SCF Report

The following report demonstrates how our policies align with the Secure Controls Framework. The report is intended for internal use only and should not be shared with external parties.

SCF Control Coverage 20 / 1239 controls mapped 2%

Cybersecurity & Data Protection Governance 2/31

GOV-01: Cybersecurity & Data Protection Governance Program 1 policy

GOV-01.1: Steering Committee & Program Oversight

No policies mapped to GOV-01.1

GOV-01.2: Status Reporting To Governing Body

No policies mapped to GOV-01.2

GOV-02: Publishing Cybersecurity & Data Protection Documentation 1 policy

GOV-02.1: Exception Management

No policies mapped to GOV-02.1

GOV-03: Periodic Review & Update of Cybersecurity & Data Protection Program

No policies mapped to GOV-03

GOV-04: Assigned Cybersecurity & Data Protection Responsibilities

No policies mapped to GOV-04

GOV-04.1: Stakeholder Accountability Structure

No policies mapped to GOV-04.1

GOV-04.2: Authoritative Chain of Command

No policies mapped to GOV-04.2

GOV-05: Measures of Performance

No policies mapped to GOV-05

GOV-05.1: Key Performance Indicators (KPIs)

No policies mapped to GOV-05.1

GOV-05.2: Key Risk Indicators (KRIs)

No policies mapped to GOV-05.2

GOV-06: Contacts With Authorities

No policies mapped to GOV-06

GOV-07: Contacts With Groups & Associations

No policies mapped to GOV-07

GOV-08: Defining Business Context & Mission

No policies mapped to GOV-08

GOV-09: Define Control Objectives

No policies mapped to GOV-09

GOV-10: Data Governance

No policies mapped to GOV-10

GOV-11: Purpose Validation

No policies mapped to GOV-11

GOV-12: Forced Technology Transfer (FTT)

No policies mapped to GOV-12

GOV-13: State-Sponsored Espionage

No policies mapped to GOV-13

GOV-14: Business As Usual (BAU) Secure Practices

No policies mapped to GOV-14

GOV-15: Operationalizing Cybersecurity & Data Protection Practices

No policies mapped to GOV-15

GOV-15.1: Select Controls

No policies mapped to GOV-15.1

GOV-15.2: Implement Controls

No policies mapped to GOV-15.2

GOV-15.3: Assess Controls

No policies mapped to GOV-15.3

GOV-15.4: Authorize Systems, Applications & Services

No policies mapped to GOV-15.4

GOV-15.5: Monitor Controls

No policies mapped to GOV-15.5

GOV-16: Materiality Determination

No policies mapped to GOV-16

GOV-16.1: Material Risks

No policies mapped to GOV-16.1

GOV-16.2: Material Threats

No policies mapped to GOV-16.2

GOV-17: Cybersecurity & Data Privacy Status Reporting

No policies mapped to GOV-17

Artificial & Autonomous Technologies 0/67

AAT-01: Artificial Intelligence (AI) & Autonomous Technologies Governance

No policies mapped to AAT-01

AAT-01.1: AI & Autonomous Technologies-Related Legal Requirements Definition

No policies mapped to AAT-01.1

AAT-01.2: Trustworthy AI & Autonomous Technologies

No policies mapped to AAT-01.2

AAT-01.3: AI & Autonomous Technologies Value Sustainment

No policies mapped to AAT-01.3

AAT-02: Situational Awareness of AI & Autonomous Technologies

No policies mapped to AAT-02

AAT-02.1: AI & Autonomous Technologies Risk Mapping

No policies mapped to AAT-02.1

AAT-02.2: AI & Autonomous Technologies Internal Controls

No policies mapped to AAT-02.2

AAT-03: AI & Autonomous Technologies Context Definition

No policies mapped to AAT-03

AAT-03.1: AI & Autonomous Technologies Mission and Goals Definition

No policies mapped to AAT-03.1

AAT-04: AI & Autonomous Technologies Business Case

No policies mapped to AAT-04

AAT-04.1: AI & Autonomous Technologies Potential Benefits Analysis

No policies mapped to AAT-04.1

AAT-04.2: AI & Autonomous Technologies Potential Costs Analysis

No policies mapped to AAT-04.2

AAT-04.3: AI & Autonomous Technologies Targeted Application Scope

No policies mapped to AAT-04.3

AAT-04.4: AI & Autonomous Technologies Cost / Benefit Mapping

No policies mapped to AAT-04.4

AAT-05: AI & Autonomous Technologies Training

No policies mapped to AAT-05

AAT-06: AI & Autonomous Technologies Fairness & Bias

No policies mapped to AAT-06

AAT-07: AI & Autonomous Technologies Risk Management Decisions

No policies mapped to AAT-07

AAT-07.1: AI & Autonomous Technologies Impact Characterization

No policies mapped to AAT-07.1

AAT-07.2: AI & Autonomous Technologies Likelihood & Impact Risk Analysis

No policies mapped to AAT-07.2

AAT-07.3: AI & Autonomous Technologies Continuous Improvements

No policies mapped to AAT-07.3

AAT-08: Assigned Responsibilities for AI & Autonomous Technologies

No policies mapped to AAT-08

AAT-09: AI & Autonomous Technologies Risk Profiling

No policies mapped to AAT-09

AAT-10: Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)

No policies mapped to AAT-10

AAT-10.1: AI TEVV Trustworthiness Assessment

No policies mapped to AAT-10.1

AAT-10.2: AI TEVV Tools

No policies mapped to AAT-10.2

AAT-10.3: AI TEVV Trustworthiness Demonstration

No policies mapped to AAT-10.3

AAT-10.4: AI TEVV Safety Demonstration

No policies mapped to AAT-10.4

AAT-10.5: AI TEVV Resiliency Assessment

No policies mapped to AAT-10.5

AAT-10.6: AI TEVV Transparency & Accountability Assessment

No policies mapped to AAT-10.6

AAT-10.7: AI TEVV Privacy Assessment

No policies mapped to AAT-10.7

AAT-10.8: AI TEVV Fairness & Bias Assessment

No policies mapped to AAT-10.8

AAT-10.9: AI & Autonomous Technologies Model Validation

No policies mapped to AAT-10.9

AAT-10.10: AI TEVV Results Evaluation

No policies mapped to AAT-10.10

AAT-10.11: AI TEVV Effectiveness

No policies mapped to AAT-10.11

AAT-10.12: AI TEVV Comparable Deployment Settings

No policies mapped to AAT-10.12

AAT-10.13: AI TEVV Post-Deployment Monitoring

No policies mapped to AAT-10.13

AAT-10.14: Updating AI & Autonomous Technologies

No policies mapped to AAT-10.14

AAT-11: Robust Stakeholder Engagement for AI & Autonomous Technologies

No policies mapped to AAT-11

AAT-11.1: AI & Autonomous Technologies Stakeholder Feedback Integration

No policies mapped to AAT-11.1

AAT-11.2: AI & Autonomous Technologies Ongoing Assessments

No policies mapped to AAT-11.2

AAT-11.3: AI & Autonomous Technologies End User Feedback

No policies mapped to AAT-11.3

AAT-11.4: AI & Autonomous Technologies Incident & Error Reporting

No policies mapped to AAT-11.4

AAT-12: AI & Autonomous Technologies Intellectual Property Infringement Protections

No policies mapped to AAT-12

AAT-12.1: Data Source Identification

No policies mapped to AAT-12.1

AAT-12.2: Data Source Integrity

No policies mapped to AAT-12.2

AAT-13: AI & Autonomous Technologies Stakeholder Diversity

No policies mapped to AAT-13

AAT-13.1: AI & Autonomous Technologies Stakeholder Competencies

No policies mapped to AAT-13.1

AAT-14: AI & Autonomous Technologies Requirements Definitions

No policies mapped to AAT-14

AAT-14.1: AI & Autonomous Technologies Implementation Tasks Definition

No policies mapped to AAT-14.1

AAT-14.2: AI & Autonomous Technologies Knowledge Limits

No policies mapped to AAT-14.2

AAT-15: AI & Autonomous Technologies Viability Decisions

No policies mapped to AAT-15

AAT-15.1: AI & Autonomous Technologies Negative Residual Risks

No policies mapped to AAT-15.1

AAT-15.2: Responsibility To Supersede, Deactivate and/or Disengage AI & Autonomous Technologies

No policies mapped to AAT-15.2

AAT-16: AI & Autonomous Technologies Production Monitoring

No policies mapped to AAT-16

AAT-16.1: AI & Autonomous Technologies Measurement Approaches

No policies mapped to AAT-16.1

AAT-16.2: Measuring AI & Autonomous Technologies Effectiveness

No policies mapped to AAT-16.2

AAT-16.3: Unmeasurable AI & Autonomous Technologies Risks

No policies mapped to AAT-16.3

AAT-16.4: Efficacy of AI & Autonomous Technologies Measurement

No policies mapped to AAT-16.4

AAT-16.5: AI & Autonomous Technologies Domain Expert Reviews

No policies mapped to AAT-16.5

AAT-16.6: AI & Autonomous Technologies Performance Changes

No policies mapped to AAT-16.6

AAT-16.7: Pre-Trained AI & Autonomous Technologies Models

No policies mapped to AAT-16.7

AAT-17: AI & Autonomous Technologies Harm Prevention

No policies mapped to AAT-17

AAT-17.1: AI & Autonomous Technologies Human Subject Protections

No policies mapped to AAT-17.1

AAT-17.2: AI & Autonomous Technologies Environmental Impact & Sustainability

No policies mapped to AAT-17.2

AAT-17.3: Previously Unknown AI & Autonomous Technologies Threats & Risks

No policies mapped to AAT-17.3

AAT-18: AI & Autonomous Technologies Risk Tracking Approaches

No policies mapped to AAT-18

AAT-18.1: AI & Autonomous Technologies Risk Response

No policies mapped to AAT-18.1

Asset Management 0/59

AST-01: Asset Governance

No policies mapped to AST-01

AST-01.1: Asset-Service Dependencies

No policies mapped to AST-01.1

AST-01.2: Stakeholder Identification & Involvement

No policies mapped to AST-01.2

AST-01.3: Standardized Naming Convention

No policies mapped to AST-01.3

AST-01.4: Approved Technologies

No policies mapped to AST-01.4

AST-02: Asset Inventories

No policies mapped to AST-02

AST-02.1: Updates During Installations / Removals

No policies mapped to AST-02.1

AST-02.2: Automated Unauthorized Component Detection

No policies mapped to AST-02.2

AST-02.3: Component Duplication Avoidance

No policies mapped to AST-02.3

AST-02.4: Approved Baseline Deviations

No policies mapped to AST-02.4

AST-02.5: Network Access Control (NAC)

No policies mapped to AST-02.5

AST-02.6: Dynamic Host Configuration Protocol (DHCP) Server Logging

No policies mapped to AST-02.6

AST-02.7: Software Licensing Restrictions

No policies mapped to AST-02.7

AST-02.8: Data Action Mapping

No policies mapped to AST-02.8

AST-02.9: Configuration Management Database (CMDB)

No policies mapped to AST-02.9

AST-02.10: Automated Location Tracking

No policies mapped to AST-02.10

AST-02.11: Component Assignment

No policies mapped to AST-02.11

AST-03: Asset Ownership Assignment

No policies mapped to AST-03

AST-03.1: Accountability Information

No policies mapped to AST-03.1

AST-03.2: Provenance

No policies mapped to AST-03.2

AST-04: Network Diagrams & Data Flow Diagrams (DFDs)

No policies mapped to AST-04

AST-04.1: Asset Scope Classification

No policies mapped to AST-04.1

AST-04.2: Control Applicability Boundary Graphical Representation

No policies mapped to AST-04.2

AST-04.3: Compliance-Specific Asset Identification

No policies mapped to AST-04.3

AST-05: Security of Assets & Media

No policies mapped to AST-05

AST-05.1: Management Approval For External Media Transfer

No policies mapped to AST-05.1

AST-06: Unattended End-User Equipment

No policies mapped to AST-06

AST-06.1: Asset Storage In Automobiles

No policies mapped to AST-06.1

AST-07: Kiosks & Point of Interaction (PoI) Devices

No policies mapped to AST-07

AST-08: Physical Tampering Detection

No policies mapped to AST-08

AST-09: Secure Disposal, Destruction or Re-Use of Equipment

No policies mapped to AST-09

AST-10: Return of Assets

No policies mapped to AST-10

AST-11: Removal of Assets

No policies mapped to AST-11

AST-12: Use of Personal Devices

No policies mapped to AST-12

AST-13: Use of Third-Party Devices

No policies mapped to AST-13

AST-14: Usage Parameters

No policies mapped to AST-14

AST-14.1: Bluetooth & Wireless Devices

No policies mapped to AST-14.1

AST-14.2: Infrared Communications

No policies mapped to AST-14.2

AST-15: Logical Tampering Protection

No policies mapped to AST-15

AST-15.1: Inspection of Systems, Components & Devices

No policies mapped to AST-15.1

AST-16: Bring Your Own Device (BYOD) Usage

No policies mapped to AST-16

AST-17: Prohibited Equipment & Services

No policies mapped to AST-17

AST-18: Roots of Trust Protection

No policies mapped to AST-18

AST-19: Telecommunications Equipment

No policies mapped to AST-19

AST-20: Video Teleconference (VTC) Security

No policies mapped to AST-20

AST-21: Voice Over Internet Protocol (VoIP) Security

No policies mapped to AST-21

AST-22: Microphones & Web Cameras

No policies mapped to AST-22

AST-23: Multi-Function Devices (MFD)

No policies mapped to AST-23

AST-24: Travel-Only Devices

No policies mapped to AST-24

AST-25: Re-Imaging Devices After Travel

No policies mapped to AST-25

AST-26: System Administrative Processes

No policies mapped to AST-26

AST-27: Jump Server

No policies mapped to AST-27

AST-28: Database Administrative Processes

No policies mapped to AST-28

AST-28.1: Database Management System (DBMS)

No policies mapped to AST-28.1

AST-29: Radio Frequency Identification (RFID) Security

No policies mapped to AST-29

AST-29.1: Contactless Access Control Systems

No policies mapped to AST-29.1

AST-30: Decommissioning

No policies mapped to AST-30

AST-31: Asset Categorization

No policies mapped to AST-31

AST-31.1: Categorize Artificial Intelligence (AI)-Related Technologies

No policies mapped to AST-31.1

Business Continuity & Disaster Recovery 0/56

BCD-01: Business Continuity Management System (BCMS)

No policies mapped to BCD-01

BCD-01.1: Coordinate with Related Plans

No policies mapped to BCD-01.1

BCD-01.2: Coordinate With External Service Providers

No policies mapped to BCD-01.2

BCD-01.3: Transfer to Alternate Processing / Storage Site

No policies mapped to BCD-01.3

BCD-01.4: Recovery Time / Point Objectives (RTO / RPO)

No policies mapped to BCD-01.4

BCD-01.5: Recovery Operations Criteria

No policies mapped to BCD-01.5

BCD-01.6: Recovery Operations Communications

No policies mapped to BCD-01.6

BCD-02: Identify Critical Assets

No policies mapped to BCD-02

BCD-02.1: Resume All Missions & Business Functions

No policies mapped to BCD-02.1

BCD-02.2: Continue Essential Mission & Business Functions

No policies mapped to BCD-02.2

BCD-02.3: Resume Essential Missions & Business Functions

No policies mapped to BCD-02.3

BCD-02.4: Data Storage Location Reviews

No policies mapped to BCD-02.4

BCD-03: Contingency Training

No policies mapped to BCD-03

BCD-03.1: Simulated Events

No policies mapped to BCD-03.1

BCD-03.2: Automated Training Environments

No policies mapped to BCD-03.2

BCD-04: Contingency Plan Testing & Exercises

No policies mapped to BCD-04

BCD-04.1: Coordinated Testing with Related Plans

No policies mapped to BCD-04.1

BCD-04.2: Alternate Storage & Processing Sites

No policies mapped to BCD-04.2

BCD-05: Contingency Plan Root Cause Analysis (RCA) & Lessons Learned

No policies mapped to BCD-05

BCD-06: Ongoing Contingency Planning

No policies mapped to BCD-06

BCD-07: Alternative Security Measures

No policies mapped to BCD-07

BCD-08: Alternate Storage Site

No policies mapped to BCD-08

BCD-08.1: Separation from Primary Site

No policies mapped to BCD-08.1

BCD-08.2: Accessibility

No policies mapped to BCD-08.2

BCD-09: Alternate Processing Site

No policies mapped to BCD-09

BCD-09.1: Separation from Primary Site

No policies mapped to BCD-09.1

BCD-09.2: Accessibility

No policies mapped to BCD-09.2

BCD-09.3: Alternate Site Priority of Service

No policies mapped to BCD-09.3

BCD-09.4: Preparation for Use

No policies mapped to BCD-09.4

BCD-09.5: Inability to Return to Primary Site

No policies mapped to BCD-09.5

BCD-10: Telecommunications Services Availability

No policies mapped to BCD-10

BCD-10.1: Telecommunications Priority of Service Provisions

No policies mapped to BCD-10.1

BCD-10.2: Separation of Primary / Alternate Providers

No policies mapped to BCD-10.2

BCD-10.3: Provider Contingency Plan

No policies mapped to BCD-10.3

BCD-10.4: Alternate Communications Channels

No policies mapped to BCD-10.4

BCD-11: Data Backups

No policies mapped to BCD-11

BCD-11.1: Testing for Reliability & Integrity

No policies mapped to BCD-11.1

BCD-11.2: Separate Storage for Critical Information

No policies mapped to BCD-11.2

BCD-11.3: Information System Imaging

No policies mapped to BCD-11.3

BCD-11.4: Cryptographic Protection

No policies mapped to BCD-11.4

BCD-11.5: Test Restoration Using Sampling

No policies mapped to BCD-11.5

BCD-11.6: Transfer to Alternate Storage Site

No policies mapped to BCD-11.6

BCD-11.7: Redundant Secondary System

No policies mapped to BCD-11.7

BCD-11.8: Dual Authorization For Backup Media Destruction

No policies mapped to BCD-11.8

BCD-11.9: Backup Access

No policies mapped to BCD-11.9

BCD-11.10: Backup Modification and/or Destruction

No policies mapped to BCD-11.10

BCD-12: Information System Recovery & Reconstitution

No policies mapped to BCD-12

BCD-12.1: Transaction Recovery

No policies mapped to BCD-12.1

BCD-12.2: Failover Capability

No policies mapped to BCD-12.2

BCD-12.3: Electronic Discovery (eDiscovery)

No policies mapped to BCD-12.3

BCD-12.4: Restore Within Time Period

No policies mapped to BCD-12.4

BCD-13: Backup & Restoration Hardware Protection

No policies mapped to BCD-13

BCD-13.1: Restoration Integrity Verification

No policies mapped to BCD-13.1

BCD-14: Isolated Recovery Environment

No policies mapped to BCD-14

BCD-15: Reserve Hardware

No policies mapped to BCD-15

BCD-16: AI & Autonomous Technologies Incidents

No policies mapped to BCD-16

Capacity & Performance Planning 0/6

CAP-01: Capacity & Performance Management

No policies mapped to CAP-01

CAP-02: Resource Priority

No policies mapped to CAP-02

CAP-03: Capacity Planning

No policies mapped to CAP-03

CAP-04: Performance Monitoring

No policies mapped to CAP-04

CAP-05: Elastic Expansion

No policies mapped to CAP-05

CAP-06: Regional Delivery

No policies mapped to CAP-06

Change Management 0/17

CHG-01: Change Management Program

No policies mapped to CHG-01

CHG-02: Configuration Change Control

No policies mapped to CHG-02

CHG-02.1: Prohibition Of Changes

No policies mapped to CHG-02.1

CHG-02.2: Test, Validate & Document Changes

No policies mapped to CHG-02.2

CHG-02.3: Cybersecurity & Data Privacy Representative for Asset Lifecycle Changes

No policies mapped to CHG-02.3

CHG-02.4: Automated Security Response

No policies mapped to CHG-02.4

CHG-02.5: Cryptographic Management

No policies mapped to CHG-02.5

CHG-03: Security Impact Analysis for Changes

No policies mapped to CHG-03

CHG-04: Access Restriction For Change

No policies mapped to CHG-04

CHG-04.1: Automated Access Enforcement / Auditing

No policies mapped to CHG-04.1

CHG-04.2: Signed Components

No policies mapped to CHG-04.2

CHG-04.3: Dual Authorization for Change

No policies mapped to CHG-04.3

CHG-04.4: Permissions To Implement Changes

No policies mapped to CHG-04.4

CHG-04.5: Library Privileges

No policies mapped to CHG-04.5

CHG-05: Stakeholder Notification of Changes

No policies mapped to CHG-05

CHG-06: Control Functionality Verification

No policies mapped to CHG-06

CHG-06.1: Report Verification Results

No policies mapped to CHG-06.1

Cloud Security 0/22

CLD-01: Cloud Services

No policies mapped to CLD-01

CLD-01.1: Cloud Infrastructure Onboarding

No policies mapped to CLD-01.1

CLD-01.2: Cloud Infrastructure Offboarding

No policies mapped to CLD-01.2

CLD-02: Cloud Security Architecture

No policies mapped to CLD-02

CLD-03: Cloud Infrastructure Security Subnet

No policies mapped to CLD-03

CLD-04: Application & Program Interface (API) Security

No policies mapped to CLD-04

CLD-05: Virtual Machine Images

No policies mapped to CLD-05

CLD-06: Multi-Tenant Environments

No policies mapped to CLD-06

CLD-06.1: Customer Responsibility Matrix (CRM)

No policies mapped to CLD-06.1

CLD-06.2: Multi-Tenant Event Logging Capabilities

No policies mapped to CLD-06.2

CLD-06.3: Multi-Tenant Forensics Capabilities

No policies mapped to CLD-06.3

CLD-06.4: Multi-Tenant Incident Response Capabilities

No policies mapped to CLD-06.4

CLD-07: Data Handling & Portability

No policies mapped to CLD-07

CLD-08: Standardized Virtualization Formats

No policies mapped to CLD-08

CLD-09: Geolocation Requirements for Processing, Storage and Service Locations

No policies mapped to CLD-09

CLD-10: Sensitive Data In Public Cloud Providers

No policies mapped to CLD-10

CLD-11: Cloud Access Security Broker (CASB)

No policies mapped to CLD-11

CLD-12: Side Channel Attack Prevention

No policies mapped to CLD-12

CLD-13: Hosted Systems, Applications & Services

No policies mapped to CLD-13

CLD-13.1: Authorized Individuals For Hosted Systems, Applications & Services

No policies mapped to CLD-13.1

CLD-13.2: Sensitive/Regulated Data On Hosted Systems, Applications & Services

No policies mapped to CLD-13.2

CLD-14: Prohibition On Unverified Hosted Systems, Applications & Services

No policies mapped to CLD-14

Compliance 1/13

CPL-01: Statutory, Regulatory & Contractual Compliance 1 policy

CPL-01.1: Non-Compliance Oversight

No policies mapped to CPL-01.1

CPL-01.2: Compliance Scope

No policies mapped to CPL-01.2

CPL-02: Cybersecurity & Data Protection Controls Oversight

No policies mapped to CPL-02

CPL-02.1: Internal Audit Function

No policies mapped to CPL-02.1

CPL-03: Cybersecurity & Data Protection Assessments

No policies mapped to CPL-03

CPL-03.1: Independent Assessors

No policies mapped to CPL-03.1

CPL-03.2: Functional Review Of Cybersecurity & Data Protection Controls

No policies mapped to CPL-03.2

CPL-04: Audit Activities

No policies mapped to CPL-04

CPL-05: Legal Assessment of Investigative Inquires

No policies mapped to CPL-05

CPL-05.1: Investigation Request Notifications

No policies mapped to CPL-05.1

CPL-05.2: Investigation Access Restrictions

No policies mapped to CPL-05.2

CPL-06: Government Surveillance

No policies mapped to CPL-06

Configuration Management 0/28

CFG-01: Configuration Management Program

No policies mapped to CFG-01

CFG-01.1: Assignment of Responsibility

No policies mapped to CFG-01.1

CFG-02: System Hardening Through Baseline Configurations

No policies mapped to CFG-02

CFG-02.1: Reviews & Updates

No policies mapped to CFG-02.1

CFG-02.2: Automated Central Management & Verification

No policies mapped to CFG-02.2

CFG-02.3: Retention Of Previous Configurations

No policies mapped to CFG-02.3

CFG-02.4: Development & Test Environment Configurations

No policies mapped to CFG-02.4

CFG-02.5: Configure Systems, Components or Services for High-Risk Areas

No policies mapped to CFG-02.5

CFG-02.6: Network Device Configuration File Synchronization

No policies mapped to CFG-02.6

CFG-02.7: Approved Configuration Deviations

No policies mapped to CFG-02.7

CFG-02.8: Respond To Unauthorized Changes

No policies mapped to CFG-02.8

CFG-02.9: Baseline Tailoring

No policies mapped to CFG-02.9

CFG-03: Least Functionality

No policies mapped to CFG-03

CFG-03.1: Periodic Review

No policies mapped to CFG-03.1

CFG-03.2: Prevent Unauthorized Software Execution

No policies mapped to CFG-03.2

CFG-03.3: Explicitly Allow / Deny Applications

No policies mapped to CFG-03.3

CFG-03.4: Split Tunneling

No policies mapped to CFG-03.4

CFG-04: Software Usage Restrictions

No policies mapped to CFG-04

CFG-04.1: Open Source Software

No policies mapped to CFG-04.1

CFG-04.2: Unsupported Internet Browsers & Email Clients

No policies mapped to CFG-04.2

CFG-05: User-Installed Software

No policies mapped to CFG-05

CFG-05.1: Unauthorized Installation Alerts

No policies mapped to CFG-05.1

CFG-05.2: Restrict Roles Permitted To Install Software

No policies mapped to CFG-05.2

CFG-06: Configuration Enforcement

No policies mapped to CFG-06

CFG-06.1: Integrity Assurance & Enforcement (IAE)

No policies mapped to CFG-06.1

CFG-07: Zero-Touch Provisioning (ZTP)

No policies mapped to CFG-07

CFG-08: Sensitive / Regulated Data Access Enforcement

No policies mapped to CFG-08

CFG-08.1: Sensitive / Regulated Data Actions

No policies mapped to CFG-08.1

Continuous Monitoring 1/66

MON-01: Continuous Monitoring 1 policy

MON-01.1: Intrusion Detection & Prevention Systems (IDS & IPS)

No policies mapped to MON-01.1

MON-01.2: Automated Tools for Real-Time Analysis

No policies mapped to MON-01.2

MON-01.3: Inbound & Outbound Communications Traffic

No policies mapped to MON-01.3

MON-01.4: System Generated Alerts

No policies mapped to MON-01.4

MON-01.5: Wireless Intrusion Detection System (WIDS)

No policies mapped to MON-01.5

MON-01.6: Host-Based Devices

No policies mapped to MON-01.6

MON-01.7: File Integrity Monitoring (FIM)

No policies mapped to MON-01.7

MON-01.8: Reviews & Updates

No policies mapped to MON-01.8

MON-01.9: Proxy Logging

No policies mapped to MON-01.9

MON-01.10: Deactivated Account Activity

No policies mapped to MON-01.10

MON-01.11: Automated Response to Suspicious Events

No policies mapped to MON-01.11

MON-01.12: Automated Alerts

No policies mapped to MON-01.12

MON-01.13: Alert Threshold Tuning

No policies mapped to MON-01.13

MON-01.14: Individuals Posing Greater Risk

No policies mapped to MON-01.14

MON-01.15: Privileged User Oversight

No policies mapped to MON-01.15

MON-01.16: Analyze and Prioritize Monitoring Requirements

No policies mapped to MON-01.16

MON-01.17: Real-Time Session Monitoring

No policies mapped to MON-01.17

MON-02: Centralized Collection of Security Event Logs

No policies mapped to MON-02

MON-02.1: Correlate Monitoring Information

No policies mapped to MON-02.1

MON-02.2: Central Review & Analysis

No policies mapped to MON-02.2

MON-02.3: Integration of Scanning & Other Monitoring Information

No policies mapped to MON-02.3

MON-02.4: Correlation with Physical Monitoring

No policies mapped to MON-02.4

MON-02.5: Permitted Actions

No policies mapped to MON-02.5

MON-02.6: Audit Level Adjustments

No policies mapped to MON-02.6

MON-02.7: System-Wide / Time-Correlated Audit Trail

No policies mapped to MON-02.7

MON-02.8: Changes by Authorized Individuals

No policies mapped to MON-02.8

MON-03: Content of Event Logs

No policies mapped to MON-03

MON-03.1: Sensitive Audit Information

No policies mapped to MON-03.1

MON-03.2: Audit Trails

No policies mapped to MON-03.2

MON-03.3: Privileged Functions Logging

No policies mapped to MON-03.3

MON-03.4: Verbosity Logging for Boundary Devices

No policies mapped to MON-03.4

MON-03.5: Limit Personal Data (PD) In Audit Records

No policies mapped to MON-03.5

MON-03.6: Centralized Management of Planned Audit Record Content

No policies mapped to MON-03.6

MON-03.7: Database Logging

No policies mapped to MON-03.7

MON-04: Event Log Storage Capacity

No policies mapped to MON-04

MON-05: Response To Event Log Processing Failures

No policies mapped to MON-05

MON-05.1: Real-Time Alerts of Event Logging Failure

No policies mapped to MON-05.1

MON-05.2: Event Log Storage Capacity Alerting

No policies mapped to MON-05.2

MON-06: Monitoring Reporting

No policies mapped to MON-06

MON-06.1: Query Parameter Audits of Personal Data (PD)

No policies mapped to MON-06.1

MON-06.2: Trend Analysis Reporting

No policies mapped to MON-06.2

MON-07: Time Stamps

No policies mapped to MON-07

MON-07.1: Synchronization With Authoritative Time Source

No policies mapped to MON-07.1

MON-08: Protection of Event Logs

No policies mapped to MON-08

MON-08.1: Event Log Backup on Separate Physical Systems / Components

No policies mapped to MON-08.1

MON-08.2: Access by Subset of Privileged Users

No policies mapped to MON-08.2

MON-08.3: Cryptographic Protection of Event Log Information

No policies mapped to MON-08.3

MON-08.4: Dual Authorization for Event Log Movement

No policies mapped to MON-08.4

MON-09: Non-Repudiation

No policies mapped to MON-09

MON-09.1: Identity Binding

No policies mapped to MON-09.1

MON-10: Event Log Retention

No policies mapped to MON-10

MON-11: Monitoring For Information Disclosure

No policies mapped to MON-11

MON-11.1: Analyze Traffic for Covert Exfiltration

No policies mapped to MON-11.1

MON-11.2: Unauthorized Network Services

No policies mapped to MON-11.2

MON-11.3: Monitoring for Indicators of Compromise (IOC)

No policies mapped to MON-11.3

MON-12: Session Audit

No policies mapped to MON-12

MON-13: Alternate Event Logging Capability

No policies mapped to MON-13

MON-14: Cross-Organizational Monitoring

No policies mapped to MON-14

MON-14.1: Sharing of Event Logs

No policies mapped to MON-14.1

MON-15: Covert Channel Analysis

No policies mapped to MON-15

MON-16: Anomalous Behavior

No policies mapped to MON-16

MON-16.1: Insider Threats

No policies mapped to MON-16.1

MON-16.2: Third-Party Threats

No policies mapped to MON-16.2

MON-16.3: Unauthorized Activities

No policies mapped to MON-16.3

MON-16.4: Account Creation and Modification Logging

No policies mapped to MON-16.4

Cryptographic Protections 1/28

CRY-01: Use of Cryptographic Controls 1 policy

CRY-01.1: Alternate Physical Protection

No policies mapped to CRY-01.1

CRY-01.2: Export-Controlled Cryptography

No policies mapped to CRY-01.2

CRY-01.3: Pre/Post Transmission Handling

No policies mapped to CRY-01.3

CRY-01.4: Conceal / Randomize Communications

No policies mapped to CRY-01.4

CRY-01.5: Cryptographic Cipher Suites and Protocols Inventory

No policies mapped to CRY-01.5

CRY-02: Cryptographic Module Authentication

No policies mapped to CRY-02

CRY-03: Transmission Confidentiality

No policies mapped to CRY-03

CRY-04: Transmission Integrity

No policies mapped to CRY-04

CRY-05: Encrypting Data At Rest

No policies mapped to CRY-05

CRY-05.1: Storage Media

No policies mapped to CRY-05.1

CRY-05.2: Offline Storage

No policies mapped to CRY-05.2

CRY-05.3: Database Encryption

No policies mapped to CRY-05.3

CRY-06: Non-Console Administrative Access

No policies mapped to CRY-06

CRY-07: Wireless Access Authentication & Encryption

No policies mapped to CRY-07

CRY-08: Public Key Infrastructure (PKI)

No policies mapped to CRY-08

CRY-08.1: Availability

No policies mapped to CRY-08.1

CRY-09: Cryptographic Key Management

No policies mapped to CRY-09

CRY-09.1: Symmetric Keys

No policies mapped to CRY-09.1

CRY-09.2: Asymmetric Keys

No policies mapped to CRY-09.2

CRY-09.3: Cryptographic Key Loss or Change

No policies mapped to CRY-09.3

CRY-09.4: Control & Distribution of Cryptographic Keys

No policies mapped to CRY-09.4

CRY-09.5: Assigned Owners

No policies mapped to CRY-09.5

CRY-09.6: Third-Party Cryptographic Keys

No policies mapped to CRY-09.6

CRY-09.7: External System Cryptographic Key Control

No policies mapped to CRY-09.7

CRY-10: Transmission of Cybersecurity & Data Privacy Attributes

No policies mapped to CRY-10

CRY-11: Certificate Authorities

No policies mapped to CRY-11

CRY-12: Certificate Monitoring

No policies mapped to CRY-12

Data Classification & Handling 3/85

DCH-01.1: Data Stewardship

No policies mapped to DCH-01.1

DCH-01.2: Sensitive / Regulated Data Protection

No policies mapped to DCH-01.2

DCH-01.3: Sensitive / Regulated Media Records

No policies mapped to DCH-01.3

DCH-01.4: Defining Access Authorizations for Sensitive/Regulated Data

No policies mapped to DCH-01.4

DCH-02: Data & Asset Classification 1 policy

DCH-02.1: Highest Classification Level

No policies mapped to DCH-02.1

DCH-03: Media Access

No policies mapped to DCH-03

DCH-03.1: Disclosure of Information

No policies mapped to DCH-03.1

DCH-03.2: Masking Displayed Data

No policies mapped to DCH-03.2

DCH-03.3: Controlled Release

No policies mapped to DCH-03.3

DCH-04: Media Marking

No policies mapped to DCH-04

DCH-04.1: Automated Marking

No policies mapped to DCH-04.1

DCH-05: Cybersecurity & Data Privacy Attributes

No policies mapped to DCH-05

DCH-05.1: Dynamic Attribute Association

No policies mapped to DCH-05.1

DCH-05.2: Attribute Value Changes By Authorized Individuals

No policies mapped to DCH-05.2

DCH-05.3: Maintenance of Attribute Associations By System

No policies mapped to DCH-05.3

DCH-05.4: Association of Attributes By Authorized Individuals

No policies mapped to DCH-05.4

DCH-05.5: Attribute Displays for Output Devices

No policies mapped to DCH-05.5

DCH-05.6: Data Subject Attribute Associations

No policies mapped to DCH-05.6

DCH-05.7: Consistent Attribute Interpretation

No policies mapped to DCH-05.7

DCH-05.8: Identity Association Techniques & Technologies

No policies mapped to DCH-05.8

DCH-05.9: Attribute Reassignment

No policies mapped to DCH-05.9

DCH-05.10: Attribute Configuration By Authorized Individuals

No policies mapped to DCH-05.10

DCH-05.11: Audit Changes

No policies mapped to DCH-05.11

DCH-06: Media Storage 1 policy

DCH-06.1: Physically Secure All Media

No policies mapped to DCH-06.1

DCH-06.2: Sensitive Data Inventories

No policies mapped to DCH-06.2

DCH-06.3: Periodic Scans for Sensitive Data

No policies mapped to DCH-06.3

DCH-06.4: Making Sensitive Data Unreadable In Storage

No policies mapped to DCH-06.4

DCH-06.5: Storing Authentication Data

No policies mapped to DCH-06.5

DCH-07: Media Transportation

No policies mapped to DCH-07

DCH-07.1: Custodians

No policies mapped to DCH-07.1

DCH-07.2: Encrypting Data In Storage Media

No policies mapped to DCH-07.2

DCH-08: Physical Media Disposal

No policies mapped to DCH-08

DCH-09: System Media Sanitization

No policies mapped to DCH-09

DCH-09.1: System Media Sanitization Documentation

No policies mapped to DCH-09.1

DCH-09.2: Equipment Testing

No policies mapped to DCH-09.2

DCH-09.3: Sanitization of Personal Data (PD)

No policies mapped to DCH-09.3

DCH-09.4: First Time Use Sanitization

No policies mapped to DCH-09.4

DCH-09.5: Dual Authorization for Sensitive Data Destruction

No policies mapped to DCH-09.5

DCH-10: Media Use

No policies mapped to DCH-10

DCH-10.1: Limitations on Use

No policies mapped to DCH-10.1

DCH-10.2: Prohibit Use Without Owner

No policies mapped to DCH-10.2

DCH-11: Data Reclassification

No policies mapped to DCH-11

DCH-12: Removable Media Security

No policies mapped to DCH-12

DCH-13: Use of External Information Systems

No policies mapped to DCH-13

DCH-13.1: Limits of Authorized Use

No policies mapped to DCH-13.1

DCH-13.2: Portable Storage Devices

No policies mapped to DCH-13.2

DCH-13.3: Protecting Sensitive Data on External Systems

No policies mapped to DCH-13.3

DCH-13.4: Non-Organizationally Owned Systems / Components / Devices

No policies mapped to DCH-13.4

DCH-14: Information Sharing

No policies mapped to DCH-14

DCH-14.1: Information Search & Retrieval

No policies mapped to DCH-14.1

DCH-14.2: Transfer Authorizations

No policies mapped to DCH-14.2

DCH-14.3: Data Access Mapping

No policies mapped to DCH-14.3

DCH-15: Publicly Accessible Content

No policies mapped to DCH-15

DCH-16: Data Mining Protection

No policies mapped to DCH-16

DCH-17: Ad-Hoc Transfers

No policies mapped to DCH-17

DCH-18: Media & Data Retention

No policies mapped to DCH-18

DCH-18.1: Minimize Sensitive & Regulated Data

No policies mapped to DCH-18.1

DCH-18.2: Limit Personal Data (PD) Elements In Testing, Training & Research

No policies mapped to DCH-18.2

DCH-18.3: Temporary Files Containing Personal Data (PD)

No policies mapped to DCH-18.3

DCH-19: Geographic Location of Data

No policies mapped to DCH-19

DCH-20: Archived Data Sets

No policies mapped to DCH-20

DCH-21: Information Disposal

No policies mapped to DCH-21

DCH-22: Data Quality Operations

No policies mapped to DCH-22

DCH-22.1: Updating & Correcting Personal Data (PD)

No policies mapped to DCH-22.1

DCH-22.2: Data Tags

No policies mapped to DCH-22.2

DCH-22.3: Primary Source Personal Data (PD) Collection

No policies mapped to DCH-22.3

DCH-23: De-Identification (Anonymization)

No policies mapped to DCH-23

DCH-23.1: De-Identify Dataset Upon Collection

No policies mapped to DCH-23.1

DCH-23.2: Archiving

No policies mapped to DCH-23.2

DCH-23.3: Release

No policies mapped to DCH-23.3

DCH-23.4: Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers

No policies mapped to DCH-23.4

DCH-23.5: Statistical Disclosure Control

No policies mapped to DCH-23.5

DCH-23.6: Differential Data Privacy

No policies mapped to DCH-23.6

DCH-23.7: Automated De-Identification of Sensitive Data

No policies mapped to DCH-23.7

DCH-23.8: Motivated Intruder

No policies mapped to DCH-23.8

DCH-23.9: Code Names

No policies mapped to DCH-23.9

DCH-24: Information Location

No policies mapped to DCH-24

DCH-24.1: Automated Tools to Support Information Location

No policies mapped to DCH-24.1

DCH-25: Transfer of Sensitive and/or Regulated Data

No policies mapped to DCH-25

DCH-25.1: Transfer Activity Limits

No policies mapped to DCH-25.1

DCH-26: Data Localization

No policies mapped to DCH-26

DCH-27: Data Rights Management (DRM)

No policies mapped to DCH-27

Embedded Technology 0/19

EMB-01: Embedded Technology Security Program

No policies mapped to EMB-01

EMB-02: Internet of Things (IOT)

No policies mapped to EMB-02

EMB-03: Operational Technology (OT)

No policies mapped to EMB-03

EMB-04: Interface Security

No policies mapped to EMB-04

EMB-05: Embedded Technology Configuration Monitoring

No policies mapped to EMB-05

EMB-06: Prevent Alterations

No policies mapped to EMB-06

EMB-07: Embedded Technology Maintenance

No policies mapped to EMB-07

EMB-08: Resilience To Outages

No policies mapped to EMB-08

EMB-09: Power Level Monitoring

No policies mapped to EMB-09

EMB-10: Embedded Technology Reviews

No policies mapped to EMB-10

EMB-11: Message Queuing Telemetry Transport (MQTT) Security

No policies mapped to EMB-11

EMB-12: Restrict Communications

No policies mapped to EMB-12

EMB-13: Authorized Communications

No policies mapped to EMB-13

EMB-14: Operating Environment Certification

No policies mapped to EMB-14

EMB-15: Safety Assessment

No policies mapped to EMB-15

EMB-16: Certificate-Based Authentication

No policies mapped to EMB-16

EMB-17: Chip-To-Cloud Security

No policies mapped to EMB-17

EMB-18: Real-Time Operating System (RTOS) Security

No policies mapped to EMB-18

EMB-19: Safe Operations

No policies mapped to EMB-19

Endpoint Security 0/45

END-01: Endpoint Security

No policies mapped to END-01

END-02: Endpoint Protection Measures

No policies mapped to END-02

END-03: Prohibit Installation Without Privileged Status

No policies mapped to END-03

END-03.1: Software Installation Alerts

No policies mapped to END-03.1

END-03.2: Governing Access Restriction for Change

No policies mapped to END-03.2

END-04: Malicious Code Protection (Anti-Malware)

No policies mapped to END-04

END-04.1: Automatic Antimalware Signature Updates

No policies mapped to END-04.1

END-04.2: Documented Protection Measures

No policies mapped to END-04.2

END-04.3: Centralized Management of Antimalware Technologies

No policies mapped to END-04.3

END-04.4: Heuristic / Nonsignature-Based Detection

No policies mapped to END-04.4

END-04.5: Malware Protection Mechanism Testing

No policies mapped to END-04.5

END-04.6: Evolving Malware Threats

No policies mapped to END-04.6

END-04.7: Always On Protection

No policies mapped to END-04.7

END-05: Software Firewall

No policies mapped to END-05

END-06: Endpoint File Integrity Monitoring (FIM)

No policies mapped to END-06

END-06.1: Integrity Checks

No policies mapped to END-06.1

END-06.2: Endpoint Detection & Response (EDR)

No policies mapped to END-06.2

END-06.3: Automated Notifications of Integrity Violations

No policies mapped to END-06.3

END-06.4: Automated Response to Integrity Violations

No policies mapped to END-06.4

END-06.5: Boot Process Integrity

No policies mapped to END-06.5

END-06.6: Protection of Boot Firmware

No policies mapped to END-06.6

END-06.7: Binary or Machine-Executable Code

No policies mapped to END-06.7

END-07: Host Intrusion Detection and Prevention Systems (HIDS / HIPS)

No policies mapped to END-07

END-08: Phishing & Spam Protection

No policies mapped to END-08

END-08.1: Central Management

No policies mapped to END-08.1

END-08.2: Automatic Spam and Phishing Protection Updates

No policies mapped to END-08.2

END-09: Trusted Path

No policies mapped to END-09

END-10: Mobile Code

No policies mapped to END-10

END-11: Thin Nodes

No policies mapped to END-11

END-12: Port & Input / Output (I/O) Device Access

No policies mapped to END-12

END-13: Sensor Capability

No policies mapped to END-13

END-13.1: Authorized Use

No policies mapped to END-13.1

END-13.2: Notice of Collection

No policies mapped to END-13.2

END-13.3: Collection Minimization

No policies mapped to END-13.3

END-13.4: Sensor Delivery Verification

No policies mapped to END-13.4

END-14: Collaborative Computing Devices

No policies mapped to END-14

END-14.1: Disabling / Removal In Secure Work Areas

No policies mapped to END-14.1

END-14.2: Explicitly Indicate Current Participants

No policies mapped to END-14.2

END-14.3: Participant Identity Verification

No policies mapped to END-14.3

END-14.4: Participant Connection Management

No policies mapped to END-14.4

END-14.5: Malicious Link & File Protections

No policies mapped to END-14.5

END-14.6: Explicit Indication Of Use

No policies mapped to END-14.6

END-15: Hypervisor Access

No policies mapped to END-15

END-16: Restrict Access To Security Functions

No policies mapped to END-16

END-16.1: Host-Based Security Function Isolation

No policies mapped to END-16.1

Human Resources Security 7/40

HRS-01: Human Resources Security Management

No policies mapped to HRS-01

HRS-02: Position Categorization

No policies mapped to HRS-02

HRS-02.1: Users With Elevated Privileges

No policies mapped to HRS-02.1

HRS-02.2: Probationary Periods

No policies mapped to HRS-02.2

HRS-03: Defined Roles & Responsibilities

No policies mapped to HRS-03

HRS-03.1: User Awareness

No policies mapped to HRS-03.1

HRS-03.2: Competency Requirements for Security-Related Positions

No policies mapped to HRS-03.2

HRS-04: Personnel Screening 1 policy

HRS-04.1: Roles With Special Protection Measures

No policies mapped to HRS-04.1

HRS-04.2: Formal Indoctrination

No policies mapped to HRS-04.2

HRS-04.3: Citizenship Requirements

No policies mapped to HRS-04.3

HRS-04.4: Citizenship Identification

No policies mapped to HRS-04.4

HRS-05.1: Rules of Behavior 1 policy

HRS-05.2: Social Media & Social Networking Restrictions 1 policy

HRS-05.3: Use of Communications Technology 1 policy

HRS-05.4: Use of Critical Technologies 1 policy

HRS-05.5: Use of Mobile Devices 1 policy

HRS-05.6: Security-Minded Dress Code

No policies mapped to HRS-05.6

HRS-05.7: Policy Familiarization & Acknowledgement

No policies mapped to HRS-05.7

HRS-06: Access Agreements

No policies mapped to HRS-06

HRS-06.1: Confidentiality Agreements

No policies mapped to HRS-06.1

HRS-06.2: Post-Employment Obligations

No policies mapped to HRS-06.2

HRS-07: Personnel Sanctions

No policies mapped to HRS-07

HRS-07.1: Workplace Investigations

No policies mapped to HRS-07.1

HRS-08: Personnel Transfer

No policies mapped to HRS-08

HRS-09: Personnel Termination

No policies mapped to HRS-09

HRS-09.1: Asset Collection

No policies mapped to HRS-09.1

HRS-09.2: High-Risk Terminations

No policies mapped to HRS-09.2

HRS-09.3: Post-Employment Requirements

No policies mapped to HRS-09.3

HRS-09.4: Automated Employment Status Notifications

No policies mapped to HRS-09.4

HRS-10: Third-Party Personnel Security

No policies mapped to HRS-10

HRS-11: Separation of Duties (SoD)

No policies mapped to HRS-11

HRS-12: Incompatible Roles

No policies mapped to HRS-12

HRS-12.1: Two-Person Rule

No policies mapped to HRS-12.1

HRS-13: Identify Critical Skills & Gaps

No policies mapped to HRS-13

HRS-13.1: Remediate Identified Skills Deficiencies

No policies mapped to HRS-13.1

HRS-13.2: Identify Vital Cybersecurity & Data Privacy Staff

No policies mapped to HRS-13.2

HRS-13.3: Establish Redundancy for Vital Cybersecurity & Data Privacy Staff

No policies mapped to HRS-13.3

HRS-13.4: Perform Succession Planning

No policies mapped to HRS-13.4

Identification & Authentication 2/105

IAC-01: Identity & Access Management (IAM) 1 policy

IAC-01.1: Retain Access Records

No policies mapped to IAC-01.1

IAC-01.2: Authenticate, Authorize and Audit (AAA)

No policies mapped to IAC-01.2

IAC-01.3: User & Service Account Inventories

No policies mapped to IAC-01.3

IAC-02: Identification & Authentication for Organizational Users 1 policy

IAC-02.1: Group Authentication

No policies mapped to IAC-02.1

IAC-02.2: Replay-Resistant Authentication

No policies mapped to IAC-02.2

IAC-02.3: Acceptance of PIV Credentials

No policies mapped to IAC-02.3

IAC-02.4: Out-of-Band Authentication (OOBA)

No policies mapped to IAC-02.4

IAC-03: Identification & Authentication for Non-Organizational Users

No policies mapped to IAC-03

IAC-03.1: Acceptance of PIV Credentials from Other Organizations

No policies mapped to IAC-03.1

IAC-03.2: Acceptance of Third-Party Credentials

No policies mapped to IAC-03.2

IAC-03.3: Use of FICAM-Issued Profiles

No policies mapped to IAC-03.3

IAC-03.4: Disassociability

No policies mapped to IAC-03.4

IAC-03.5: Acceptance of External Authenticators

No policies mapped to IAC-03.5

IAC-04: Identification & Authentication for Devices

No policies mapped to IAC-04

IAC-04.1: Device Attestation

No policies mapped to IAC-04.1

IAC-04.2: Device Authorization Enforcement

No policies mapped to IAC-04.2

IAC-05: Identification & Authentication for Third Party Systems & Services

No policies mapped to IAC-05

IAC-05.1: Sharing Identification & Authentication Information

No policies mapped to IAC-05.1

IAC-05.2: Privileged Access by Non-Organizational Users

No policies mapped to IAC-05.2

IAC-06: Multi-Factor Authentication (MFA)

No policies mapped to IAC-06

IAC-06.1: Network Access to Privileged Accounts

No policies mapped to IAC-06.1

IAC-06.2: Network Access to Non-Privileged Accounts

No policies mapped to IAC-06.2

IAC-06.3: Local Access to Privileged Accounts

No policies mapped to IAC-06.3

IAC-06.4: Out-of-Band Multi-Factor Authentication

No policies mapped to IAC-06.4

IAC-07: User Provisioning & De-Provisioning

No policies mapped to IAC-07

IAC-07.1: Change of Roles & Duties

No policies mapped to IAC-07.1

IAC-07.2: Termination of Employment

No policies mapped to IAC-07.2

IAC-08: Role-Based Access Control (RBAC)

No policies mapped to IAC-08

IAC-09: Identifier Management (User Names)

No policies mapped to IAC-09

IAC-09.1: User Identity (ID) Management

No policies mapped to IAC-09.1

IAC-09.2: Identity User Status

No policies mapped to IAC-09.2

IAC-09.3: Dynamic Management

No policies mapped to IAC-09.3

IAC-09.4: Cross-Organization Management

No policies mapped to IAC-09.4

IAC-09.5: Privileged Account Identifiers

No policies mapped to IAC-09.5

IAC-09.6: Pairwise Pseudonymous Identifiers (PPID)

No policies mapped to IAC-09.6

IAC-10: Authenticator Management

No policies mapped to IAC-10

IAC-10.1: Password-Based Authentication

No policies mapped to IAC-10.1

IAC-10.2: PKI-Based Authentication

No policies mapped to IAC-10.2

IAC-10.3: In-Person or Trusted Third-Party Registration

No policies mapped to IAC-10.3

IAC-10.4: Automated Support For Password Strength

No policies mapped to IAC-10.4

IAC-10.5: Protection of Authenticators

No policies mapped to IAC-10.5

IAC-10.6: No Embedded Unencrypted Static Authenticators

No policies mapped to IAC-10.6

IAC-10.7: Hardware Token-Based Authentication

No policies mapped to IAC-10.7

IAC-10.8: Default Authenticators

No policies mapped to IAC-10.8

IAC-10.9: Multiple Information System Accounts

No policies mapped to IAC-10.9

IAC-10.10: Expiration of Cached Authenticators

No policies mapped to IAC-10.10

IAC-10.11: Password Managers

No policies mapped to IAC-10.11

IAC-10.12: Biometric Authentication

No policies mapped to IAC-10.12

IAC-11: Authenticator Feedback

No policies mapped to IAC-11

IAC-12: Cryptographic Module Authentication

No policies mapped to IAC-12

IAC-12.1: Hardware Security Modules (HSM)

No policies mapped to IAC-12.1

IAC-13: Adaptive Identification & Authentication

No policies mapped to IAC-13

IAC-13.1: Single Sign-On (SSO) Transparent Authentication

No policies mapped to IAC-13.1

IAC-13.2: Federated Credential Management

No policies mapped to IAC-13.2

IAC-13.3: Continuous Authentication

No policies mapped to IAC-13.3

IAC-14: Re-Authentication

No policies mapped to IAC-14

IAC-15: Account Management

No policies mapped to IAC-15

IAC-15.1: Automated System Account Management (Directory Services)

No policies mapped to IAC-15.1

IAC-15.2: Removal of Temporary / Emergency Accounts

No policies mapped to IAC-15.2

IAC-15.3: Disable Inactive Accounts

No policies mapped to IAC-15.3

IAC-15.4: Automated Audit Actions

No policies mapped to IAC-15.4

IAC-15.5: Restrictions on Shared Groups / Accounts

No policies mapped to IAC-15.5

IAC-15.6: Account Disabling for High Risk Individuals

No policies mapped to IAC-15.6

IAC-15.7: System Account Reviews

No policies mapped to IAC-15.7

IAC-15.8: Usage Conditions

No policies mapped to IAC-15.8

IAC-15.9: Emergency Accounts

No policies mapped to IAC-15.9

IAC-16: Privileged Account Management (PAM)

No policies mapped to IAC-16

IAC-16.1: Privileged Account Inventories

No policies mapped to IAC-16.1

IAC-16.2: Privileged Account Separation

No policies mapped to IAC-16.2

IAC-17: Periodic Review of Account Privileges

No policies mapped to IAC-17

IAC-18: User Responsibilities for Account Management

No policies mapped to IAC-18

IAC-19: Credential Sharing

No policies mapped to IAC-19

IAC-20: Access Enforcement

No policies mapped to IAC-20

IAC-20.1: Access To Sensitive / Regulated Data

No policies mapped to IAC-20.1

IAC-20.2: Database Access

No policies mapped to IAC-20.2

IAC-20.3: Use of Privileged Utility Programs

No policies mapped to IAC-20.3

IAC-20.4: Dedicated Administrative Machines

No policies mapped to IAC-20.4

IAC-20.5: Dual Authorization for Privileged Commands

No policies mapped to IAC-20.5

IAC-20.6: Revocation of Access Authorizations

No policies mapped to IAC-20.6

IAC-20.7: Authorized System Accounts

No policies mapped to IAC-20.7

IAC-21: Least Privilege

No policies mapped to IAC-21

IAC-21.1: Authorize Access to Security Functions

No policies mapped to IAC-21.1

IAC-21.2: Non-Privileged Access for Non-Security Functions

No policies mapped to IAC-21.2

IAC-21.3: Privileged Accounts

No policies mapped to IAC-21.3

IAC-21.4: Auditing Use of Privileged Functions

No policies mapped to IAC-21.4

IAC-21.5: Prohibit Non-Privileged Users from Executing Privileged Functions

No policies mapped to IAC-21.5

IAC-21.6: Network Access to Privileged Commands

No policies mapped to IAC-21.6

IAC-21.7: Privilege Levels for Code Execution

No policies mapped to IAC-21.7

IAC-22: Account Lockout

No policies mapped to IAC-22

IAC-23: Concurrent Session Control

No policies mapped to IAC-23

IAC-24: Session Lock

No policies mapped to IAC-24

IAC-24.1: Pattern-Hiding Displays

No policies mapped to IAC-24.1

IAC-25: Session Termination

No policies mapped to IAC-25

IAC-25.1: User-Initiated Logouts / Message Displays

No policies mapped to IAC-25.1

IAC-26: Permitted Actions Without Identification or Authorization

No policies mapped to IAC-26

IAC-27: Reference Monitor

No policies mapped to IAC-27

IAC-28: Identity Proofing (Identity Verification)

No policies mapped to IAC-28

IAC-28.1: Management Approval For New or Changed Accounts

No policies mapped to IAC-28.1

IAC-28.2: Identity Evidence

No policies mapped to IAC-28.2

IAC-28.3: Identity Evidence Validation & Verification

No policies mapped to IAC-28.3

IAC-28.4: In-Person Validation & Verification

No policies mapped to IAC-28.4

IAC-28.5: Address Confirmation

No policies mapped to IAC-28.5

IAC-29: Attribute-Based Access Control (ABAC)

No policies mapped to IAC-29

Incident Response 0/39

IRO-01: Incident Response Operations

No policies mapped to IRO-01

IRO-02: Incident Handling

No policies mapped to IRO-02

IRO-02.1: Automated Incident Handling Processes

No policies mapped to IRO-02.1

IRO-02.2: Insider Threat Response Capability

No policies mapped to IRO-02.2

IRO-02.3: Dynamic Reconfiguration

No policies mapped to IRO-02.3

IRO-02.4: Incident Classification & Prioritization

No policies mapped to IRO-02.4

IRO-02.5: Correlation with External Organizations

No policies mapped to IRO-02.5

IRO-02.6: Automatic Disabling of System

No policies mapped to IRO-02.6

IRO-03: Indicators of Compromise (IOC)

No policies mapped to IRO-03

IRO-04: Incident Response Plan (IRP)

No policies mapped to IRO-04

IRO-04.1: Data Breach

No policies mapped to IRO-04.1

IRO-04.2: IRP Update

No policies mapped to IRO-04.2

IRO-04.3: Continuous Incident Response Improvements

No policies mapped to IRO-04.3

IRO-05: Incident Response Training

No policies mapped to IRO-05

IRO-05.1: Simulated Incidents

No policies mapped to IRO-05.1

IRO-05.2: Automated Incident Response Training Environments

No policies mapped to IRO-05.2

IRO-06: Incident Response Testing

No policies mapped to IRO-06

IRO-06.1: Coordination with Related Plans

No policies mapped to IRO-06.1

IRO-07: Integrated Security Incident Response Team (ISIRT)

No policies mapped to IRO-07

IRO-08: Chain of Custody & Forensics

No policies mapped to IRO-08

IRO-09: Situational Awareness For Incidents

No policies mapped to IRO-09

IRO-09.1: Automated Tracking, Data Collection & Analysis

No policies mapped to IRO-09.1

IRO-10: Incident Stakeholder Reporting

No policies mapped to IRO-10

IRO-10.1: Automated Reporting

No policies mapped to IRO-10.1

IRO-10.2: Cyber Incident Reporting for Sensitive Data

No policies mapped to IRO-10.2

IRO-10.3: Vulnerabilities Related To Incidents

No policies mapped to IRO-10.3

IRO-10.4: Supply Chain Coordination

No policies mapped to IRO-10.4

IRO-11: Incident Reporting Assistance

No policies mapped to IRO-11

IRO-11.1: Automation Support of Availability of Information / Support

No policies mapped to IRO-11.1

IRO-11.2: Coordination With External Providers

No policies mapped to IRO-11.2

IRO-12: Information Spillage Response

No policies mapped to IRO-12

IRO-12.1: Responsible Personnel

No policies mapped to IRO-12.1

IRO-12.2: Training

No policies mapped to IRO-12.2

IRO-12.3: Post-Spill Operations

No policies mapped to IRO-12.3

IRO-12.4: Exposure to Unauthorized Personnel

No policies mapped to IRO-12.4

IRO-13: Root Cause Analysis (RCA) & Lessons Learned

No policies mapped to IRO-13

IRO-14: Regulatory & Law Enforcement Contacts

No policies mapped to IRO-14

IRO-15: Detonation Chambers (Sandboxes)

No policies mapped to IRO-15

IRO-16: Public Relations & Reputation Repair

No policies mapped to IRO-16

Information Assurance 0/15

IAO-01: Information Assurance (IA) Operations

No policies mapped to IAO-01

IAO-01.1: Assessment Boundaries

No policies mapped to IAO-01.1

IAO-02: Assessments

No policies mapped to IAO-02

IAO-02.1: Assessor Independence

No policies mapped to IAO-02.1

IAO-02.2: Specialized Assessments

No policies mapped to IAO-02.2

IAO-02.3: Third-Party Assessments

No policies mapped to IAO-02.3

IAO-02.4: Security Assessment Report (SAR)

No policies mapped to IAO-02.4

IAO-03: System Security & Privacy Plan (SSPP)

No policies mapped to IAO-03

IAO-03.1: Plan / Coordinate with Other Organizational Entities

No policies mapped to IAO-03.1

IAO-03.2: Adequate Security for Sensitive / Regulated Data In Support of Contracts

No policies mapped to IAO-03.2

IAO-04: Threat Analysis & Flaw Remediation During Development

No policies mapped to IAO-04

IAO-05: Plan of Action & Milestones (POA&M)

No policies mapped to IAO-05

IAO-05.1: Plan of Action & Milestones (POA&M) Automation

No policies mapped to IAO-05.1

IAO-06: Technical Verification

No policies mapped to IAO-06

IAO-07: Security Authorization

No policies mapped to IAO-07

Maintenance 0/28

MNT-01: Maintenance Operations

No policies mapped to MNT-01

MNT-02: Controlled Maintenance

No policies mapped to MNT-02

MNT-02.1: Automated Maintenance Activities

No policies mapped to MNT-02.1

MNT-03: Timely Maintenance

No policies mapped to MNT-03

MNT-03.1: Preventative Maintenance

No policies mapped to MNT-03.1

MNT-03.2: Predictive Maintenance

No policies mapped to MNT-03.2

MNT-03.3: Automated Support For Predictive Maintenance

No policies mapped to MNT-03.3

MNT-04: Maintenance Tools

No policies mapped to MNT-04

MNT-04.1: Inspect Tools

No policies mapped to MNT-04.1

MNT-04.2: Inspect Media

No policies mapped to MNT-04.2

MNT-04.3: Prevent Unauthorized Removal

No policies mapped to MNT-04.3

MNT-04.4: Restrict Tool Usage

No policies mapped to MNT-04.4

MNT-05: Remote Maintenance

No policies mapped to MNT-05

MNT-05.1: Auditing Remote Maintenance

No policies mapped to MNT-05.1

MNT-05.2: Remote Maintenance Notifications

No policies mapped to MNT-05.2

MNT-05.3: Remote Maintenance Cryptographic Protection

No policies mapped to MNT-05.3

MNT-05.4: Remote Maintenance Disconnect Verification

No policies mapped to MNT-05.4

MNT-05.5: Remote Maintenance Pre-Approval

No policies mapped to MNT-05.5

MNT-05.6: Remote Maintenance Comparable Security & Sanitization

No policies mapped to MNT-05.6

MNT-05.7: Separation of Maintenance Sessions

No policies mapped to MNT-05.7

MNT-06: Authorized Maintenance Personnel

No policies mapped to MNT-06

MNT-06.1: Maintenance Personnel Without Appropriate Access

No policies mapped to MNT-06.1

MNT-06.2: Non-System Related Maintenance

No policies mapped to MNT-06.2

MNT-07: Maintain Configuration Control During Maintenance

No policies mapped to MNT-07

MNT-08: Field Maintenance

No policies mapped to MNT-08

MNT-09: Off-Site Maintenance

No policies mapped to MNT-09

MNT-10: Maintenance Validation

No policies mapped to MNT-10

MNT-11: Maintenance Monitoring

No policies mapped to MNT-11

Mobile Device Management 0/11

MDM-01: Centralized Management Of Mobile Devices

No policies mapped to MDM-01

MDM-02: Access Control For Mobile Devices

No policies mapped to MDM-02

MDM-03: Full Device & Container-Based Encryption

No policies mapped to MDM-03

MDM-04: Mobile Device Tampering

No policies mapped to MDM-04

MDM-05: Remote Purging

No policies mapped to MDM-05

MDM-06: Personally-Owned Mobile Devices

No policies mapped to MDM-06

MDM-07: Organization-Owned Mobile Devices

No policies mapped to MDM-07

MDM-08: Mobile Device Data Retention Limitations

No policies mapped to MDM-08

MDM-09: Mobile Device Geofencing

No policies mapped to MDM-09

MDM-10: Separate Mobile Device Profiles

No policies mapped to MDM-10

MDM-11: Restricting Access To Authorized Devices

No policies mapped to MDM-11

Network Security 1/98

NET-01: Network Security Controls (NSC) 1 policy

NET-01.1: Zero Trust Architecture (ZTA)

No policies mapped to NET-01.1

NET-02: Layered Network Defenses

No policies mapped to NET-02

NET-02.1: Denial of Service (DoS) Protection

No policies mapped to NET-02.1

NET-02.2: Guest Networks

No policies mapped to NET-02.2

NET-02.3: Cross Domain Solution (CDS)

No policies mapped to NET-02.3

NET-03: Boundary Protection

No policies mapped to NET-03

NET-03.1: Limit Network Connections

No policies mapped to NET-03.1

NET-03.2: External Telecommunications Services

No policies mapped to NET-03.2

NET-03.3: Prevent Discovery of Internal Information

No policies mapped to NET-03.3

NET-03.4: Personal Data (PD)

No policies mapped to NET-03.4

NET-03.5: Prevent Unauthorized Exfiltration

No policies mapped to NET-03.5

NET-03.6: Dynamic Isolation & Segregation (Sandboxing)

No policies mapped to NET-03.6

NET-03.7: Isolation of Information System Components

No policies mapped to NET-03.7

NET-03.8: Separate Subnet for Connecting to Different Security Domains

No policies mapped to NET-03.8

NET-04: Data Flow Enforcement – Access Control Lists (ACLs)

No policies mapped to NET-04

NET-04.1: Deny Traffic by Default & Allow Traffic by Exception

No policies mapped to NET-04.1

NET-04.2: Object Security Attributes

No policies mapped to NET-04.2

NET-04.3: Content Check for Encrypted Data

No policies mapped to NET-04.3

NET-04.4: Embedded Data Types

No policies mapped to NET-04.4

NET-04.5: Metadata

No policies mapped to NET-04.5

NET-04.6: Human Reviews

No policies mapped to NET-04.6

NET-04.7: Policy Decision Point (PDP)

No policies mapped to NET-04.7

NET-04.8: Data Type Identifiers

No policies mapped to NET-04.8

NET-04.9: Decomposition Into Policy-Related Subcomponents

No policies mapped to NET-04.9

NET-04.10: Detection of Unsanctioned Information

No policies mapped to NET-04.10

NET-04.11: Approved Solutions

No policies mapped to NET-04.11

NET-04.12: Cross Domain Authentication

No policies mapped to NET-04.12

NET-04.13: Metadata Validation

No policies mapped to NET-04.13

NET-04.14: Application Proxy

No policies mapped to NET-04.14

NET-05: Interconnection Security Agreements (ISAs)

No policies mapped to NET-05

NET-05.1: External System Connections

No policies mapped to NET-05.1

NET-05.2: Internal System Connections

No policies mapped to NET-05.2

NET-06: Network Segmentation (macrosegementation)

No policies mapped to NET-06

NET-06.1: Security Management Subnets

No policies mapped to NET-06.1

NET-06.2: Virtual Local Area Network (VLAN) Separation

No policies mapped to NET-06.2

NET-06.3: Sensitive / Regulated Data Enclave (Secure Zone)

No policies mapped to NET-06.3

NET-06.4: Segregation From Enterprise Services

No policies mapped to NET-06.4

NET-06.5: Direct Internet Access Restrictions

No policies mapped to NET-06.5

NET-06.6: Microsegmentation

No policies mapped to NET-06.6

NET-06.7: Software Defined Networking (SDN)

No policies mapped to NET-06.7

NET-07: Network Connection Termination

No policies mapped to NET-07

NET-08: Network Intrusion Detection / Prevention Systems (NIDS / NIPS)

No policies mapped to NET-08

NET-08.1: DMZ Networks

No policies mapped to NET-08.1

NET-08.2: Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS)

No policies mapped to NET-08.2

NET-08.3: Host Containment

No policies mapped to NET-08.3

NET-08.4: Resource Containment

No policies mapped to NET-08.4

NET-09: Session Integrity

No policies mapped to NET-09

NET-09.1: Invalidate Session Identifiers at Logout

No policies mapped to NET-09.1

NET-09.2: Unique System-Generated Session Identifiers

No policies mapped to NET-09.2

NET-10: Domain Name Service (DNS) Resolution

No policies mapped to NET-10

NET-10.1: Architecture & Provisioning for Name / Address Resolution Service

No policies mapped to NET-10.1

NET-10.2: Secure Name / Address Resolution Service (Recursive or Caching Resolver)

No policies mapped to NET-10.2

NET-10.3: Sender Policy Framework (SPF)

No policies mapped to NET-10.3

NET-10.4: Domain Registrar Security

No policies mapped to NET-10.4

NET-11: Out-of-Band Channels

No policies mapped to NET-11

NET-12: Safeguarding Data Over Open Networks

No policies mapped to NET-12

NET-12.1: Wireless Link Protection

No policies mapped to NET-12.1

NET-12.2: End-User Messaging Technologies

No policies mapped to NET-12.2

NET-13: Electronic Messaging

No policies mapped to NET-13

NET-14: Remote Access

No policies mapped to NET-14

NET-14.1: Automated Monitoring & Control

No policies mapped to NET-14.1

NET-14.2: Protection of Confidentiality / Integrity Using Encryption

No policies mapped to NET-14.2

NET-14.3: Managed Access Control Points

No policies mapped to NET-14.3

NET-14.4: Remote Privileged Commands & Sensitive Data Access

No policies mapped to NET-14.4

NET-14.5: Work From Anywhere (WFA) - Telecommuting Security

No policies mapped to NET-14.5

NET-14.6: Third-Party Remote Access Governance

No policies mapped to NET-14.6

NET-14.7: Endpoint Security Validation

No policies mapped to NET-14.7

NET-14.8: Expeditious Disconnect / Disable Capability

No policies mapped to NET-14.8

NET-15: Wireless Networking

No policies mapped to NET-15

NET-15.1: Authentication & Encryption

No policies mapped to NET-15.1

NET-15.2: Disable Wireless Networking

No policies mapped to NET-15.2

NET-15.3: Restrict Configuration By Users

No policies mapped to NET-15.3

NET-15.4: Wireless Boundaries

No policies mapped to NET-15.4

NET-15.5: Rogue Wireless Detection

No policies mapped to NET-15.5

NET-16: Intranets

No policies mapped to NET-16

NET-17: Data Loss Prevention (DLP)

No policies mapped to NET-17

NET-18: DNS & Content Filtering

No policies mapped to NET-18

NET-18.1: Route Internal Traffic to Proxy Servers

No policies mapped to NET-18.1

NET-18.2: Visibility of Encrypted Communications

No policies mapped to NET-18.2

NET-18.3: Route Privileged Network Access

No policies mapped to NET-18.3

NET-18.4: Protocol Compliance Enforcement

No policies mapped to NET-18.4

NET-18.5: Domain Name Verification

No policies mapped to NET-18.5

NET-18.6: Internet Address Denylisting

No policies mapped to NET-18.6

NET-18.7: Bandwidth Control

No policies mapped to NET-18.7

NET-18.8: Authenticated Proxy

No policies mapped to NET-18.8

NET-18.9: Certificate Denylisting

No policies mapped to NET-18.9

NET-19: Content Disarm and Reconstruction (CDR)

No policies mapped to NET-19

NET-20: Email Content Protections

No policies mapped to NET-20

NET-20.1: Email Domain Reputation Protections

No policies mapped to NET-20.1

NET-20.2: Sender Denylisting

No policies mapped to NET-20.2

NET-20.3: Authenticated Received Chain (ARC)

No policies mapped to NET-20.3

NET-20.4: Domain-Based Message Authentication Reporting and Conformance (DMARC)

No policies mapped to NET-20.4

NET-20.5: User Digital Signatures for Outgoing Email

No policies mapped to NET-20.5

NET-20.6: Encryption for Outgoing Email

No policies mapped to NET-20.6

NET-20.7: Adaptive Email Protections

No policies mapped to NET-20.7

NET-20.8: Email Labeling

No policies mapped to NET-20.8

NET-20.9: User Threat Reporting

No policies mapped to NET-20.9

Physical & Environmental Security 0/49

PES-01: Physical & Environmental Protections

No policies mapped to PES-01

PES-01.1: Site Security Plan (SitePlan)

No policies mapped to PES-01.1

PES-01.2: Zone-Based Physical Security

No policies mapped to PES-01.2

PES-02: Physical Access Authorizations

No policies mapped to PES-02

PES-02.1: Role-Based Physical Access

No policies mapped to PES-02.1

PES-02.2: Dual Authorization for Physical Access

No policies mapped to PES-02.2

PES-03: Physical Access Control

No policies mapped to PES-03

PES-03.1: Controlled Ingress & Egress Points

No policies mapped to PES-03.1

PES-03.2: Lockable Physical Casings

No policies mapped to PES-03.2

PES-03.3: Physical Access Logs

No policies mapped to PES-03.3

PES-03.4: Access To Information Systems

No policies mapped to PES-03.4

PES-04: Physical Security of Offices, Rooms & Facilities

No policies mapped to PES-04

PES-04.1: Working in Secure Areas

No policies mapped to PES-04.1

PES-04.2: Searches

No policies mapped to PES-04.2

PES-04.3: Temporary Storage

No policies mapped to PES-04.3

PES-05: Monitoring Physical Access

No policies mapped to PES-05

PES-05.1: Intrusion Alarms / Surveillance Equipment

No policies mapped to PES-05.1

PES-05.2: Monitoring Physical Access To Information Systems

No policies mapped to PES-05.2

PES-06: Visitor Control

No policies mapped to PES-06

PES-06.1: Distinguish Visitors from On-Site Personnel

No policies mapped to PES-06.1

PES-06.2: Identification Requirement

No policies mapped to PES-06.2

PES-06.3: Restrict Unescorted Access

No policies mapped to PES-06.3

PES-06.4: Automated Records Management & Review

No policies mapped to PES-06.4

PES-06.5: Minimize Visitor Personal Data (PD)

No policies mapped to PES-06.5

PES-06.6: Visitor Access Revocation

No policies mapped to PES-06.6

PES-07: Supporting Utilities

No policies mapped to PES-07

PES-07.1: Automatic Voltage Controls

No policies mapped to PES-07.1

PES-07.2: Emergency Shutoff

No policies mapped to PES-07.2

PES-07.3: Emergency Power

No policies mapped to PES-07.3

PES-07.4: Emergency Lighting

No policies mapped to PES-07.4

PES-07.5: Water Damage Protection

No policies mapped to PES-07.5

PES-07.6: Automation Support for Water Damage Protection

No policies mapped to PES-07.6

PES-07.7: Redundant Cabling

No policies mapped to PES-07.7

PES-08: Fire Protection

No policies mapped to PES-08

PES-08.1: Fire Detection Devices

No policies mapped to PES-08.1

PES-08.2: Fire Suppression Devices

No policies mapped to PES-08.2

PES-09: Temperature & Humidity Controls

No policies mapped to PES-09

PES-09.1: Monitoring with Alarms / Notifications

No policies mapped to PES-09.1

PES-10: Delivery & Removal

No policies mapped to PES-10

PES-11: Alternate Work Site

No policies mapped to PES-11

PES-12: Equipment Siting & Protection

No policies mapped to PES-12

PES-12.1: Transmission Medium Security

No policies mapped to PES-12.1

PES-12.2: Access Control for Output Devices

No policies mapped to PES-12.2

PES-13: Information Leakage Due To Electromagnetic Signals Emanations

No policies mapped to PES-13

PES-14: Asset Monitoring and Tracking

No policies mapped to PES-14

PES-15: Electromagnetic Pulse (EMP) Protection

No policies mapped to PES-15

PES-16: Component Marking

No policies mapped to PES-16

PES-17: Proximity Sensor

No policies mapped to PES-17

PES-18: On-Site Client Segregation

No policies mapped to PES-18

Physical & Environmental Security 0/1

PES-08.3: Automatic Fire Suppression

No policies mapped to PES-08.3

Data Privacy 2/70

PRI-01: Data Privacy Program 1 policy

PRI-01.1: Chief Privacy Officer (CPO)

No policies mapped to PRI-01.1

PRI-01.2: Privacy Act Statements

No policies mapped to PRI-01.2

PRI-01.3: Dissemination of Data Privacy Program Information

No policies mapped to PRI-01.3

PRI-01.4: Data Protection Officer (DPO)

No policies mapped to PRI-01.4

PRI-01.5: Binding Corporate Rules (BCR)

No policies mapped to PRI-01.5

PRI-01.6: Security of Personal Data

No policies mapped to PRI-01.6

PRI-01.7: Limiting Personal Data Disclosures

No policies mapped to PRI-01.7

PRI-02: Data Privacy Notice

No policies mapped to PRI-02

PRI-02.1: Purpose Specification

No policies mapped to PRI-02.1

PRI-02.2: Automated Data Management Processes

No policies mapped to PRI-02.2

PRI-02.3: Computer Matching Agreements (CMA)

No policies mapped to PRI-02.3

PRI-02.4: System of Records Notice (SORN)

No policies mapped to PRI-02.4

PRI-02.5: System of Records Notice (SORN) Review Process

No policies mapped to PRI-02.5

PRI-02.6: Privacy Act Exemptions

No policies mapped to PRI-02.6

PRI-02.7: Real-Time or Layered Notice

No policies mapped to PRI-02.7

PRI-03: Choice & Consent 1 policy

PRI-03.1: Tailored Consent

No policies mapped to PRI-03.1

PRI-03.2: Just-In-Time Notice & Updated Consent

No policies mapped to PRI-03.2

PRI-03.3: Prohibition Of Selling or Sharing Personal Data

No policies mapped to PRI-03.3

PRI-03.4: Revoke Consent

No policies mapped to PRI-03.4

PRI-03.5: Product or Service Delivery Restrictions

No policies mapped to PRI-03.5

PRI-03.6: Authorized Agent

No policies mapped to PRI-03.6

PRI-03.7: Active Participation By Data Subjects

No policies mapped to PRI-03.7

PRI-03.8: Global Privacy Control (GPC)

No policies mapped to PRI-03.8

PRI-04: Restrict Collection To Identified Purpose

No policies mapped to PRI-04

PRI-04.1: Authority To Collect, Use, Maintain & Share Personal Data

No policies mapped to PRI-04.1

PRI-04.2: Primary Sources

No policies mapped to PRI-04.2

PRI-04.3: Identifiable Image Collection

No policies mapped to PRI-04.3

PRI-04.4: Acquired Personal Data

No policies mapped to PRI-04.4

PRI-04.5: Validate Collected Personal Data

No policies mapped to PRI-04.5

PRI-04.6: Re-Validate Collected Personal Data

No policies mapped to PRI-04.6

PRI-05: Personal Data Retention & Disposal

No policies mapped to PRI-05

PRI-05.1: Internal Use of Personal Data For Testing, Training and Research

No policies mapped to PRI-05.1

PRI-05.2: Personal Data Accuracy & Integrity

No policies mapped to PRI-05.2

PRI-05.3: Data Masking

No policies mapped to PRI-05.3

PRI-05.4: Usage Restrictions of Sensitive Personal Data

No policies mapped to PRI-05.4

PRI-05.5: Inventory of Personal Data

No policies mapped to PRI-05.5

PRI-05.6: Personal Data Inventory Automation Support

No policies mapped to PRI-05.6

PRI-05.7: Personal Data Categories

No policies mapped to PRI-05.7

PRI-06: Data Subject Access

No policies mapped to PRI-06

PRI-06.1: Correcting Inaccurate Personal Data

No policies mapped to PRI-06.1

PRI-06.2: Notice of Correction or Processing Change

No policies mapped to PRI-06.2

PRI-06.3: Appeal Adverse Decision

No policies mapped to PRI-06.3

PRI-06.4: User Feedback Management

No policies mapped to PRI-06.4

PRI-06.5: Right to Erasure

No policies mapped to PRI-06.5

PRI-06.6: Data Portability

No policies mapped to PRI-06.6

PRI-06.7: Personal Data Exportability

No policies mapped to PRI-06.7

PRI-07: Information Sharing With Third Parties

No policies mapped to PRI-07

PRI-07.1: Data Privacy Requirements for Contractors & Service Providers

No policies mapped to PRI-07.1

PRI-07.2: Joint Processing of Personal Data

No policies mapped to PRI-07.2

PRI-07.3: Obligation To Inform Third-Parties

No policies mapped to PRI-07.3

PRI-07.4: Reject Unauthorized Disclosure Requests

No policies mapped to PRI-07.4

PRI-08: Testing, Training & Monitoring

No policies mapped to PRI-08

PRI-09: Personal Data Lineage

No policies mapped to PRI-09

PRI-10: Data Quality Management

No policies mapped to PRI-10

PRI-10.1: Automation

No policies mapped to PRI-10.1

PRI-10.2: Data Analytics Bias

No policies mapped to PRI-10.2

PRI-11: Data Tagging

No policies mapped to PRI-11

PRI-12: Updating Personal Data (PD)

No policies mapped to PRI-12

PRI-13: Data Management Board

No policies mapped to PRI-13

PRI-14: Data Privacy Records & Reporting

No policies mapped to PRI-14

PRI-14.1: Accounting of Disclosures

No policies mapped to PRI-14.1

PRI-14.2: Notification of Disclosure Request To Data Subject

No policies mapped to PRI-14.2

PRI-15: Register As A Data Controller and/or Data Processor

No policies mapped to PRI-15

PRI-16: Potential Human Rights Abuses

No policies mapped to PRI-16

PRI-17: Data Subject Communications

No policies mapped to PRI-17

PRI-17.1: Conspicuous Link To Data Privacy Notice

No policies mapped to PRI-17.1

PRI-17.2: Notice of Financial Incentive

No policies mapped to PRI-17.2

PRI-18: Data Controller Communications

No policies mapped to PRI-18

Project & Resource Management 0/10

PRM-01: Cybersecurity & Data Privacy Portfolio Management

No policies mapped to PRM-01

PRM-01.1: Strategic Plan & Objectives

No policies mapped to PRM-01.1

PRM-01.2: Targeted Capability Maturity Levels

No policies mapped to PRM-01.2

PRM-02: Cybersecurity & Data Privacy Resource Management

No policies mapped to PRM-02

PRM-03: Allocation of Resources

No policies mapped to PRM-03

PRM-04: Cybersecurity & Data Privacy In Project Management

No policies mapped to PRM-04

PRM-05: Cybersecurity & Data Privacy Requirements Definition

No policies mapped to PRM-05

PRM-06: Business Process Definition

No policies mapped to PRM-06

PRM-07: Secure Development Life Cycle (SDLC) Management

No policies mapped to PRM-07

PRM-08: Manage Organizational Knowledge

No policies mapped to PRM-08

Risk Management 0/24

RSK-01: Risk Management Program

No policies mapped to RSK-01

RSK-01.1: Risk Framing

No policies mapped to RSK-01.1

RSK-01.2: Risk Management Resourcing

No policies mapped to RSK-01.2

RSK-01.3: Risk Tolerance

No policies mapped to RSK-01.3

RSK-01.4: Risk Threshold

No policies mapped to RSK-01.4

RSK-01.5: Risk Appetite

No policies mapped to RSK-01.5

RSK-02: Risk-Based Security Categorization

No policies mapped to RSK-02

RSK-02.1: Impact-Level Prioritization

No policies mapped to RSK-02.1

RSK-03: Risk Identification

No policies mapped to RSK-03

RSK-03.1: Risk Catalog

No policies mapped to RSK-03.1

RSK-04: Risk Assessment

No policies mapped to RSK-04

RSK-04.1: Risk Register

No policies mapped to RSK-04.1

RSK-05: Risk Ranking

No policies mapped to RSK-05

RSK-06: Risk Remediation

No policies mapped to RSK-06

RSK-06.1: Risk Response

No policies mapped to RSK-06.1

RSK-06.2: Compensating Countermeasures

No policies mapped to RSK-06.2

RSK-07: Risk Assessment Update

No policies mapped to RSK-07

RSK-08: Business Impact Analysis (BIA)

No policies mapped to RSK-08

RSK-09: Supply Chain Risk Management (SCRM) Plan

No policies mapped to RSK-09

RSK-09.1: Supply Chain Risk Assessment

No policies mapped to RSK-09.1

RSK-09.2: AI & Autonomous Technologies Supply Chain Impacts

No policies mapped to RSK-09.2

RSK-10: Data Protection Impact Assessment (DPIA)

No policies mapped to RSK-10

RSK-11: Risk Monitoring

No policies mapped to RSK-11

RSK-12: Risk Culture

No policies mapped to RSK-12

Secure Engineering & Architecture 0/42

SEA-01: Secure Engineering Principles

No policies mapped to SEA-01

SEA-01.1: Centralized Management of Cybersecurity & Data Privacy Controls

No policies mapped to SEA-01.1

SEA-01.2: Achieving Resilience Requirements

No policies mapped to SEA-01.2

SEA-02: Alignment With Enterprise Architecture

No policies mapped to SEA-02

SEA-02.1: Standardized Terminology

No policies mapped to SEA-02.1

SEA-02.2: Outsourcing Non-Essential Functions or Services

No policies mapped to SEA-02.2

SEA-02.3: Technical Debt Reviews

No policies mapped to SEA-02.3

SEA-03: Defense-In-Depth (DiD) Architecture

No policies mapped to SEA-03

SEA-03.1: System Partitioning

No policies mapped to SEA-03.1

SEA-03.2: Application Partitioning

No policies mapped to SEA-03.2

SEA-04: Process Isolation

No policies mapped to SEA-04

SEA-04.1: Security Function Isolation

No policies mapped to SEA-04.1

SEA-04.2: Hardware Separation

No policies mapped to SEA-04.2

SEA-04.3: Thread Separation

No policies mapped to SEA-04.3

SEA-04.4: System Privileges Isolation

No policies mapped to SEA-04.4

SEA-05: Information In Shared Resources

No policies mapped to SEA-05

SEA-06: Prevent Program Execution

No policies mapped to SEA-06

SEA-07: Predictable Failure Analysis

No policies mapped to SEA-07

SEA-07.1: Technology Lifecycle Management

No policies mapped to SEA-07.1

SEA-07.2: Fail Secure

No policies mapped to SEA-07.2

SEA-07.3: Fail Safe

No policies mapped to SEA-07.3

SEA-08: Non-Persistence

No policies mapped to SEA-08

SEA-08.1: Refresh from Trusted Sources

No policies mapped to SEA-08.1

SEA-09: Information Output Filtering

No policies mapped to SEA-09

SEA-09.1: Limit Personal Data (PD) Dissemination

No policies mapped to SEA-09.1

SEA-10: Memory Protection

No policies mapped to SEA-10

SEA-11: Honeypots

No policies mapped to SEA-11

SEA-12: Honeyclients

No policies mapped to SEA-12

SEA-13: Heterogeneity

No policies mapped to SEA-13

SEA-13.1: Virtualization Techniques

No policies mapped to SEA-13.1

SEA-14: Concealment & Misdirection

No policies mapped to SEA-14

SEA-14.1: Randomness

No policies mapped to SEA-14.1

SEA-14.2: Change Processing & Storage Locations

No policies mapped to SEA-14.2

SEA-15: Distributed Processing & Storage

No policies mapped to SEA-15

SEA-16: Non-Modifiable Executable Programs

No policies mapped to SEA-16

SEA-17: Secure Log-On Procedures

No policies mapped to SEA-17

SEA-18: System Use Notification (Logon Banner)

No policies mapped to SEA-18

SEA-18.1: Standardized Microsoft Windows Banner

No policies mapped to SEA-18.1

SEA-18.2: Truncated Banner

No policies mapped to SEA-18.2

SEA-19: Previous Logon Notification

No policies mapped to SEA-19

SEA-20: Clock Synchronization

No policies mapped to SEA-20

SEA-21: Application Container

No policies mapped to SEA-21

Security Operations 0/8

OPS-01: Operations Security

No policies mapped to OPS-01

OPS-01.1: Standardized Operating Procedures (SOP)

No policies mapped to OPS-01.1

OPS-02: Security Concept Of Operations (CONOPS)

No policies mapped to OPS-02

OPS-03: Service Delivery (Business Process Support)

No policies mapped to OPS-03

OPS-04: Security Operations Center (SOC)

No policies mapped to OPS-04

OPS-05: Secure Practices Guidelines

No policies mapped to OPS-05

OPS-06: Security Orchestration, Automation, and Response (SOAR)

No policies mapped to OPS-06

OPS-07: Shadow Information Technology Detection

No policies mapped to OPS-07

Security Awareness & Training 0/15

SAT-01: Cybersecurity & Data Privacy-Minded Workforce

No policies mapped to SAT-01

SAT-02: Cybersecurity & Data Privacy Awareness Training

No policies mapped to SAT-02

SAT-02.1: Simulated Cyber Attack Scenario Training

No policies mapped to SAT-02.1

SAT-02.2: Social Engineering & Mining

No policies mapped to SAT-02.2

SAT-03: Role-Based Cybersecurity & Data Privacy Training

No policies mapped to SAT-03

SAT-03.1: Practical Exercises

No policies mapped to SAT-03.1

SAT-03.2: Suspicious Communications & Anomalous System Behavior

No policies mapped to SAT-03.2

SAT-03.3: Sensitive Information Storage, Handling & Processing

No policies mapped to SAT-03.3

SAT-03.4: Vendor Cybersecurity & Data Privacy Training

No policies mapped to SAT-03.4

SAT-03.5: Privileged Users

No policies mapped to SAT-03.5

SAT-03.6: Cyber Threat Environment

No policies mapped to SAT-03.6

SAT-03.7: Continuing Professional Education (CPE) - Cybersecurity & Data Privacy Personnel

No policies mapped to SAT-03.7

SAT-03.8: Continuing Professional Education (CPE) - DevOps Personnel

No policies mapped to SAT-03.8

SAT-03.9: Counterintelligence Training

No policies mapped to SAT-03.9

SAT-04: Cybersecurity & Data Privacy Training Records

No policies mapped to SAT-04

Technology Development & Acquisition 0/58

TDA-01: Technology Development & Acquisition

No policies mapped to TDA-01

TDA-01.1: Product Management

No policies mapped to TDA-01.1

TDA-01.2: Integrity Mechanisms for Software / Firmware Updates

No policies mapped to TDA-01.2

TDA-01.3: Malware Testing Prior to Release

No policies mapped to TDA-01.3

TDA-01.4: DevSecOps

No policies mapped to TDA-01.4

TDA-02: Minimum Viable Product (MVP) Security Requirements

No policies mapped to TDA-02

TDA-02.1: Ports, Protocols & Services In Use

No policies mapped to TDA-02.1

TDA-02.2: Information Assurance Enabled Products

No policies mapped to TDA-02.2

TDA-02.3: Development Methods, Techniques & Processes

No policies mapped to TDA-02.3

TDA-02.4: Pre-Established Secure Configurations

No policies mapped to TDA-02.4

TDA-02.5: Identification & Justification of Ports, Protocols & Services

No policies mapped to TDA-02.5

TDA-02.6: Insecure Ports, Protocols & Services

No policies mapped to TDA-02.6

TDA-02.7: Cybersecurity & Data Privacy Representatives For Product Changes

No policies mapped to TDA-02.7

TDA-03: Commercial Off-The-Shelf (COTS) Security Solutions

No policies mapped to TDA-03

TDA-03.1: Supplier Diversity

No policies mapped to TDA-03.1

TDA-04: Documentation Requirements

No policies mapped to TDA-04

TDA-04.1: Functional Properties

No policies mapped to TDA-04.1

TDA-04.2: Software Bill of Materials (SBOM)

No policies mapped to TDA-04.2

TDA-05: Developer Architecture & Design

No policies mapped to TDA-05

TDA-05.1: Physical Diagnostic & Test Interfaces

No policies mapped to TDA-05.1

TDA-05.2: Diagnostic & Test Interface Monitoring

No policies mapped to TDA-05.2

TDA-06: Secure Coding

No policies mapped to TDA-06

TDA-06.1: Criticality Analysis

No policies mapped to TDA-06.1

TDA-06.2: Threat Modeling

No policies mapped to TDA-06.2

TDA-06.3: Software Assurance Maturity Model (SAMM)

No policies mapped to TDA-06.3

TDA-06.4: Supporting Toolchain

No policies mapped to TDA-06.4

TDA-06.5: Software Design Review

No policies mapped to TDA-06.5

TDA-07: Secure Development Environments

No policies mapped to TDA-07

TDA-08: Separation of Development, Testing and Operational Environments

No policies mapped to TDA-08

TDA-08.1: Secure Migration Practices

No policies mapped to TDA-08.1

TDA-09: Cybersecurity & Data Privacy Testing Throughout Development

No policies mapped to TDA-09

TDA-09.1: Continuous Monitoring Plan

No policies mapped to TDA-09.1

TDA-09.2: Static Code Analysis

No policies mapped to TDA-09.2

TDA-09.3: Dynamic Code Analysis

No policies mapped to TDA-09.3

TDA-09.4: Malformed Input Testing

No policies mapped to TDA-09.4

TDA-09.5: Application Penetration Testing

No policies mapped to TDA-09.5

TDA-09.6: Secure Settings By Default

No policies mapped to TDA-09.6

TDA-09.7: Manual Code Review

No policies mapped to TDA-09.7

TDA-10: Use of Live Data

No policies mapped to TDA-10

TDA-10.1: Test Data Integrity

No policies mapped to TDA-10.1

TDA-11: Product Tampering and Counterfeiting (PTC)

No policies mapped to TDA-11

TDA-11.1: Anti-Counterfeit Training

No policies mapped to TDA-11.1

TDA-11.2: Component Disposal

No policies mapped to TDA-11.2

TDA-12: Customized Development of Critical Components

No policies mapped to TDA-12

TDA-13: Developer Screening

No policies mapped to TDA-13

TDA-14: Developer Configuration Management

No policies mapped to TDA-14

TDA-14.1: Software / Firmware Integrity Verification

No policies mapped to TDA-14.1

TDA-14.2: Hardware Integrity Verification

No policies mapped to TDA-14.2

TDA-15: Developer Threat Analysis & Flaw Remediation

No policies mapped to TDA-15

TDA-16: Developer-Provided Training

No policies mapped to TDA-16

TDA-17: Unsupported Systems

No policies mapped to TDA-17

TDA-17.1: Alternate Sources for Continued Support

No policies mapped to TDA-17.1

TDA-18: Input Data Validation

No policies mapped to TDA-18

TDA-19: Error Handling

No policies mapped to TDA-19

TDA-20: Access to Program Source Code

No policies mapped to TDA-20

TDA-20.1: Software Release Integrity Verification

No policies mapped to TDA-20.1

TDA-20.2: Archiving Software Releases

No policies mapped to TDA-20.2

TDA-20.3: Software Escrow

No policies mapped to TDA-20.3

Third-Party Management 0/28

TPM-01: Third-Party Management

No policies mapped to TPM-01

TPM-01.1: Third-Party Inventories

No policies mapped to TPM-01.1

TPM-02: Third-Party Criticality Assessments

No policies mapped to TPM-02

TPM-03: Supply Chain Protection

No policies mapped to TPM-03

TPM-03.1: Acquisition Strategies, Tools & Methods

No policies mapped to TPM-03.1

TPM-03.2: Limit Potential Harm

No policies mapped to TPM-03.2

TPM-03.3: Processes To Address Weaknesses or Deficiencies

No policies mapped to TPM-03.3

TPM-03.4: Adequate Supply

No policies mapped to TPM-03.4

TPM-04: Third-Party Services

No policies mapped to TPM-04

TPM-04.1: Third-Party Risk Assessments & Approvals

No policies mapped to TPM-04.1

TPM-04.2: External Connectivity Requirements - Identification of Ports, Protocols & Services

No policies mapped to TPM-04.2

TPM-04.3: Conflict of Interests

No policies mapped to TPM-04.3

TPM-04.4: Third-Party Processing, Storage and Service Locations

No policies mapped to TPM-04.4

TPM-05: Third-Party Contract Requirements

No policies mapped to TPM-05

TPM-05.1: Security Compromise Notification Agreements

No policies mapped to TPM-05.1

TPM-05.2: Contract Flow-Down Requirements

No policies mapped to TPM-05.2

TPM-05.3: Third-Party Authentication Practices

No policies mapped to TPM-05.3

TPM-05.4: Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix

No policies mapped to TPM-05.4

TPM-05.5: Third-Party Scope Review

No policies mapped to TPM-05.5

TPM-05.6: First-Party Declaration (1PD)

No policies mapped to TPM-05.6

TPM-05.7: Break Clauses

No policies mapped to TPM-05.7

TPM-05.8: Third-Party Attestation (3PA)

No policies mapped to TPM-05.8

TPM-06: Third-Party Personnel Security

No policies mapped to TPM-06

TPM-07: Monitoring for Third-Party Information Disclosure

No policies mapped to TPM-07

TPM-08: Review of Third-Party Services

No policies mapped to TPM-08

TPM-09: Third-Party Deficiency Remediation

No policies mapped to TPM-09

TPM-10: Managing Changes To Third-Party Services

No policies mapped to TPM-10

TPM-11: Third-Party Incident Response & Recovery Capabilities

No policies mapped to TPM-11

Threat Management 0/12

THR-01: Threat Intelligence Program

No policies mapped to THR-01

THR-02: Indicators of Exposure (IOE)

No policies mapped to THR-02

THR-03: Threat Intelligence Feeds

No policies mapped to THR-03

THR-03.1: Threat Intelligence Reporting

No policies mapped to THR-03.1

THR-04: Insider Threat Program

No policies mapped to THR-04

THR-05: Insider Threat Awareness

No policies mapped to THR-05

THR-06: Vulnerability Disclosure Program (VDP)

No policies mapped to THR-06

THR-07: Threat Hunting

No policies mapped to THR-07

THR-08: Tainting

No policies mapped to THR-08

THR-09: Threat Catalog

No policies mapped to THR-09

THR-10: Threat Analysis

No policies mapped to THR-10

THR-11: Behavioral Baselining

No policies mapped to THR-11

Vulnerability & Patch Management 0/29

VPM-01: Vulnerability & Patch Management Program (VPMP)

No policies mapped to VPM-01

VPM-01.1: Attack Surface Scope

No policies mapped to VPM-01.1

VPM-02: Vulnerability Remediation Process

No policies mapped to VPM-02

VPM-03: Vulnerability Ranking

No policies mapped to VPM-03

VPM-03.1: Vulnerability Exploitation Analysis

No policies mapped to VPM-03.1

VPM-04: Continuous Vulnerability Remediation Activities

No policies mapped to VPM-04

VPM-04.1: Stable Versions

No policies mapped to VPM-04.1

VPM-04.2: Flaw Remediation with Personal Data (PD)

No policies mapped to VPM-04.2

VPM-05: Software & Firmware Patching

No policies mapped to VPM-05

VPM-05.1: Centralized Management of Flaw Remediation Processes

No policies mapped to VPM-05.1

VPM-05.2: Automated Remediation Status

No policies mapped to VPM-05.2

VPM-05.3: Time To Remediate / Benchmarks For Corrective Action

No policies mapped to VPM-05.3

VPM-05.4: Automated Software & Firmware Updates

No policies mapped to VPM-05.4

VPM-05.5: Removal of Previous Versions

No policies mapped to VPM-05.5

VPM-06: Vulnerability Scanning

No policies mapped to VPM-06

VPM-06.1: Update Tool Capability

No policies mapped to VPM-06.1

VPM-06.2: Breadth / Depth of Coverage

No policies mapped to VPM-06.2

VPM-06.3: Privileged Access

No policies mapped to VPM-06.3

VPM-06.4: Trend Analysis

No policies mapped to VPM-06.4

VPM-06.5: Review Historical event logs

No policies mapped to VPM-06.5

VPM-06.6: External Vulnerability Assessment Scans

No policies mapped to VPM-06.6

VPM-06.7: Internal Vulnerability Assessment Scans

No policies mapped to VPM-06.7

VPM-06.8: Acceptable Discoverable Information

No policies mapped to VPM-06.8

VPM-06.9: Correlate Scanning Information

No policies mapped to VPM-06.9

VPM-07: Penetration Testing

No policies mapped to VPM-07

VPM-07.1: Independent Penetration Agent or Team

No policies mapped to VPM-07.1

VPM-08: Technical Surveillance Countermeasures Security

No policies mapped to VPM-08

VPM-09: Reviewing Vulnerability Scanner Usage

No policies mapped to VPM-09

VPM-10: Red Team Exercises

No policies mapped to VPM-10

Web Security 0/15

WEB-01: Web Security

No policies mapped to WEB-01

WEB-01.1: Unauthorized Code

No policies mapped to WEB-01.1

WEB-02: Use of Demilitarized Zones (DMZ)

No policies mapped to WEB-02

WEB-03: Web Application Firewall (WAF)

No policies mapped to WEB-03

WEB-04: Client-Facing Web Services

No policies mapped to WEB-04

WEB-05: Cookie Management

No policies mapped to WEB-05

WEB-06: Strong Customer Authentication (SCA)

No policies mapped to WEB-06

WEB-07: Web Security Standard

No policies mapped to WEB-07

WEB-08: Web Application Framework

No policies mapped to WEB-08

WEB-09: Validation & Sanitization

No policies mapped to WEB-09

WEB-10: Secure Web Traffic

No policies mapped to WEB-10

WEB-11: Output Encoding

No policies mapped to WEB-11

WEB-12: Web Browser Security

No policies mapped to WEB-12

WEB-13: Website Change Detection

No policies mapped to WEB-13

WEB-14: Publicly Accessible Content Reviews

No policies mapped to WEB-14