity Functions AC-6(3) Network Access to Privileged Commands AC-6(4) Separate Processing Domains AC-6(5) Privileged Accounts AC-6(6) Privileged Access by Non-organizational Users AC-6(7) Review of User Privileges AC-6(8) Privilege Levels for Code Execution AC-6(9) Log Use of Privileged Functions AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions AC-7 Unsuccessful Logon Attempts AC-7(1) Automatic Account Lock AC-7(2) Purge or Wipe Mobile Device AC-7(3) Biometric Attempt Limiting AC-7(4) Use of Alternate Authentication Factor AC-8 System Use Notification AC-9 Previous Logon Notification AC-9(1) Unsuccessful Logons AC-9(2) Successful and Unsuccessful Logons AC-9(3) Notification of Account Changes AC-9(4) Additional Logon Information AC-10 Concurrent Session Control AC-11 Device Lock AC-11(1) Pattern-hiding Displays AC-12 Session Termination AC-12(1) User-initiated Logouts AC-12(2) Termination Message AC-12(3) Timeout Warning Message AC-13 Supervision and Review — Access Control AC-14 Permitted Actions Without Identification or Authentication AC-14(1) Necessary Uses AC-15 Automated Marking AC-16 Security and Privacy Attributes AC-16(1) Dynamic Attribute Association AC-16(2) Attribute Value Changes by Authorized Individuals AC-16(3) Maintenance of Attribute Associations by System AC-16(4) Association of Attributes by Authorized Individuals AC-16(5) Attribute Displays on Objects to Be Output AC-16(6) Maintenance of Attribute Association AC-16(7) Consistent Attribute Interpretation AC-16(8) Association Techniques and Technologies AC-16(9) Attribute Reassignment — Regrading Mechanisms AC-16(10) Attribute Configuration by Authorized Individuals AC-17 Remote Access AC-17(1) Monitoring and Control AC-17(2) Protection of Confidentiality and Integrity Using Encryption AC-17(3) Managed Access Control Points AC-17(4) Privileged Commands and Access AC-17(5) Monitoring for Unauthorized Connections AC-17(6) Protection of Mechanism Information AC-17(7) Additional Protection for Security Function Access AC-17(8) Disable Nonsecure Network Protocols AC-17(9) Disconnect or Disable Access AC-17(10) Authenticate Remote Commands AC-18 Wireless Access AC-18(1) Authentication and Encryption AC-18(2) Monitoring Unauthorized Connections AC-18(3) Disable Wireless Networking AC-18(4) Restrict Configurations by Users AC-18(5) Antennas and Transmission Power Levels AC-19 Access Control for Mobile Devices AC-19(1) Use of Writable and Portable Storage Devices AC-19(2) Use of Personally Owned Portable Storage Devices AC-19(3) Use of Portable Storage Devices with No Identifiable Owner AC-19(4) Restrictions for Classified Information AC-19(5) Full Device or Container-based Encryption AC-20 Use of External Systems AC-20(1) Limits on Authorized Use AC-20(2) Portable Storage Devices — Restricted Use AC-20(3) Non-organizationally Owned Systems — Restricted Use AC-20(4) Network Accessible Storage Devices — Prohibited Use AC-20(5) Portable Storage Devices — Prohibited Use AC-21 Information Sharing AC-21(1) Automated Decision Support AC-21(2) Information Search and Retrieval AC-22 Publicly Accessible Content AC-23 Data Mining Protection AC-24 Access Control Decisions AC-24(1) Transmit Access Authorization Information AC-24(2) No User or Process Identity AC-25 Reference Monitor
AT Awareness and Training 17
AT-1 Policy and Procedures AT-2 Literacy Training and Awareness AT-2(1) Practical Exercises AT-2(2) Insider Threat AT-2(3) Social Engineering and Mining AT-2(4) Suspicious Communications and Anomalous System Behavior AT-2(5) Advanced Persistent Threat AT-2(6) Cyber Threat Environment AT-3 Role-based Training AT-3(1) Environmental Controls AT-3(2) Physical Security Controls AT-3(3) Practical Exercises AT-3(4) Suspicious Communications and Anomalous System Behavior AT-3(5) Processing Personally Identifiable Information AT-4 Training Records AT-5 Contacts with Security Groups and Associations AT-6 Training Feedback
AU Audit and Accountability 69
AU-1 Policy and Procedures AU-2 Event Logging AU-2(1) Compilation of Audit Records from Multiple Sources AU-2(2) Selection of Audit Events by Component AU-2(3) Reviews and Updates AU-2(4) Privileged Functions AU-3 Content of Audit Records AU-3(1) Additional Audit Information AU-3(2) Centralized Management of Planned Audit Record Content AU-3(3) Limit Personally Identifiable Information Elements AU-4 Audit Log Storage Capacity AU-4(1) Transfer to Alternate Storage AU-5 Response to Audit Logging Process Failures AU-5(1) Storage Capacity Warning AU-5(2) Real-time Alerts AU-5(3) Configurable Traffic Volume Thresholds AU-5(4) Shutdown on Failure AU-5(5) Alternate Audit Logging Capability AU-6 Audit Record Review, Analysis, and Reporting AU-6(1) Automated Process Integration AU-6(2) Automated Security Alerts AU-6(3) Correlate Audit Record Repositories AU-6(4) Central Review and Analysis AU-6(5) Integrated Analysis of Audit Records AU-6(6) Correlation with Physical Monitoring AU-6(7) Permitted Actions AU-6(8) Full Text Analysis of Privileged Commands AU-6(9) Correlation with Information from Nontechnical Sources AU-6(10) Audit Level Adjustment AU-7 Audit Record Reduction and Report Generation AU-7(1) Automatic Processing AU-7(2) Automatic Sort and Search AU-8 Time Stamps AU-8(1) Synchronization with Authoritative Time Source AU-8(2) Secondary Authoritative Time Source AU-9 Protection of Audit Information AU-9(1) Hardware Write-once Media AU-9(2) Store on Separate Physical Systems or Components AU-9(3) Cryptographic Protection AU-9(4) Access by Subset of Privileged Users AU-9(5) Dual Authorization AU-9(6) Read-only Access AU-9(7) Store on Component with Different Operating System AU-10 Non-repudiation AU-10(1) Association of Identities AU-10(2) Validate Binding of Information Producer Identity AU-10(3) Chain of Custody AU-10(4) Validate Binding of Information Reviewer Identity AU-10(5) Digital Signatures AU-11 Audit Record Retention AU-11(1) Long-term Retrieval Capability AU-12 Audit Record Generation AU-12(1) System-wide and Time-correlated Audit Trail AU-12(2) Standardized Formats AU-12(3) Changes by Authorized Individuals AU-12(4) Query Parameter Audits of Personally Identifiable Information AU-13 Monitoring for Information Disclosure AU-13(1) Use of Automated Tools AU-13(2) Review of Monitored Sites AU-13(3) Unauthorized Replication of Information AU-14 Session Audit AU-14(1) System Start-up AU-14(2) Capture and Record Content AU-14(3) Remote Viewing and Listening AU-15 Alternate Audit Logging Capability AU-16 Cross-organizational Audit Logging AU-16(1) Identity Preservation AU-16(2) Sharing of Audit Information AU-16(3) Disassociability
CA Assessment, Authorization, and Monitoring 32
CA-1 Policy and Procedures CA-2 Control Assessments CA-2(1) Independent Assessors CA-2(2) Specialized Assessments CA-2(3) Leveraging Results from External Organizations CA-3 Information Exchange CA-3(1) Unclassified National Security System Connections CA-3(2) Classified National Security System Connections CA-3(3) Unclassified Non-national Security System Connections CA-3(4) Connections to Public Networks CA-3(5) Restrictions on External System Connections CA-3(6) Transfer Authorizations CA-3(7) Transitive Information Exchanges CA-4 Security Certification CA-5 Plan of Action and Milestones CA-5(1) Automation Support for Accuracy and Currency CA-6 Authorization CA-6(1) Joint Authorization — Intra-organization CA-6(2) Joint Authorization — Inter-organization CA-7 Continuous Monitoring CA-7(1) Independent Assessment CA-7(2) Types of Assessments CA-7(3) Trend Analyses CA-7(4) Risk Monitoring CA-7(5) Consistency Analysis CA-7(6) Automation Support for Monitoring CA-8 Penetration Testing CA-8(1) Independent Penetration Testing Agent or Team CA-8(2) Red Team Exercises CA-8(3) Facility Penetration Testing CA-9 Internal System Connections CA-9(1) Compliance Checks
CM Configuration Management 66
CM-1 Policy and Procedures CM-2 Baseline Configuration CM-2(1) Reviews and Updates CM-2(2) Automation Support for Accuracy and Currency CM-2(3) Retention of Previous Configurations CM-2(4) Unauthorized Software CM-2(5) Authorized Software CM-2(6) Development and Test Environments CM-2(7) Configure Systems and Components for High-risk Areas CM-3 Configuration Change Control CM-3(1) Automated Documentation, Notification, and Prohibition of Changes CM-3(2) Testing, Validation, and Documentation of Changes CM-3(3) Automated Change Implementation CM-3(4) Security and Privacy Representatives CM-3(5) Automated Security Response CM-3(6) Cryptography Management CM-3(7) Review System Changes CM-3(8) Prevent or Restrict Configuration Changes CM-4 Impact Analyses CM-4(1) Separate Test Environments CM-4(2) Verification of Controls CM-5 Access Restrictions for Change CM-5(1) Automated Access Enforcement and Audit Records CM-5(2) Review System Changes CM-5(3) Signed Components CM-5(4) Dual Authorization CM-5(5) Privilege Limitation for Production and Operation CM-5(6) Limit Library Privileges CM-5(7) Automatic Implementation of Security Safeguards CM-6 Configuration Settings CM-6(1) Automated Management, Application, and Verification CM-6(2) Respond to Unauthorized Changes CM-6(3) Unauthorized Change Detection CM-6(4) Conformance Demonstration CM-7 Least Functionality CM-7(1) Periodic Review CM-7(2) Prevent Program Execution CM-7(3) Registration Compliance CM-7(4) Unauthorized Software — Deny-by-exception CM-7(5) Authorized Software — Allow-by-exception CM-7(6) Confined Environments with Limited Privileges CM-7(7) Code Execution in Protected Environments CM-7(8) Binary or Machine Executable Code CM-7(9) Prohibiting The Use of Unauthorized Hardware CM-8 System Component Inventory CM-8(1) Updates During Installation and Removal CM-8(2) Automated Maintenance CM-8(3) Automated Unauthorized Component Detection CM-8(4) Accountability Information CM-8(5) No Duplicate Accounting of Components CM-8(6) Assessed Configurations and Approved Deviations CM-8(7) Centralized Repository CM-8(8) Automated Location Tracking CM-8(9) Assignment of Components to Systems CM-9 Configuration Management Plan CM-9(1) Assignment of Responsibility CM-10 Software Usage Restrictions CM-10(1) Open-source Software CM-11 User-installed Software CM-11(1) Alerts for Unauthorized Installations CM-11(2) Software Installation with Privileged Status CM-11(3) Automated Enforcement and Monitoring CM-12 Information Location CM-12(1) Automated Tools to Support Information Location CM-13 Data Action Mapping CM-14 Signed Components
CP Contingency Planning 56
CP-1 Policy and Procedures CP-2 Contingency Plan CP-2(1) Coordinate with Related Plans CP-2(2) Capacity Planning CP-2(3) Resume Mission and Business Functions CP-2(4) Resume All Mission and Business Functions CP-2(5) Continue Mission and Business Functions CP-2(6) Alternate Processing and Storage Sites CP-2(7) Coordinate with External Service Providers CP-2(8) Identify Critical Assets CP-3 Contingency Training CP-3(1) Simulated Events CP-3(2) Mechanisms Used in Training Environments CP-4 Contingency Plan Testing CP-4(1) Coordinate with Related Plans CP-4(2) Alternate Processing Site CP-4(3) Automated Testing CP-4(4) Full Recovery and Reconstitution CP-4(5) Self-challenge CP-5 Contingency Plan Update CP-6 Alternate Storage Site CP-6(1) Separation from Primary Site CP-6(2) Recovery Time and Recovery Point Objectives CP-6(3) Accessibility CP-7 Alternate Processing Site CP-7(1) Separation from Primary Site CP-7(2) Accessibility CP-7(3) Priority of Service CP-7(4) Preparation for Use CP-7(5) Equivalent Information Security Safeguards CP-7(6) Inability to Return to Primary Site CP-8 Telecommunications Services CP-8(1) Priority of Service Provisions CP-8(2) Single Points of Failure CP-8(3) Separation of Primary and Alternate Providers CP-8(4) Provider Contingency Plan CP-8(5) Alternate Telecommunication Service Testing CP-9 System Backup CP-9(1) Testing for Reliability and Integrity CP-9(2) Test Restoration Using Sampling CP-9(3) Separate Storage for Critical Information CP-9(4) Protection from Unauthorized Modification CP-9(5) Transfer to Alternate Storage Site CP-9(6) Redundant Secondary System CP-9(7) Dual Authorization for Deletion or Destruction CP-9(8) Cryptographic Protection CP-10 System Recovery and Reconstitution CP-10(1) Contingency Plan Testing CP-10(2) Transaction Recovery CP-10(3) Compensating Security Controls CP-10(4) Restore Within Time Period CP-10(5) Failover Capability CP-10(6) Component Protection CP-11 Alternate Communications Protocols CP-12 Safe Mode CP-13 Alternative Security Mechanisms
IA Identification and Authentication 74
IA-1 Policy and Procedures IA-2 Identification and Authentication (Organizational Users) IA-2(1) Multi-factor Authentication to Privileged Accounts IA-2(2) Multi-factor Authentication to Non-privileged Accounts IA-2(3) Local Access to Privileged Accounts IA-2(4) Local Access to Non-privileged Accounts IA-2(5) Individual Authentication with Group Authentication IA-2(6) Access to Accounts —separate Device IA-2(7) Network Access to Non-privileged Accounts — Separate Device IA-2(8) Access to Accounts — Replay Resistant IA-2(9) Network Access to Non-privileged Accounts — Replay Resistant IA-2(10) Single Sign-on IA-2(11) Remote Access — Separate Device IA-2(12) Acceptance of PIV Credentials IA-2(13) Out-of-band Authentication IA-3 Device Identification and Authentication IA-3(1) Cryptographic Bidirectional Authentication IA-3(2) Cryptographic Bidirectional Network Authentication IA-3(3) Dynamic Address Allocation IA-3(4) Device Attestation IA-4 Identifier Management IA-4(1) Prohibit Account Identifiers as Public Identifiers IA-4(2) Supervisor Authorization IA-4(3) Multiple Forms of Certification IA-4(4) Identify User Status IA-4(5) Dynamic Management IA-4(6) Cross-organization Management IA-4(7) In-person Registration IA-4(8) Pairwise Pseudonymous Identifiers IA-4(9) Attribute Maintenance and Protection IA-5 Authenticator Management IA-5(1) Password-based Authentication IA-5(2) Public Key-based Authentication IA-5(3) In-person or Trusted External Party Registration IA-5(4) Automated Support for Password Strength Determination IA-5(5) Change Authenticators Prior to Delivery IA-5(6) Protection of Authenticators IA-5(7) No Embedded Unencrypted Static Authenticators IA-5(8) Multiple System Accounts IA-5(9) Federated Credential Management IA-5(10) Dynamic Credential Binding IA-5(11) Hardware Token-based Authentication IA-5(12) Biometric Authentication Performance IA-5(13) Expiration of Cached Authenticators IA-5(14) Managing Content of PKI Trust Stores IA-5(15) GSA-approved Products and Services IA-5(16) In-person or Trusted External Party Authenticator Issuance IA-5(17) Presentation Attack Detection for Biometric Authenticators IA-5(18) Password Managers IA-6 Authentication Feedback IA-7 Cryptographic Module Authentication IA-8 Identification and Authentication (Non-organizational Users) IA-8(1) Acceptance of PIV Credentials from Other Agencies IA-8(2) Acceptance of External Authenticators IA-8(3) Use of FICAM-approved Products IA-8(4) Use of Defined Profiles IA-8(5) Acceptance of PIV-I Credentials IA-8(6) Disassociability IA-9 Service Identification and Authentication IA-9(1) Information Exchange IA-9(2) Transmission of Decisions IA-10 Adaptive Authentication IA-11 Re-authentication IA-12 Identity Proofing IA-12(1) Supervisor Authorization IA-12(2) Identity Evidence IA-12(3) Identity Evidence Validation and Verification IA-12(4) In-person Validation and Verification IA-12(5) Address Confirmation IA-12(6) Accept Externally-proofed Identities IA-13 Identity Providers and Authorization Servers IA-13(1) Protection of Cryptographic Keys IA-13(2) Verification of Identity Assertions and Access Tokens IA-13(3) Token Management
IR Incident Response 42
IR-1 Policy and Procedures IR-2 Incident Response Training IR-2(1) Simulated Events IR-2(2) Automated Training Environments IR-2(3) Breach IR-3 Incident Response Testing IR-3(1) Automated Testing IR-3(2) Coordination with Related Plans IR-3(3) Continuous Improvement IR-4 Incident Handling IR-4(1) Automated Incident Handling Processes IR-4(2) Dynamic Reconfiguration IR-4(3) Continuity of Operations IR-4(4) Information Correlation IR-4(5) Automatic Disabling of System IR-4(6) Insider Threats IR-4(7) Insider Threats — Intra-organization Coordination IR-4(8) Correlation with External Organizations IR-4(9) Dynamic Response Capability IR-4(10) Supply Chain Coordination IR-4(11) Integrated Incident Response Team IR-4(12) Malicious Code and Forensic Analysis IR-4(13) Behavior Analysis IR-4(14) Security Operations Center IR-4(15) Public Relations and Reputation Repair IR-5 Incident Monitoring IR-5(1) Automated Tracking, Data Collection, and Analysis IR-6 Incident Reporting IR-6(1) Automated Reporting IR-6(2) Vulnerabilities Related to Incidents IR-6(3) Supply Chain Coordination IR-7 Incident Response Assistance IR-7(1) Automation Support for Availability of Information and Support IR-7(2) Coordination with External Providers IR-8 Incident Response Plan IR-8(1) Breaches IR-9 Information Spillage Response IR-9(1) Responsible Personnel IR-9(2) Training IR-9(3) Post-spill Operations IR-9(4) Exposure to Unauthorized Personnel IR-10 Integrated Information Security Analysis Team
MA Maintenance 30
MA-1 Policy and Procedures MA-2 Controlled Maintenance MA-2(1) Record Content MA-2(2) Automated Maintenance Activities MA-3 Maintenance Tools MA-3(1) Inspect Tools MA-3(2) Inspect Media MA-3(3) Prevent Unauthorized Removal MA-3(4) Restricted Tool Use MA-3(5) Execution with Privilege MA-3(6) Software Updates and Patches MA-4 Nonlocal Maintenance MA-4(1) Logging and Review MA-4(2) Document Nonlocal Maintenance MA-4(3) Comparable Security and Sanitization MA-4(4) Authentication and Separation of Maintenance Sessions MA-4(5) Approvals and Notifications MA-4(6) Cryptographic Protection MA-4(7) Disconnect Verification MA-5 Maintenance Personnel MA-5(1) Individuals Without Appropriate Access MA-5(2) Security Clearances for Classified Systems MA-5(3) Citizenship Requirements for Classified Systems MA-5(4) Foreign Nationals MA-5(5) Non-system Maintenance MA-6 Timely Maintenance MA-6(1) Preventive Maintenance MA-6(2) Predictive Maintenance MA-6(3) Automated Support for Predictive Maintenance MA-7 Field Maintenance
MP Media Protection 30
MP-1 Policy and Procedures MP-2 Media Access MP-2(1) Automated Restricted Access MP-2(2) Cryptographic Protection MP-3 Media Marking MP-4 Media Storage MP-4(1) Cryptographic Protection MP-4(2) Automated Restricted Access MP-5 Media Transport MP-5(1) Protection Outside of Controlled Areas MP-5(2) Documentation of Activities MP-5(3) Custodians MP-5(4) Cryptographic Protection MP-6 Media Sanitization MP-6(1) Review, Approve, Track, Document, and Verify MP-6(2) Equipment Testing MP-6(3) Nondestructive Techniques MP-6(4) Controlled Unclassified Information MP-6(5) Classified Information MP-6(6) Media Destruction MP-6(7) Dual Authorization MP-6(8) Remote Purging or Wiping of Information MP-7 Media Use MP-7(1) Prohibit Use Without Owner MP-7(2) Prohibit Use of Sanitization-resistant Media MP-8 Media Downgrading MP-8(1) Documentation of Process MP-8(2) Equipment Testing MP-8(3) Controlled Unclassified Information MP-8(4) Classified Information
PE Physical and Environmental Protection 59
PE-1 Policy and Procedures PE-2 Physical Access Authorizations PE-2(1) Access by Position or Role PE-2(2) Two Forms of Identification PE-2(3) Restrict Unescorted Access PE-3 Physical Access Control PE-3(1) System Access PE-3(2) Facility and Systems PE-3(3) Continuous Guards PE-3(4) Lockable Casings PE-3(5) Tamper Protection PE-3(6) Facility Penetration Testing PE-3(7) Physical Barriers PE-3(8) Access Control Vestibules PE-4 Access Control for Transmission PE-5 Access Control for Output Devices PE-5(1) Access to Output by Authorized Individuals PE-5(2) Link to Individual Identity PE-5(3) Marking Output Devices PE-6 Monitoring Physical Access PE-6(1) Intrusion Alarms and Surveillance Equipment PE-6(2) Automated Intrusion Recognition and Responses PE-6(3) Video Surveillance PE-6(4) Monitoring Physical Access to Systems PE-7 Visitor Control PE-8 Visitor Access Records PE-8(1) Automated Records Maintenance and Review PE-8(2) Physical Access Records PE-8(3) Limit Personally Identifiable Information Elements PE-9 Power Equipment and Cabling PE-9(1) Redundant Cabling PE-9(2) Automatic Voltage Controls PE-10 Emergency Shutoff PE-10(1) Accidental and Unauthorized Activation PE-11 Emergency Power PE-11(1) Alternate Power Supply — Minimal Operational Capability PE-11(2) Alternate Power Supply — Self-contained PE-12 Emergency Lighting PE-12(1) Essential Mission and Business Functions PE-13 Fire Protection PE-13(1) Detection Systems — Automatic Activation and Notification PE-13(2) Suppression Systems — Automatic Activation and Notification PE-13(3) Automatic Fire Suppression PE-13(4) Inspections PE-14 Environmental Controls PE-14(1) Automatic Controls PE-14(2) Monitoring with Alarms and Notifications PE-15 Water Damage Protection PE-15(1) Automation Support PE-16 Delivery and Removal PE-17 Alternate Work Site PE-18 Location of System Components PE-18(1) Facility Site PE-19 Information Leakage PE-19(1) National Emissions Policies and Procedures PE-20 Asset Monitoring and Tracking PE-21 Electromagnetic Pulse Protection PE-22 Component Marking PE-23 Facility Location
PL Planning 17
PL-1 Policy and Procedures PL-2 System Security and Privacy Plans PL-2(1) Concept of Operations PL-2(2) Functional Architecture PL-2(3) Plan and Coordinate with Other Organizational Entities PL-3 System Security Plan Update PL-4 Rules of Behavior PL-4(1) Social Media and External Site/Application Usage Restrictions PL-5 Privacy Impact Assessment PL-6 Security-related Activity Planning PL-7 Concept of Operations PL-8 Security and Privacy Architectures PL-8(1) Defense in Depth PL-8(2) Supplier Diversity PL-9 Central Management PL-10 Baseline Selection PL-11 Baseline Tailoring
PM Program Management 37
PM-1 Information Security Program Plan PM-2 Information Security Program Leadership Role PM-3 Information Security and Privacy Resources PM-4 Plan of Action and Milestones Process PM-5 System Inventory PM-5(1) Inventory of Personally Identifiable Information PM-6 Measures of Performance PM-7 Enterprise Architecture PM-7(1) Offloading PM-8 Critical Infrastructure Plan PM-9 Risk Management Strategy PM-10 Authorization Process PM-11 Mission and Business Process Definition PM-12 Insider Threat Program PM-13 Security and Privacy Workforce PM-14 Testing, Training, and Monitoring PM-15 Security and Privacy Groups and Associations PM-16 Threat Awareness Program PM-16(1) Automated Means for Sharing Threat Intelligence PM-17 Protecting Controlled Unclassified Information on External Systems PM-18 Privacy Program Plan PM-19 Privacy Program Leadership Role PM-20 Dissemination of Privacy Program Information PM-20(1) Privacy Policies on Websites, Applications, and Digital Services PM-21 Accounting of Disclosures PM-22 Personally Identifiable Information Quality Management PM-23 Data Governance Body PM-24 Data Integrity Board PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research PM-26 Complaint Management PM-27 Privacy Reporting PM-28 Risk Framing PM-29 Risk Management Program Leadership Roles PM-30 Supply Chain Risk Management Strategy PM-30(1) Suppliers of Critical or Mission-essential Items PM-31 Continuous Monitoring Strategy PM-32 Purposing
PS Personnel Security 18
PS-1 Policy and Procedures PS-2 Position Risk Designation PS-3 Personnel Screening PS-3(1) Classified Information PS-3(2) Formal Indoctrination PS-3(3) Information Requiring Special Protective Measures PS-3(4) Citizenship Requirements PS-4 Personnel Termination PS-4(1) Post-employment Requirements PS-4(2) Automated Actions PS-5 Personnel Transfer PS-6 Access Agreements PS-6(1) Information Requiring Special Protection PS-6(2) Classified Information Requiring Special Protection PS-6(3) Post-employment Requirements PS-7 External Personnel Security PS-8 Personnel Sanctions PS-9 Position Descriptions
PT Personally Identifiable Information Processing and Transparency 21
PT-1 Policy and Procedures PT-2 Authority to Process Personally Identifiable Information PT-2(1) Data Tagging PT-2(2) Automation PT-3 Personally Identifiable Information Processing Purposes PT-3(1) Data Tagging PT-3(2) Automation PT-4 Consent PT-4(1) Tailored Consent PT-4(2) Just-in-time Consent PT-4(3) Revocation PT-5 Privacy Notice PT-5(1) Just-in-time Notice PT-5(2) Privacy Act Statements PT-6 System of Records Notice PT-6(1) Routine Uses PT-6(2) Exemption Rules PT-7 Specific Categories of Personally Identifiable Information PT-7(1) Social Security Numbers PT-7(2) First Amendment Information PT-8 Computer Matching Requirements
RA Risk Assessment 26
RA-1 Policy and Procedures RA-2 Security Categorization RA-2(1) Impact-level Prioritization RA-3 Risk Assessment RA-3(1) Supply Chain Risk Assessment RA-3(2) Use of All-source Intelligence RA-3(3) Dynamic Threat Awareness RA-3(4) Predictive Cyber Analytics RA-4 Risk Assessment Update RA-5 Vulnerability Monitoring and Scanning RA-5(1) Update Tool Capability RA-5(2) Update Vulnerabilities to Be Scanned RA-5(3) Breadth and Depth of Coverage RA-5(4) Discoverable Information RA-5(5) Privileged Access RA-5(6) Automated Trend Analyses RA-5(7) Automated Detection and Notification of Unauthorized Components RA-5(8) Review Historic Audit Logs RA-5(9) Penetration Testing and Analyses RA-5(10) Correlate Scanning Information RA-5(11) Public Disclosure Program RA-6 Technical Surveillance Countermeasures Survey RA-7 Risk Response RA-8 Privacy Impact Assessments RA-9 Criticality Analysis RA-10 Threat Hunting
SA System and Services Acquisition 147
SA-1 Policy and Procedures SA-2 Allocation of Resources SA-3 System Development Life Cycle SA-3(1) Manage Preproduction Environment SA-3(2) Use of Live or Operational Data SA-3(3) Technology Refresh SA-4 Acquisition Process SA-4(1) Functional Properties of Controls SA-4(2) Design and Implementation Information for Controls SA-4(3) Development Methods, Techniques, and Practices SA-4(4) Assignment of Components to Systems SA-4(5) System, Component, and Service Configurations SA-4(6) Use of Information Assurance Products SA-4(7) NIAP-approved Protection Profiles SA-4(8) Continuous Monitoring Plan for Controls SA-4(9) Functions, Ports, Protocols, and Services in Use SA-4(10) Use of Approved PIV Products SA-4(11) System of Records SA-4(12) Data Ownership SA-5 System Documentation SA-5(1) Functional Properties of Security Controls SA-5(2) Security-relevant External System Interfaces SA-5(3) High-level Design SA-5(4) Low-level Design SA-5(5) Source Code SA-6 Software Usage Restrictions SA-7 User-installed Software SA-8 Security and Privacy Engineering Principles SA-8(1) Clear Abstractions SA-8(2) Least Common Mechanism SA-8(3) Modularity and Layering SA-8(4) Partially Ordered Dependencies SA-8(5) Efficiently Mediated Access SA-8(6) Minimized Sharing SA-8(7) Reduced Complexity SA-8(8) Secure Evolvability SA-8(9) Trusted Components SA-8(10) Hierarchical Trust SA-8(11) Inverse Modification Threshold SA-8(12) Hierarchical Protection SA-8(13) Minimized Security Elements SA-8(14) Least Privilege SA-8(15) Predicate Permission SA-8(16) Self-reliant Trustworthiness SA-8(17) Secure Distributed Composition SA-8(18) Trusted Communications Channels SA-8(19) Continuous Protection SA-8(20) Secure Metadata Management SA-8(21) Self-analysis SA-8(22) Accountability and Traceability SA-8(23) Secure Defaults SA-8(24) Secure Failure and Recovery SA-8(25) Economic Security SA-8(26) Performance Security SA-8(27) Human Factored Security SA-8(28) Acceptable Security SA-8(29) Repeatable and Documented Procedures SA-8(30) Procedural Rigor SA-8(31) Secure System Modification SA-8(32) Sufficient Documentation SA-8(33) Minimization SA-9 External System Services SA-9(1) Risk Assessments and Organizational Approvals SA-9(2) Identification of Functions, Ports, Protocols, and Services SA-9(3) Establish and Maintain Trust Relationship with Providers SA-9(4) Consistent Interests of Consumers and Providers SA-9(5) Processing, Storage, and Service Location SA-9(6) Organization-controlled Cryptographic Keys SA-9(7) Organization-controlled Integrity Checking SA-9(8) Processing and Storage Location — U.S. Jurisdiction SA-10 Developer Configuration Management SA-10(1) Software and Firmware Integrity Verification SA-10(2) Alternative Configuration Management Processes SA-10(3) Hardware Integrity Verification SA-10(4) Trusted Generation SA-10(5) Mapping Integrity for Version Control SA-10(6) Trusted Distribution SA-10(7) Security and Privacy Representatives SA-11 Developer Testing and Evaluation SA-11(1) Static Code Analysis SA-11(2) Threat Modeling and Vulnerability Analyses SA-11(3) Independent Verification of Assessment Plans and Evidence SA-11(4) Manual Code Reviews SA-11(5) Penetration Testing SA-11(6) Attack Surface Reviews SA-11(7) Verify Scope of Testing and Evaluation SA-11(8) Dynamic Code Analysis SA-11(9) Interactive Application Security Testing SA-12 Supply Chain Protection SA-12(1) Acquisition Strategies / Tools / Methods SA-12(2) Supplier Reviews SA-12(3) Trusted Shipping and Warehousing SA-12(4) Diversity of Suppliers SA-12(5) Limitation of Harm SA-12(6) Minimizing Procurement Time SA-12(7) Assessments Prior to Selection / Acceptance / Update SA-12(8) Use of All-source Intelligence SA-12(9) Operations Security SA-12(10) Validate as Genuine and Not Altered SA-12(11) Penetration Testing / Analysis of Elements, Processes, and Actors SA-12(12) Inter-organizational Agreements SA-12(13) Critical Information System Components SA-12(14) Identity and Traceability SA-12(15) Processes to Address Weaknesses or Deficiencies SA-13 Trustworthiness SA-14 Criticality Analysis SA-14(1) Critical Components with No Viable Alternative Sourcing SA-15 Development Process, Standards, and Tools SA-15(1) Quality Metrics SA-15(2) Security and Privacy Tracking Tools SA-15(3) Criticality Analysis SA-15(4) Threat Modeling and Vulnerability Analysis SA-15(5) Attack Surface Reduction SA-15(6) Continuous Improvement SA-15(7) Automated Vulnerability Analysis SA-15(8) Reuse of Threat and Vulnerability Information SA-15(9) Use of Live Data SA-15(10) Incident Response Plan SA-15(11) Archive System or Component SA-15(12) Minimize Personally Identifiable Information SA-15(13) Logging Syntax SA-16 Developer-provided Training SA-17 Developer Security and Privacy Architecture and Design SA-17(1) Formal Policy Model SA-17(2) Security-relevant Components SA-17(3) Formal Correspondence SA-17(4) Informal Correspondence SA-17(5) Conceptually Simple Design SA-17(6) Structure for Testing SA-17(7) Structure for Least Privilege SA-17(8) Orchestration SA-17(9) Design Diversity SA-18 Tamper Resistance and Detection SA-18(1) Multiple Phases of System Development Life Cycle SA-18(2) Inspection of Systems or Components SA-19 Component Authenticity SA-19(1) Anti-counterfeit Training SA-19(2) Configuration Control for Component Service and Repair SA-19(3) Component Disposal SA-19(4) Anti-counterfeit Scanning SA-20 Customized Development of Critical Components SA-21 Developer Screening SA-21(1) Validation of Screening SA-22 Unsupported System Components SA-22(1) Alternative Sources for Continued Support SA-23 Specialization SA-24 Design For Cyber Resiliency
SC System and Communications Protection 162
SC-1 Policy and Procedures SC-2 Separation of System and User Functionality SC-2(1) Interfaces for Non-privileged Users SC-2(2) Disassociability SC-3 Security Function Isolation SC-3(1) Hardware Separation SC-3(2) Access and Flow Control Functions SC-3(3) Minimize Nonsecurity Functionality SC-3(4) Module Coupling and Cohesiveness SC-3(5) Layered Structures SC-4 Information in Shared System Resources SC-4(1) Security Levels SC-4(2) Multilevel or Periods Processing SC-5 Denial-of-service Protection SC-5(1) Restrict Ability to Attack Other Systems SC-5(2) Capacity, Bandwidth, and Redundancy SC-5(3) Detection and Monitoring SC-6 Resource Availability SC-7 Boundary Protection SC-7(1) Physically Separated Subnetworks SC-7(2) Public Access SC-7(3) Access Points SC-7(4) External Telecommunications Services SC-7(5) Deny by Default — Allow by Exception SC-7(6) Response to Recognized Failures SC-7(7) Split Tunneling for Remote Devices SC-7(8) Route Traffic to Authenticated Proxy Servers SC-7(9) Restrict Threatening Outgoing Communications Traffic SC-7(10) Prevent Exfiltration SC-7(11) Restrict Incoming Communications Traffic SC-7(12) Host-based Protection SC-7(13) Isolation of Security Tools, Mechanisms, and Support Components SC-7(14) Protect Against Unauthorized Physical Connections SC-7(15) Networked Privileged Accesses SC-7(16) Prevent Discovery of System Components SC-7(17) Automated Enforcement of Protocol Formats SC-7(18) Fail Secure SC-7(19) Block Communication from Non-organizationally Configured Hosts SC-7(20) Dynamic Isolation and Segregation SC-7(21) Isolation of System Components SC-7(22) Separate Subnets for Connecting to Different Security Domains SC-7(23) Disable Sender Feedback on Protocol Validation Failure SC-7(24) Personally Identifiable Information SC-7(25) Unclassified National Security System Connections SC-7(26) Classified National Security System Connections SC-7(27) Unclassified Non-national Security System Connections SC-7(28) Connections to Public Networks SC-7(29) Separate Subnets to Isolate Functions SC-8 Transmission Confidentiality and Integrity SC-8(1) Cryptographic Protection SC-8(2) Pre- and Post-transmission Handling SC-8(3) Cryptographic Protection for Message Externals SC-8(4) Conceal or Randomize Communications SC-8(5) Protected Distribution System SC-9 Transmission Confidentiality SC-10 Network Disconnect SC-11 Trusted Path SC-11(1) Irrefutable Communications Path SC-12 Cryptographic Key Establishment and Management SC-12(1) Availability SC-12(2) Symmetric Keys SC-12(3) Asymmetric Keys SC-12(4) PKI Certificates SC-12(5) PKI Certificates / Hardware Tokens SC-12(6) Physical Control of Keys SC-13 Cryptographic Protection SC-13(1) FIPS-validated Cryptography SC-13(2) NSA-approved Cryptography SC-13(3) Individuals Without Formal Access Approvals SC-13(4) Digital Signatures SC-14 Public Access Protections SC-15 Collaborative Computing Devices and Applications SC-15(1) Physical or Logical Disconnect SC-15(2) Blocking Inbound and Outbound Communications Traffic SC-15(3) Disabling and Removal in Secure Work Areas SC-15(4) Explicitly Indicate Current Participants SC-16 Transmission of Security and Privacy Attributes SC-16(1) Integrity Verification SC-16(2) Anti-spoofing Mechanisms SC-16(3) Cryptographic Binding SC-17 Public Key Infrastructure Certificates SC-18 Mobile Code SC-18(1) Identify Unacceptable Code and Take Corrective Actions SC-18(2) Acquisition, Development, and Use SC-18(3) Prevent Downloading and Execution SC-18(4) Prevent Automatic Execution SC-18(5) Allow Execution Only in Confined Environments SC-19 Voice Over Internet Protocol SC-20 Secure Name/Address Resolution Service (Authoritative Source) SC-20(1) Child Subspaces SC-20(2) Data Origin and Integrity SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) SC-21(1) Data Origin and Integrity SC-22 Architecture and Provisioning for Name/Address Resolution Service SC-23 Session Authenticity SC-23(1) Invalidate Session Identifiers at Logout SC-23(2) User-initiated Logouts and Message Displays SC-23(3) Unique System-generated Session Identifiers SC-23(4) Unique Session Identifiers with Randomization SC-23(5) Allowed Certificate Authorities SC-24 Fail in Known State SC-25 Thin Nodes SC-26 Decoys SC-26(1) Detection of Malicious Code SC-27 Platform-independent Applications SC-28 Protection of Information at Rest SC-28(1) Cryptographic Protection SC-28(2) Offline Storage SC-28(3) Cryptographic Keys SC-29 Heterogeneity SC-29(1) Virtualization Techniques SC-30 Concealment and Misdirection SC-30(1) Virtualization Techniques SC-30(2) Randomness SC-30(3) Change Processing and Storage Locations SC-30(4) Misleading Information SC-30(5) Concealment of System Components SC-31 Covert Channel Analysis SC-31(1) Test Covert Channels for Exploitability SC-31(2) Maximum Bandwidth SC-31(3) Measure Bandwidth in Operational Environments SC-32 System Partitioning SC-32(1) Separate Physical Domains for Privileged Functions SC-33 Transmission Preparation Integrity SC-34 Non-modifiable Executable Programs SC-34(1) No Writable Storage SC-34(2) Integrity Protection on Read-only Media SC-34(3) Hardware-based Protection SC-35 External Malicious Code Identification SC-36 Distributed Processing and Storage SC-36(1) Polling Techniques SC-36(2) Synchronization SC-37 Out-of-band Channels SC-37(1) Ensure Delivery and Transmission SC-38 Operations Security SC-39 Process Isolation SC-39(1) Hardware Separation SC-39(2) Separate Execution Domain Per Thread SC-40 Wireless Link Protection SC-40(1) Electromagnetic Interference SC-40(2) Reduce Detection Potential SC-40(3) Imitative or Manipulative Communications Deception SC-40(4) Signal Parameter Identification SC-41 Port and I/O Device Access SC-42 Sensor Capability and Data SC-42(1) Reporting to Authorized Individuals or Roles SC-42(2) Authorized Use SC-42(3) Prohibit Use of Devices SC-42(4) Notice of Collection SC-42(5) Collection Minimization SC-43 Usage Restrictions SC-44 Detonation Chambers SC-45 System Time Synchronization SC-45(1) Synchronization with Authoritative Time Source SC-45(2) Secondary Authoritative Time Source SC-46 Cross Domain Policy Enforcement SC-47 Alternate Communications Paths SC-48 Sensor Relocation SC-48(1) Dynamic Relocation of Sensors or Monitoring Capabilities SC-49 Hardware-enforced Separation and Policy Enforcement SC-50 Software-enforced Separation and Policy Enforcement SC-51 Hardware-based Protection
SI System and Information Integrity 119
SI-1 Policy and Procedures SI-2 Flaw Remediation SI-2(1) Central Management SI-2(2) Automated Flaw Remediation Status SI-2(3) Time to Remediate Flaws and Benchmarks for Corrective Actions SI-2(4) Automated Patch Management Tools SI-2(5) Automatic Software and Firmware Updates SI-2(6) Removal of Previous Versions of Software and Firmware SI-2(7) Root Cause Analysis SI-3 Malicious Code Protection SI-3(1) Central Management SI-3(2) Automatic Updates SI-3(3) Non-privileged Users SI-3(4) Updates Only by Privileged Users SI-3(5) Portable Storage Devices SI-3(6) Testing and Verification SI-3(7) Nonsignature-based Detection SI-3(8) Detect Unauthorized Commands SI-3(9) Authenticate Remote Commands SI-3(10) Malicious Code Analysis SI-4 System Monitoring SI-4(1) System-wide Intrusion Detection System SI-4(2) Automated Tools and Mechanisms for Real-time Analysis SI-4(3) Automated Tool and Mechanism Integration SI-4(4) Inbound and Outbound Communications Traffic SI-4(5) System-generated Alerts SI-4(6) Restrict Non-privileged Users SI-4(7) Automated Response to Suspicious Events SI-4(8) Protection of Monitoring Information SI-4(9) Testing of Monitoring Tools and Mechanisms SI-4(10) Visibility of Encrypted Communications SI-4(11) Analyze Communications Traffic Anomalies SI-4(12) Automated Organization-generated Alerts SI-4(13) Analyze Traffic and Event Patterns SI-4(14) Wireless Intrusion Detection SI-4(15) Wireless to Wireline Communications SI-4(16) Correlate Monitoring Information SI-4(17) Integrated Situational Awareness SI-4(18) Analyze Traffic and Covert Exfiltration SI-4(19) Risk for Individuals SI-4(20) Privileged Users SI-4(21) Probationary Periods SI-4(22) Unauthorized Network Services SI-4(23) Host-based Devices SI-4(24) Indicators of Compromise SI-4(25) Optimize Network Traffic Analysis SI-5 Security Alerts, Advisories, and Directives SI-5(1) Automated Alerts and Advisories SI-6 Security and Privacy Function Verification SI-6(1) Notification of Failed Security Tests SI-6(2) Automation Support for Distributed Testing SI-6(3) Report Verification Results SI-7 Software, Firmware, and Information Integrity SI-7(1) Integrity Checks SI-7(2) Automated Notifications of Integrity Violations SI-7(3) Centrally Managed Integrity Tools SI-7(4) Tamper-evident Packaging SI-7(5) Automated Response to Integrity Violations SI-7(6) Cryptographic Protection SI-7(7) Integration of Detection and Response SI-7(8) Auditing Capability for Significant Events SI-7(9) Verify Boot Process SI-7(10) Protection of Boot Firmware SI-7(11) Confined Environments with Limited Privileges SI-7(12) Integrity Verification SI-7(13) Code Execution in Protected Environments SI-7(14) Binary or Machine Executable Code SI-7(15) Code Authentication SI-7(16) Time Limit on Process Execution Without Supervision SI-7(17) Runtime Application Self-protection SI-8 Spam Protection SI-8(1) Central Management SI-8(2) Automatic Updates SI-8(3) Continuous Learning Capability SI-9 Information Input Restrictions SI-10 Information Input Validation SI-10(1) Manual Override Capability SI-10(2) Review and Resolve Errors SI-10(3) Predictable Behavior SI-10(4) Timing Interactions SI-10(5) Restrict Inputs to Trusted Sources and Approved Formats SI-10(6) Injection Prevention SI-11 Error Handling SI-12 Information Management and Retention SI-12(1) Limit Personally Identifiable Information Elements SI-12(2) Minimize Personally Identifiable Information in Testing, Training, and Research SI-12(3) Information Disposal SI-13 Predictable Failure Prevention SI-13(1) Transferring Component Responsibilities SI-13(2) Time Limit on Process Execution Without Supervision SI-13(3) Manual Transfer Between Components SI-13(4) Standby Component Installation and Notification SI-13(5) Failover Capability SI-14 Non-persistence SI-14(1) Refresh from Trusted Sources SI-14(2) Non-persistent Information SI-14(3) Non-persistent Connectivity SI-15 Information Output Filtering SI-16 Memory Protection SI-17 Fail-safe Procedures SI-18 Personally Identifiable Information Quality Operations SI-18(1) Automation Support SI-18(2) Data Tags SI-18(3) Collection SI-18(4) Individual Requests SI-18(5) Notice of Correction or Deletion SI-19 De-identification SI-19(1) Collection SI-19(2) Archiving SI-19(3) Release SI-19(4) Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers SI-19(5) Statistical Disclosure Control SI-19(6) Differential Privacy SI-19(7) Validated Algorithms and Software SI-19(8) Motivated Intruder SI-20 Tainting SI-21 Information Refresh SI-22 Information Diversity SI-23 Information Fragmentation
SR Supply Chain Risk Management 27
SR-1 Policy and Procedures SR-2 Supply Chain Risk Management Plan SR-2(1) Establish SCRM Team SR-3 Supply Chain Controls and Processes SR-3(1) Diverse Supply Base SR-3(2) Limitation of Harm SR-3(3) Sub-tier Flow Down SR-4 Provenance SR-4(1) Identity SR-4(2) Track and Trace SR-4(3) Validate as Genuine and Not Altered SR-4(4) Supply Chain Integrity — Pedigree SR-5 Acquisition Strategies, Tools, and Methods SR-5(1) Adequate Supply SR-5(2) Assessments Prior to Selection, Acceptance, Modification, or Update SR-6 Supplier Assessments and Reviews SR-6(1) Testing and Analysis SR-7 Supply Chain Operations Security SR-8 Notification Agreements SR-9 Tamper Resistance and Detection SR-9(1) Multiple Stages of System Development Life Cycle SR-10 Inspection of Systems or Components SR-11 Component Authenticity SR-11(1) Anti-counterfeit Training SR-11(2) Configuration Control for Component Service and Repair SR-11(3) Anti-counterfeit Scanning SR-12 Component Disposal