Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
NIST SP 800-53 Full Control List
| Num. | Title | Impact | Priority | Subject Area |
|---|---|---|---|---|
| AC-1 | ACCESS CONTROL POLICY AND PROCEDURES | LOW | P1 | Access Control |
| AC-2 | ACCOUNT MANAGEMENT | LOW | P1 | Access Control |
| AC-3 | ACCESS ENFORCEMENT | LOW | P1 | Access Control |
| AC-4 | INFORMATION FLOW ENFORCEMENT | MODERATE | P1 | Access Control |
| AC-5 | SEPARATION OF DUTIES | MODERATE | P1 | Access Control |
| AC-6 | LEAST PRIVILEGE | MODERATE | P1 | Access Control |
| AC-7 | UNSUCCESSFUL LOGON ATTEMPTS | LOW | P2 | Access Control |
| AC-8 | SYSTEM USE NOTIFICATION | LOW | P1 | Access Control |
| AC-9 | PREVIOUS LOGON (ACCESS) NOTIFICATION | P0 | Access Control | |
| AC-10 | CONCURRENT SESSION CONTROL | HIGH | P3 | Access Control |
| AC-11 | SESSION LOCK | MODERATE | P3 | Access Control |
| AC-12 | SESSION TERMINATION | MODERATE | P2 | Access Control |
| AC-13 | SUPERVISION AND REVIEW � ACCESS CONTROL | Access Control | ||
| AC-14 | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | LOW | P3 | Access Control |
| AC-15 | AUTOMATED MARKING | Access Control | ||
| AC-16 | SECURITY ATTRIBUTES | P0 | Access Control | |
| AC-17 | REMOTE ACCESS | LOW | P1 | Access Control |
| AC-18 | WIRELESS ACCESS | LOW | P1 | Access Control |
| AC-19 | ACCESS CONTROL FOR MOBILE DEVICES | LOW | P1 | Access Control |
| AC-20 | USE OF EXTERNAL INFORMATION SYSTEMS | LOW | P1 | Access Control |
| AC-21 | INFORMATION SHARING | MODERATE | P2 | Access Control |
| AC-22 | PUBLICLY ACCESSIBLE CONTENT | LOW | P3 | Access Control |
| AC-23 | DATA MINING PROTECTION | P0 | Access Control | |
| AC-24 | ACCESS CONTROL DECISIONS | P0 | Access Control | |
| AC-25 | REFERENCE MONITOR | P0 | Access Control | |
| AT-1 | SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES | LOW | P1 | Awareness And Training |
| AT-2 | SECURITY AWARENESS TRAINING | LOW | P1 | Awareness And Training |
| AT-3 | ROLE-BASED SECURITY TRAINING | LOW | P1 | Awareness And Training |
| AT-4 | SECURITY TRAINING RECORDS | LOW | P3 | Awareness And Training |
| AT-5 | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS | Awareness And Training | ||
| AU-1 | AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES | LOW | P1 | Audit And Accountability |
| AU-2 | AUDIT EVENTS | LOW | P1 | Audit And Accountability |
| AU-3 | CONTENT OF AUDIT RECORDS | LOW | P1 | Audit And Accountability |
| AU-4 | AUDIT STORAGE CAPACITY | LOW | P1 | Audit And Accountability |
| AU-5 | RESPONSE TO AUDIT PROCESSING FAILURES | LOW | P1 | Audit And Accountability |
| AU-6 | AUDIT REVIEW, ANALYSIS, AND REPORTING | LOW | P1 | Audit And Accountability |
| AU-7 | AUDIT REDUCTION AND REPORT GENERATION | MODERATE | P2 | Audit And Accountability |
| AU-8 | TIME STAMPS | LOW | P1 | Audit And Accountability |
| AU-9 | PROTECTION OF AUDIT INFORMATION | LOW | P1 | Audit And Accountability |
| AU-10 | NON-REPUDIATION | HIGH | P2 | Audit And Accountability |
| AU-11 | AUDIT RECORD RETENTION | LOW | P3 | Audit And Accountability |
| AU-12 | AUDIT GENERATION | LOW | P1 | Audit And Accountability |
| AU-13 | MONITORING FOR INFORMATION DISCLOSURE | P0 | Audit And Accountability | |
| AU-14 | SESSION AUDIT | P0 | Audit And Accountability | |
| AU-15 | ALTERNATE AUDIT CAPABILITY | P0 | Audit And Accountability | |
| AU-16 | CROSS-ORGANIZATIONAL AUDITING | P0 | Audit And Accountability | |
| CA-1 | SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES | LOW | P1 | Security Assessment And Authorization |
| CA-2 | SECURITY ASSESSMENTS | LOW | P2 | Security Assessment And Authorization |
| CA-3 | SYSTEM INTERCONNECTIONS | LOW | P1 | Security Assessment And Authorization |
| CA-4 | SECURITY CERTIFICATION | Security Assessment And Authorization | ||
| CA-5 | PLAN OF ACTION AND MILESTONES | LOW | P3 | Security Assessment And Authorization |
| CA-6 | SECURITY AUTHORIZATION | LOW | P2 | Security Assessment And Authorization |
| CA-7 | CONTINUOUS MONITORING | LOW | P2 | Security Assessment And Authorization |
| CA-8 | PENETRATION TESTING | HIGH | P2 | Security Assessment And Authorization |
| CA-9 | INTERNAL SYSTEM CONNECTIONS | LOW | P2 | Security Assessment And Authorization |
| CM-1 | CONFIGURATION MANAGEMENT POLICY AND PROCEDURES | LOW | P1 | Configuration Management |
| CM-2 | BASELINE CONFIGURATION | LOW | P1 | Configuration Management |
| CM-3 | CONFIGURATION CHANGE CONTROL | MODERATE | P1 | Configuration Management |
| CM-4 | SECURITY IMPACT ANALYSIS | LOW | P2 | Configuration Management |
| CM-5 | ACCESS RESTRICTIONS FOR CHANGE | MODERATE | P1 | Configuration Management |
| CM-6 | CONFIGURATION SETTINGS | LOW | P1 | Configuration Management |
| CM-7 | LEAST FUNCTIONALITY | LOW | P1 | Configuration Management |
| CM-8 | INFORMATION SYSTEM COMPONENT INVENTORY | LOW | P1 | Configuration Management |
| CM-9 | CONFIGURATION MANAGEMENT PLAN | MODERATE | P1 | Configuration Management |
| CM-10 | SOFTWARE USAGE RESTRICTIONS | LOW | P2 | Configuration Management |
| CM-11 | USER-INSTALLED SOFTWARE | LOW | P1 | Configuration Management |
| CP-1 | CONTINGENCY PLANNING POLICY AND PROCEDURES | LOW | P1 | Contingency Planning |
| CP-2 | CONTINGENCY PLAN | LOW | P1 | Contingency Planning |
| CP-3 | CONTINGENCY TRAINING | LOW | P2 | Contingency Planning |
| CP-4 | CONTINGENCY PLAN TESTING | LOW | P2 | Contingency Planning |
| CP-5 | CONTINGENCY PLAN UPDATE | Contingency Planning | ||
| CP-6 | ALTERNATE STORAGE SITE | MODERATE | P1 | Contingency Planning |
| CP-7 | ALTERNATE PROCESSING SITE | MODERATE | P1 | Contingency Planning |
| CP-8 | TELECOMMUNICATIONS SERVICES | MODERATE | P1 | Contingency Planning |
| CP-9 | INFORMATION SYSTEM BACKUP | LOW | P1 | Contingency Planning |
| CP-10 | INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | LOW | P1 | Contingency Planning |
| CP-11 | ALTERNATE COMMUNICATIONS PROTOCOLS | P0 | Contingency Planning | |
| CP-12 | SAFE MODE | P0 | Contingency Planning | |
| CP-13 | ALTERNATIVE SECURITY MECHANISMS | P0 | Contingency Planning | |
| IA-1 | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES | LOW | P1 | Identification And Authentication |
| IA-2 | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOW | P1 | Identification And Authentication |
| IA-3 | DEVICE IDENTIFICATION AND AUTHENTICATION | MODERATE | P1 | Identification And Authentication |
| IA-4 | IDENTIFIER MANAGEMENT | LOW | P1 | Identification And Authentication |
| IA-5 | AUTHENTICATOR MANAGEMENT | LOW | P1 | Identification And Authentication |
| IA-6 | AUTHENTICATOR FEEDBACK | LOW | P2 | Identification And Authentication |
| IA-7 | CRYPTOGRAPHIC MODULE AUTHENTICATION | LOW | P1 | Identification And Authentication |
| IA-8 | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | LOW | P1 | Identification And Authentication |
| IA-9 | SERVICE IDENTIFICATION AND AUTHENTICATION | P0 | Identification And Authentication | |
| IA-10 | ADAPTIVE IDENTIFICATION AND AUTHENTICATION | P0 | Identification And Authentication | |
| IA-11 | RE-AUTHENTICATION | P0 | Identification And Authentication | |
| IR-1 | INCIDENT RESPONSE POLICY AND PROCEDURES | LOW | P1 | Incident Response |
| IR-2 | INCIDENT RESPONSE TRAINING | LOW | P2 | Incident Response |
| IR-3 | INCIDENT RESPONSE TESTING | MODERATE | P2 | Incident Response |
| IR-4 | INCIDENT HANDLING | LOW | P1 | Incident Response |
| IR-5 | INCIDENT MONITORING | LOW | P1 | Incident Response |
| IR-6 | INCIDENT REPORTING | LOW | P1 | Incident Response |
| IR-7 | INCIDENT RESPONSE ASSISTANCE | LOW | P2 | Incident Response |
| IR-8 | INCIDENT RESPONSE PLAN | LOW | P1 | Incident Response |
| IR-9 | INFORMATION SPILLAGE RESPONSE | P0 | Incident Response | |
| IR-10 | INTEGRATED INFORMATION SECURITY ANALYSIS TEAM | P0 | Incident Response | |
| MA-1 | SYSTEM MAINTENANCE POLICY AND PROCEDURES | LOW | P1 | Maintenance |
| MA-2 | CONTROLLED MAINTENANCE | LOW | P2 | Maintenance |
| MA-3 | MAINTENANCE TOOLS | MODERATE | P3 | Maintenance |
| MA-4 | NONLOCAL MAINTENANCE | LOW | P2 | Maintenance |
| MA-5 | MAINTENANCE PERSONNEL | LOW | P2 | Maintenance |
| MA-6 | TIMELY MAINTENANCE | MODERATE | P2 | Maintenance |
| MP-1 | MEDIA PROTECTION POLICY AND PROCEDURES | LOW | P1 | Media Protection |
| MP-2 | MEDIA ACCESS | LOW | P1 | Media Protection |
| MP-3 | MEDIA MARKING | MODERATE | P2 | Media Protection |
| MP-4 | MEDIA STORAGE | MODERATE | P1 | Media Protection |
| MP-5 | MEDIA TRANSPORT | MODERATE | P1 | Media Protection |
| MP-6 | MEDIA SANITIZATION | LOW | P1 | Media Protection |
| MP-7 | MEDIA USE | LOW | P1 | Media Protection |
| MP-8 | MEDIA DOWNGRADING | P0 | Media Protection | |
| PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES | LOW | P1 | Physical And Environmental Protection |
| PE-2 | PHYSICAL ACCESS AUTHORIZATIONS | LOW | P1 | Physical And Environmental Protection |
| PE-3 | PHYSICAL ACCESS CONTROL | LOW | P1 | Physical And Environmental Protection |
| PE-4 | ACCESS CONTROL FOR TRANSMISSION MEDIUM | MODERATE | P1 | Physical And Environmental Protection |
| PE-5 | ACCESS CONTROL FOR OUTPUT DEVICES | MODERATE | P2 | Physical And Environmental Protection |
| PE-6 | MONITORING PHYSICAL ACCESS | LOW | P1 | Physical And Environmental Protection |
| PE-7 | VISITOR CONTROL | Physical And Environmental Protection | ||
| PE-8 | VISITOR ACCESS RECORDS | LOW | P3 | Physical And Environmental Protection |
| PE-9 | POWER EQUIPMENT AND CABLING | MODERATE | P1 | Physical And Environmental Protection |
| PE-10 | EMERGENCY SHUTOFF | MODERATE | P1 | Physical And Environmental Protection |
| PE-11 | EMERGENCY POWER | MODERATE | P1 | Physical And Environmental Protection |
| PE-12 | EMERGENCY LIGHTING | LOW | P1 | Physical And Environmental Protection |
| PE-13 | FIRE PROTECTION | LOW | P1 | Physical And Environmental Protection |
| PE-14 | TEMPERATURE AND HUMIDITY CONTROLS | LOW | P1 | Physical And Environmental Protection |
| PE-15 | WATER DAMAGE PROTECTION | LOW | P1 | Physical And Environmental Protection |
| PE-16 | DELIVERY AND REMOVAL | LOW | P2 | Physical And Environmental Protection |
| PE-17 | ALTERNATE WORK SITE | MODERATE | P2 | Physical And Environmental Protection |
| PE-18 | LOCATION OF INFORMATION SYSTEM COMPONENTS | HIGH | P3 | Physical And Environmental Protection |
| PE-19 | INFORMATION LEAKAGE | P0 | Physical And Environmental Protection | |
| PE-20 | ASSET MONITORING AND TRACKING | P0 | Physical And Environmental Protection | |
| PL-1 | SECURITY PLANNING POLICY AND PROCEDURES | LOW | P1 | Planning |
| PL-2 | SYSTEM SECURITY PLAN | LOW | P1 | Planning |
| PL-3 | SYSTEM SECURITY PLAN UPDATE | Planning | ||
| PL-4 | RULES OF BEHAVIOR | LOW | P2 | Planning |
| PL-5 | PRIVACY IMPACT ASSESSMENT | Planning | ||
| PL-6 | SECURITY-RELATED ACTIVITY PLANNING | Planning | ||
| PL-7 | SECURITY CONCEPT OF OPERATIONS | P0 | Planning | |
| PL-8 | INFORMATION SECURITY ARCHITECTURE | MODERATE | P1 | Planning |
| PL-9 | CENTRAL MANAGEMENT | P0 | Planning | |
| PS-1 | PERSONNEL SECURITY POLICY AND PROCEDURES | LOW | P1 | Personnel Security |
| PS-2 | POSITION RISK DESIGNATION | LOW | P1 | Personnel Security |
| PS-3 | PERSONNEL SCREENING | LOW | P1 | Personnel Security |
| PS-4 | PERSONNEL TERMINATION | LOW | P1 | Personnel Security |
| PS-5 | PERSONNEL TRANSFER | LOW | P2 | Personnel Security |
| PS-6 | ACCESS AGREEMENTS | LOW | P3 | Personnel Security |
| PS-7 | THIRD-PARTY PERSONNEL SECURITY | LOW | P1 | Personnel Security |
| PS-8 | PERSONNEL SANCTIONS | LOW | P3 | Personnel Security |
| RA-1 | RISK ASSESSMENT POLICY AND PROCEDURES | LOW | P1 | Risk Assessment |
| RA-2 | SECURITY CATEGORIZATION | LOW | P1 | Risk Assessment |
| RA-3 | RISK ASSESSMENT | LOW | P1 | Risk Assessment |
| RA-4 | RISK ASSESSMENT UPDATE | Risk Assessment | ||
| RA-5 | VULNERABILITY SCANNING | LOW | P1 | Risk Assessment |
| RA-6 | TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY | P0 | Risk Assessment | |
| SA-1 | SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES | LOW | P1 | System And Services Acquisition |
| SA-2 | ALLOCATION OF RESOURCES | LOW | P1 | System And Services Acquisition |
| SA-3 | SYSTEM DEVELOPMENT LIFE CYCLE | LOW | P1 | System And Services Acquisition |
| SA-4 | ACQUISITION PROCESS | LOW | P1 | System And Services Acquisition |
| SA-5 | INFORMATION SYSTEM DOCUMENTATION | LOW | P2 | System And Services Acquisition |
| SA-6 | SOFTWARE USAGE RESTRICTIONS | System And Services Acquisition | ||
| SA-7 | USER-INSTALLED SOFTWARE | System And Services Acquisition | ||
| SA-8 | SECURITY ENGINEERING PRINCIPLES | MODERATE | P1 | System And Services Acquisition |
| SA-9 | EXTERNAL INFORMATION SYSTEM SERVICES | LOW | P1 | System And Services Acquisition |
| SA-10 | DEVELOPER CONFIGURATION MANAGEMENT | MODERATE | P1 | System And Services Acquisition |
| SA-11 | DEVELOPER SECURITY TESTING AND EVALUATION | MODERATE | P1 | System And Services Acquisition |
| SA-12 | SUPPLY CHAIN PROTECTION | HIGH | P1 | System And Services Acquisition |
| SA-13 | TRUSTWORTHINESS | P0 | System And Services Acquisition | |
| SA-14 | CRITICALITY ANALYSIS | P0 | System And Services Acquisition | |
| SA-15 | DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | HIGH | P2 | System And Services Acquisition |
| SA-16 | DEVELOPER-PROVIDED TRAINING | HIGH | P2 | System And Services Acquisition |
| SA-17 | DEVELOPER SECURITY ARCHITECTURE AND DESIGN | HIGH | P1 | System And Services Acquisition |
| SA-18 | TAMPER RESISTANCE AND DETECTION | P0 | System And Services Acquisition | |
| SA-19 | COMPONENT AUTHENTICITY | P0 | System And Services Acquisition | |
| SA-20 | CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS | P0 | System And Services Acquisition | |
| SA-21 | DEVELOPER SCREENING | P0 | System And Services Acquisition | |
| SA-22 | UNSUPPORTED SYSTEM COMPONENTS | P0 | System And Services Acquisition | |
| SC-1 | SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES | LOW | P1 | System And Communications Protection |
| SC-2 | APPLICATION PARTITIONING | MODERATE | P1 | System And Communications Protection |
| SC-3 | SECURITY FUNCTION ISOLATION | HIGH | P1 | System And Communications Protection |
| SC-4 | INFORMATION IN SHARED RESOURCES | MODERATE | P1 | System And Communications Protection |
| SC-5 | DENIAL OF SERVICE PROTECTION | LOW | P1 | System And Communications Protection |
| SC-6 | RESOURCE AVAILABILITY | P0 | System And Communications Protection | |
| SC-7 | BOUNDARY PROTECTION | LOW | P1 | System And Communications Protection |
| SC-8 | TRANSMISSION CONFIDENTIALITY AND INTEGRITY | MODERATE | P1 | System And Communications Protection |
| SC-9 | TRANSMISSION CONFIDENTIALITY | System And Communications Protection | ||
| SC-10 | NETWORK DISCONNECT | MODERATE | P2 | System And Communications Protection |
| SC-11 | TRUSTED PATH | P0 | System And Communications Protection | |
| SC-12 | CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | LOW | P1 | System And Communications Protection |
| SC-13 | CRYPTOGRAPHIC PROTECTION | LOW | P1 | System And Communications Protection |
| SC-14 | PUBLIC ACCESS PROTECTIONS | System And Communications Protection | ||
| SC-15 | COLLABORATIVE COMPUTING DEVICES | LOW | P1 | System And Communications Protection |
| SC-16 | TRANSMISSION OF SECURITY ATTRIBUTES | P0 | System And Communications Protection | |
| SC-17 | PUBLIC KEY INFRASTRUCTURE CERTIFICATES | MODERATE | P1 | System And Communications Protection |
| SC-18 | MOBILE CODE | MODERATE | P2 | System And Communications Protection |
| SC-19 | VOICE OVER INTERNET PROTOCOL | MODERATE | P1 | System And Communications Protection |
| SC-20 | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | LOW | P1 | System And Communications Protection |
| SC-21 | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) | LOW | P1 | System And Communications Protection |
| SC-22 | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE | LOW | P1 | System And Communications Protection |
| SC-23 | SESSION AUTHENTICITY | MODERATE | P1 | System And Communications Protection |
| SC-24 | FAIL IN KNOWN STATE | HIGH | P1 | System And Communications Protection |
| SC-25 | THIN NODES | P0 | System And Communications Protection | |
| SC-26 | HONEYPOTS | P0 | System And Communications Protection | |
| SC-27 | PLATFORM-INDEPENDENT APPLICATIONS | P0 | System And Communications Protection | |
| SC-28 | PROTECTION OF INFORMATION AT REST | MODERATE | P1 | System And Communications Protection |
| SC-29 | HETEROGENEITY | P0 | System And Communications Protection | |
| SC-30 | CONCEALMENT AND MISDIRECTION | P0 | System And Communications Protection | |
| SC-31 | COVERT CHANNEL ANALYSIS | P0 | System And Communications Protection | |
| SC-32 | INFORMATION SYSTEM PARTITIONING | P0 | System And Communications Protection | |
| SC-33 | TRANSMISSION PREPARATION INTEGRITY | System And Communications Protection | ||
| SC-34 | NON-MODIFIABLE EXECUTABLE PROGRAMS | P0 | System And Communications Protection | |
| SC-35 | HONEYCLIENTS | P0 | System And Communications Protection | |
| SC-36 | DISTRIBUTED PROCESSING AND STORAGE | P0 | System And Communications Protection | |
| SC-37 | OUT-OF-BAND CHANNELS | P0 | System And Communications Protection | |
| SC-38 | OPERATIONS SECURITY | P0 | System And Communications Protection | |
| SC-39 | PROCESS ISOLATION | LOW | P1 | System And Communications Protection |
| SC-40 | WIRELESS LINK PROTECTION | P0 | System And Communications Protection | |
| SC-41 | PORT AND I/O DEVICE ACCESS | P0 | System And Communications Protection | |
| SC-42 | SENSOR CAPABILITY AND DATA | P0 | System And Communications Protection | |
| SC-43 | USAGE RESTRICTIONS | P0 | System And Communications Protection | |
| SC-44 | DETONATION CHAMBERS | P0 | System And Communications Protection | |
| SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES | LOW | P1 | System And Information Integrity |
| SI-2 | FLAW REMEDIATION | LOW | P1 | System And Information Integrity |
| SI-3 | MALICIOUS CODE PROTECTION | LOW | P1 | System And Information Integrity |
| SI-4 | INFORMATION SYSTEM MONITORING | LOW | P1 | System And Information Integrity |
| SI-5 | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | LOW | P1 | System And Information Integrity |
| SI-6 | SECURITY FUNCTION VERIFICATION | HIGH | P1 | System And Information Integrity |
| SI-7 | SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | MODERATE | P1 | System And Information Integrity |
| SI-8 | SPAM PROTECTION | MODERATE | P2 | System And Information Integrity |
| SI-9 | INFORMATION INPUT RESTRICTIONS | System And Information Integrity | ||
| SI-10 | INFORMATION INPUT VALIDATION | MODERATE | P1 | System And Information Integrity |
| SI-11 | ERROR HANDLING | MODERATE | P2 | System And Information Integrity |
| SI-12 | INFORMATION HANDLING AND RETENTION | LOW | P2 | System And Information Integrity |
| SI-13 | PREDICTABLE FAILURE PREVENTION | P0 | System And Information Integrity | |
| SI-14 | NON-PERSISTENCE | P0 | System And Information Integrity | |
| SI-15 | INFORMATION OUTPUT FILTERING | P0 | System And Information Integrity | |
| SI-16 | MEMORY PROTECTION | MODERATE | P1 | System And Information Integrity |
| SI-17 | FAIL-SAFE PROCEDURES | P0 | System And Information Integrity | |
| PM-1 | INFORMATION SECURITY PROGRAM PLAN | Program Management | ||
| PM-2 | SENIOR INFORMATION SECURITY OFFICER | Program Management | ||
| PM-3 | INFORMATION SECURITY RESOURCES | Program Management | ||
| PM-4 | PLAN OF ACTION AND MILESTONES PROCESS | Program Management | ||
| PM-5 | INFORMATION SYSTEM INVENTORY | Program Management | ||
| PM-6 | INFORMATION SECURITY MEASURES OF PERFORMANCE | Program Management | ||
| PM-7 | ENTERPRISE ARCHITECTURE | Program Management | ||
| PM-8 | CRITICAL INFRASTRUCTURE PLAN | Program Management | ||
| PM-9 | RISK MANAGEMENT STRATEGY | Program Management | ||
| PM-10 | SECURITY AUTHORIZATION PROCESS | Program Management | ||
| PM-11 | MISSION/BUSINESS PROCESS DEFINITION | Program Management | ||
| PM-12 | INSIDER THREAT PROGRAM | Program Management | ||
| PM-13 | INFORMATION SECURITY WORKFORCE | Program Management | ||
| PM-14 | TESTING, TRAINING, AND MONITORING | Program Management | ||
| PM-15 | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS | Program Management | ||
| PM-16 | THREAT AWARENESS PROGRAM | Program Management |