Legacy Re-Mapping NIST 800-53 R4 Changes
Here is the list of the mapping changes that resulted from the re-mapping of legacy document NIST 800-53 R4.
- Legacy Document: AD 1374, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated
- Re-mapped Document: AD 3212, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4
There are two types of changes:
- The mandate of the citation maps to a different control. This occurs when a better control match is created after the original mapping, typically because a newer control has been written since the initial mapping.
- The mandates of the citation map to additional controls. Prior mappings typically mapped one citation to one control. We now identify all the mandates in each citation and map each mandate to a control. You can see the color-coded mandates at research.unifiedcompliance.com.
Citations whose mapping did not change are not listed in the table below.
Legacy and New Control Mappings
Citation | Legacy CC ID | Legacy CC Name | New CC ID | New CC Name | |
CM-7(4)(b) | 868 | Establish and maintain a software accountability policy. | 11780 | Establish, implement, and maintain whitelists and blacklists of software. | |
CM-8(6) ¶ 1 | 8710 | Establish and maintain a configuration change log. | 862 | Establish and maintain a current configuration baseline based on the least functionality principle. | |
8711 | Document approved configuration deviations. | ||||
AC-3(9)(a) | 544 | Establish and maintain a Boundary Defense program. | 6310 | Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. | |
AC-3(9)(b) | 544 | Establish and maintain a Boundary Defense program. | 6310 | Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. | |
AC-3(10) ¶ 1 | 512 | Establish, implement, and maintain access control policies. | 645 | Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. | |
AC-4(15) ¶ 1 | 6763 | Constrain the information flow of restricted data or restricted information. | 6763 | Constrain the information flow of restricted data or restricted information. | |
6761 | Perform content filtering scans on network traffic. | ||||
AC-4(18) ¶ 1 | 4542 | Establish and maintain information flow procedures. | 6764 | Associate records with their security attributes. | |
AC-16b. | 6764 | Associate records with their security attributes. | 6764 | Associate records with their security attributes. | |
968 | Retain records in accordance with applicable requirements. | ||||
AC-16c. | 6764 | Associate records with their security attributes. | 3 | Interpret and apply security requirements based upon the information classification of the system. | |
AC-16d. | 6764 | Associate records with their security attributes. | 1903 | Apply security controls to each level of the information classification standard. | |
AC-16(6) ¶ 1 | 6764 | Associate records with their security attributes. | 12304 | Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. | |
AC-16(7) ¶ 1 | 6764 | Associate records with their security attributes. | 7184 | Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. | |
AC-16(9) ¶ 1 | 6764 | Associate records with their security attributes. | 13036 | Establish and maintain records management systems, as necessary. | |
AC-16(10) ¶ 1 | 6765 | Reconfigure the security attributes of records as the information changes. | 11885 | Assign information security responsibilities to interested personnel and affected parties in the information security program. | |
AC-16(1) ¶ 1 | 6765 | Reconfigure the security attributes of records as the information changes. | 6765 | Reconfigure the security attributes of records as the information changes. | |
6764 | Associate records with their security attributes. | ||||
AC-21(2) ¶ 1 | 6310 | Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. | 10010 | Provide structures for searching for items stored in the Electronic Document and Records Management system. | |
AC-24(1) ¶ 1 | 4553 | Enable access control for objects and users on each system. | 1410 | Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. | |
AC-24(2) ¶ 1 | 4553 | Enable access control for objects and users on each system. | 11836 | Include the objects and users subject to access control in the security policy. | |
AU-5b. | 6290 | Protect the event logs from failure. | 10679 | Shut down systems when an integrity violation is detected, as necessary. | |
14308 | Overwrite the oldest records when audit logging fails. | ||||
1712 | Configure the security parameters for all logs. | ||||
AU-5(3) ¶ 1 | 1619 | Establish and maintain system capacity monitoring procedures. | 1619 | Establish and maintain system capacity monitoring procedures. | |
6883 | Establish, implement, and maintain rate limiting filters. | ||||
AU-10(1)(a) | 6764 | Associate records with their security attributes. | 12729 | Assign an information owner to organizational assets, as necessary. | |
AU-10(1)(b) | 6764 | Associate records with their security attributes. | 920 | Establish and maintain data input and data access authorization tracking. | |
AU-10(2)(a) | 6764 | Associate records with their security attributes. | 920 | Establish and maintain data input and data access authorization tracking. | |
AU-10(3) ¶ 1 | 567 | Implement non-repudiation for transactions. | 13203 | Validate transactions using identifiers and credentials. | |
AU-13 Control | 10419 | Search the Internet for evidence of data leakage. | 10419 | Search the Internet for evidence of data leakage. | |
10593 | Review monitored websites for data leakage. | ||||
CA-8(2) ¶ 1 | 1277 | Perform network-layer penetration testing on all systems, as necessary. | 12131 | Conduct Red Team exercises, as necessary. | |
PE-18(1) ¶ 1 | 6351 | Define selection criteria for facility locations. | 6351 | Define selection criteria for facility locations. | |
6479 | Employ risk assessment procedures that take into account the target environment. | ||||
PE-20a. | 10626 | Attach asset location technologies to distributed Information Technology assets. | 10626 | Attach asset location technologies to distributed Information Technology assets. | |
11684 | Monitor the location of distributed Information Technology assets. | ||||
CM-3(3) ¶ 1 | 2130 | Create a Configuration Baseline Documentation Record before promoting the system to a production environment. | 12103 | Review and update Configuration Baseline Documentation Records, as necessary. | |
12503 | Apply configuration standards to all systems, as necessary. | ||||
CM-5(4) ¶ 1 | 11776 | Implement changes according to the change control program. | 11776 | Implement changes according to the change control program. | |
887 | Manage change requests. | ||||
CM-6a. | 2132 | Establish and maintain an accurate Configuration Management Database with accessible reporting capabilities. | 11953 | Establish and maintain configuration standards for all systems based upon industry best practices. | |
CM-7(3) ¶ 1 | 537 | Include a protocols, ports, applications, and services list in the firewall and router configuration standard. | 12547 | Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. | |
CP-2(6) ¶ 1 | 742 | Designate an alternate facility in the continuity plan. | 744 | Prepare the alternate facility for an emergency offsite relocation. | |
1169 | Include restoration procedures in the continuity plan. | ||||
CP-2(7) ¶ 1 | 1386 | Coordinate continuity planning with other business units responsible for related continuity plans. | 13242 | Coordinate and incorporate supply chain members' continuity plans, as necessary. | |
CP-4(3) ¶ 1 | 1389 | Automate the off-site testing to more thoroughly test the continuity plan. | 755 | Test the continuity plan, as necessary. | |
CP-11 Control | 1294 | Include Wide Area Network continuity procedures in the continuity plan. | 750 | Include emergency communications procedures in the continuity plan. | |
CP-8(5) ¶ 1 | 755 | Test the continuity plan, as necessary. | 12777 | Validate the emergency communications procedures during continuity plan tests. | |
IA-2(6) ¶ 1 | 561 | Implement two-factor authentication techniques. | 561 | Implement two-factor authentication techniques. | |
6836 | Establish and maintain a register of approved third parties, technologies and tools. | ||||
IA-2(7) ¶ 1 | 561 | Implement two-factor authentication techniques. | 561 | Implement two-factor authentication techniques. | |
6836 | Establish and maintain a register of approved third parties, technologies and tools. | ||||
IA-2(10) ¶ 1 | 11841 | Include digital identification procedures in the access control program. | 553 | Enable logon authentication management techniques. | |
IA-4 Control | 0 | UCF CE List | 515 | Control the addition and modification of user identifiers, user credentials, or other object identifiers. | |
IA-4(2) ¶ 1 | 515 | Control the addition and modification of user identifiers, user credentials, or other object identifiers. | 515 | Control the addition and modification of user identifiers, user credentials, or other object identifiers. | |
6641 | Review and approve logical access to all assets based upon organizational policies. | ||||
IA-4(6) ¶ 1 | 515 | Control the addition and modification of user identifiers, user credentials, or other object identifiers. | 12201 | Provide identification mechanisms for the organization's supply chain members. | |
IA-4(7) ¶ 1 | 8712 | Require multiple forms of personal identification prior to issuing user IDs. | 13750 | Support the identity proofing process through in-person proofing or remote proofing. | |
IA-9 Control | 513 | Establish and maintain an access rights management plan. | 14053 | Establish, implement, and maintain identification and authentication procedures. | |
IA-9(1) ¶ 1 | 1429 | Require the system to identify and authenticate approved devices before establishing a connection to restricted data. | 14227 | Include coordination amongst entities in the identification and authentication policy. | |
IA-9(2) ¶ 1 | 1429 | Require the system to identify and authenticate approved devices before establishing a connection to restricted data. | 14053 | Establish, implement, and maintain identification and authentication procedures. | |
IR-3(1) ¶ 1 | 6752 | Use automated mechanisms in the training environment, where appropriate. | 1216 | Test the incident response procedures. | |
IR-4(10) ¶ 1 | 1212 | Share incident information with interested personnel and affected parties. | 13196 | Coordinate incident response activities with interested personnel and affected parties. | |
MA-4(4) ¶ 1 | 0 | UCF CE List | 1433 | Control remote maintenance according to the system's asset classification. | |
MA-4(7) ¶ 1 | 4262 | Activate third party maintenance accounts and user identifiers, as necessary. | 12083 | Terminate remote maintenance sessions when the remote maintenance is complete. | |
MA-5(4)(b) | 1434 | Conduct maintenance with authorized personnel. | 11873 | Control granting access to third parties performing maintenance on organizational assets. | |
6509 | Include a description of the product or service to be provided in third party contracts. | ||||
MP-4a. | 11664 | Physically secure all electronic storage media that store restricted data or restricted information. | 11664 | Physically secure all electronic storage media that store restricted data or restricted information. | |
965 | Control the storage of restricted storage media. | ||||
MP-4(2) ¶ 1 | 371 | Establish and maintain access controls for all records. | 12462 | Authorize physical access to sensitive areas based on job functions. | |
6797 | Monitor for unauthorized physical access at physical entry points. | ||||
12080 | Establish and maintain a physical access log. | ||||
PE-2(2) ¶ 1 | 713 | Establish and maintain physical identification procedures. | 6701 | Check the visitor's stated identity against a provided government issued identification. | |
PE-3(2) ¶ 1 | 1441 | Control the delivery of assets through physical entry points and physical exit points. | 11681 | Control the removal of assets through physical entry points and physical exit points. | |
PE-3(3) ¶ 1 | 6653 | Employ security guards to provide physical security, as necessary. | 6653 | Employ security guards to provide physical security, as necessary. | |
11669 | Maintain all security alarm systems. | ||||
PE-5(1)(b) | 926 | Establish, implement, and maintain document handling procedures for paper documents. | 11656 | Establish and maintain document security requirements for the output of records. | |
PE-5(2)(a) | 926 | Establish, implement, and maintain document handling procedures for paper documents. | 371 | Establish and maintain access controls for all records. | |
PE-5(2)(b) | 926 | Establish, implement, and maintain document handling procedures for paper documents. | 372 | Provide audit trails for all pertinent records. | |
PL-9 Control | 6328 | Adhere to operating procedures as defined in the Standard Operating Procedures Manual. | 12415 | Establish and maintain a baseline of internal controls. | |
RA-3b. | 6481 | Include the results of the risk assessment in the risk assessment report. | 6481 | Include the results of the risk assessment in the risk assessment report. | |
6481 | Include the results of the risk assessment in the risk assessment report. | 11978 | Include risk assessment results in the risk treatment plan. | ||
6481 | Include the results of the risk assessment in the risk assessment report. | ||||
SA-4(3) ¶ 1 | 1447 | Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets. | 1447 | Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets. | |
1124 | Include security requirements in system acquisition contracts. | ||||
14256 | Include a description of the development environment and operational environment in system acquisition contracts. | ||||
1100 | Perform Quality Management on all newly developed or modified systems. | ||||
SA-4(5)(b) | 1446 | Provide a Configuration Management plan by the Information System developer for all newly acquired information technology assets. | 12503 | Apply configuration standards to all systems, as necessary. | |
SA-4(6)(a) | 1133 | Establish, implement, and maintain a product and services acquisition strategy. | 6836 | Establish and maintain a register of approved third parties, technologies and tools. | |
SA-11(3)(b) | 11638 | Assign vulnerability scanning to qualified personnel or external third parties. | 11638 | Assign vulnerability scanning to qualified personnel or external third parties. | |
12186 | Grant access to authorized personnel. | ||||
SA-11(7) ¶ 1 | 1100 | Perform Quality Management on all newly developed or modified systems. | 1447 | Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets. | |
SA-12(5) ¶ 1 | 8808 | Establish, implement, and maintain a supply chain management policy. | 8811 | Include risk management procedures in the supply chain management policy. | |
SA-12(7) ¶ 1 | 1135 | Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. | 1129 | Conduct an acquisition feasibility study prior to acquiring Information Technology assets. | |
1144 | Establish, implement, and maintain facilities, assets, and services acceptance procedures. | ||||
12218 | Establish and maintain product update procedures. | ||||
SA-12(11) ¶ 1 | 8811 | Include risk management procedures in the supply chain management policy. | 8854 | Conduct all parts of the supply chain due diligence process. | |
8861 | Assign the appropriate individuals or groups to oversee and support supply chain due diligence. | ||||
655 | Perform penetration tests, as necessary. | ||||
SA-12(8) ¶ 1 | 8811 | Include risk management procedures in the supply chain management policy. | 8854 | Conduct all parts of the supply chain due diligence process. | |
SA-12(9) ¶ 1 | 8818 | Use third parties that are compliant with the applicable requirements. | 13109 | Establish and maintain information security controls for the supply chain. | |
SA-12(13) ¶ 1 | 1435 | Perform periodic maintenance according to organizational standards. | 6388 | Maintain contact with the device manufacturer or component manufacturer for maintenance requests. | |
SA-12(14) ¶ 1 | 8958 | Include a unique reference identifier on products for sale. | 8958 | Include a unique reference identifier on products for sale. | |
968 | Retain records in accordance with applicable requirements. | ||||
SA-12(15) ¶ 1 | 8810 | Include a clear management process in the supply chain management policy. | 8815 | Implement measurable improvement plans with all third parties. | |
SA-13b. | 1124 | Include security requirements in system acquisition contracts. | 1125 | Include security controls in system acquisition contracts. | |
SA-15(1)(b) | 8667 | Include measurable system performance requirements in the system design specification. | 1100 | Perform Quality Management on all newly developed or modified systems. | |
SA-15(2) ¶ 1 | 1096 | Supervise and monitor outsourced development projects. | 14307 | Require the information system developer to create a continuous monitoring plan. | |
SA-15(4) ¶ 1 | 0 | UCF CE List | 6829 | Include threat models in the system design specification. | |
11828 | Perform vulnerability assessments, as necessary. | ||||
SA-15(7)(a) | 11637 | Perform vulnerability scans, as necessary. | 11637 | Perform vulnerability scans, as necessary. | |
SA-15(7)(b) | 11744 | Establish and maintain system testing procedures. | 11940 | Rank discovered vulnerabilities. | |
SA-15(7)(c) | 6910 | Change the scope, definition, and work breakdown of the system development project after corrective actions are taken. | 6909 | Initiate preventive actions to achieve the system development project's goals and outputs. | |
SA-15(7)(d) | 4881 | Recommend mitigation techniques based on penetration test results. | 11639 | Recommend mitigation techniques based on vulnerability scan reports. | |
SA-15(8) ¶ 1 | 11637 | Perform vulnerability scans, as necessary. | 6829 | Include threat models in the system design specification. | |
1000 | Perform a risk assessment for each system development project. | ||||
SA-15(9) ¶ 1 | 1103 | Restrict production data from being used in the test environment. | 11744 | Establish and maintain system testing procedures. | |
6609 | Document the procedures and environment used to create the system or software. | ||||
1103 | Restrict production data from being used in the test environment. | ||||
SA-15(10) ¶ 1 | 588 | Include intrusion detection procedures in the Incident Management program. | 12056 | Establish and maintain an incident response plan. | |
SA-17(2)(a) | 4558 | Establish, implement, and maintain a system implementation representation document. | 8666 | Include hardware requirements in the system design specification. | |
8664 | Include supporting software requirements in the system design specification. | ||||
SA-17(3)(c) | 4556 | Include all confidentiality, integrity, and availability functions in the system design specification. | 4559 | Include the relationships and dependencies between modules in the system design specification. | |
SA-17(3)(e) | 4556 | Include all confidentiality, integrity, and availability functions in the system design specification. | 11734 | Include a description of each module and asset in the system design specification. | |
SA-17(4)(c) | 4556 | Include all confidentiality, integrity, and availability functions in the system design specification. | 4559 | Include the relationships and dependencies between modules in the system design specification. | |
SA-17(4)(d) | 4556 | Include all confidentiality, integrity, and availability functions in the system design specification. | 4559 | Include the relationships and dependencies between modules in the system design specification. | |
SA-17(4)(e) | 4556 | Include all confidentiality, integrity, and availability functions in the system design specification. | 11734 | Include a description of each module and asset in the system design specification. | |
SA-17(6) | 11744 | Establish and maintain system testing procedures. | 1101 | Establish and maintain a system testing program for all system development projects. | |
SA-19a. | 10641 | Establish and maintain an anti-counterfeit program for acquiring new systems. | 10641 | Establish and maintain an anti-counterfeit program for acquiring new systems. | |
10643 | Scan for potential counterfeit parts and potential counterfeit components. | ||||
11510 | Seize counterfeit products. | ||||
SA-19b. | 10642 | Create and distribute a counterfeit product report. | 11494 | Disseminate and communicate the counterfeit product report to the supplier. | |
10642 | Create and distribute a counterfeit product report. | 11490 | Disseminate and communicate the counterfeit product report to appropriate law enforcement authorities. | ||
10642 | Create and distribute a counterfeit product report. | 10642 | Create and distribute a counterfeit product report. | ||
SA-19(2) ¶ 1 | 863 | Establish and maintain configuration control and Configuration Status Accounting for each system. | 863 | Establish and maintain configuration control and Configuration Status Accounting for each system. | |
863 | Establish and maintain configuration control and Configuration Status Accounting for each system. | ||||
SA-21a. | 6507 | Include compliance with the organization's access policy as a requirement in third party contracts. | 12186 | Grant access to authorized personnel. | |
SA-21b. | 790 | Include third party requirements for personnel security in third party contracts. | 11700 | Establish and maintain personnel screening procedures. | |
SA-21(1) ¶ 1 | 790 | Include third party requirements for personnel security in third party contracts. | 11663 | Establish, implement, and maintain access control procedures. | |
11700 | Establish and maintain personnel screening procedures. | ||||
SA-22b. | 10645 | Obtain justification for the continued use of system components when third party support is no longer available. | 10645 | Obtain justification for the continued use of system components when third party support is no longer available. | |
912 | Capture the records required by organizational compliance requirements. | ||||
SA-22(1) ¶ 1 | 6389 | Plan and conduct maintenance so that it does not interfere with scheduled operations. | 1435 | Perform periodic maintenance according to organizational standards. | |
SA-15(4)(b) | 11637 | Perform vulnerability scans, as necessary. | 14282 | Implement scanning tools, as necessary. | |
11828 | Perform vulnerability assessments, as necessary. | ||||
SC-3(1) ¶ 1 | 11858 | Separate user functionality from system management functionality. | 12254 | Design the hardware security module to enforce the separation between applications. | |
SC-3(3) ¶ 1 | 6767 | Separate processing domains to segregate user privileges and enhance information flow control. | 11858 | Separate user functionality from system management functionality. | |
SC-3(5) ¶ 1 | 6767 | Separate processing domains to segregate user privileges and enhance information flow control. | 6767 | Separate processing domains to segregate user privileges and enhance information flow control. | |
6767 | Separate processing domains to segregate user privileges and enhance information flow control. | ||||
11843 | Implement segregation of duties. | ||||
SC-5(3)(b) | 11752 | Establish and maintain system performance monitoring procedures. | 1619 | Establish and maintain system capacity monitoring procedures. | |
SC-7(9)(a) | 1295 | Restrict outbound network traffic from systems that contain restricted data or restricted information. | 1295 | Restrict outbound network traffic from systems that contain restricted data or restricted information. | |
6761 | Perform content filtering scans on network traffic. | ||||
SC-7(14) ¶ 1 | 11852 | Deny network access to rogue devices until network access approval has been received. | 718 | Establish and maintain physical security controls for distributed Information Technology assets. | |
SC-7(15) ¶ 1 | 11842 | Manage all external network connections. | 1421 | Control remote access through a network access control. | |
SC-7(17) ¶ 1 | 544 | Establish and maintain a Boundary Defense program. | 11845 | Include configuration management and rulesets in the network access control standard. | |
SC-16(1) ¶ 1 | 6764 | Associate records with their security attributes. | 923 | Establish and maintain data processing integrity controls. | |
SC-18(1) ¶ 1 | 574 | Establish, implement, and maintain a malicious code protection program. | 10034 | Monitor systems for unauthorized mobile code. | |
13691 | Remove malware when malicious code is discovered. | ||||
SC-18(2) ¶ 1 | 1136 | Establish, implement, and maintain a product and services acquisition program. | 1138 | Establish, implement, and maintain a software product acquisition methodology. | |
1094 | Develop systems in accordance with the system design specifications and system design standards. | ||||
1355 | Include asset use policies in the Acceptable Use Policy. | ||||
SC-18(3) ¶ 1 | 4576 | Restrict downloading to reduce malicious code attacks. | 4576 | Restrict downloading to reduce malicious code attacks. | |
11081 | Configure the "Prevent launch an application" setting to organizational standards. | ||||
SC-18(4) ¶ 1 | 10034 | Monitor systems for unauthorized mobile code. | 11081 | Configure the "Prevent launch an application" setting to organizational standards. | |
10034 | Monitor systems for unauthorized mobile code. | ||||
SC-23(3) ¶ 1 | 7074 | Use randomly generated session identifiers. | 7074 | Use randomly generated session identifiers. | |
4553 | Enable access control for objects and users on each system. | ||||
SC-25 Control | 882 | Remove all unnecessary functionality. | 882 | Remove all unnecessary functionality. | |
7599 | Configure Least Functionality and Least Privilege settings to organizational standards. | ||||
SC-27 Control | 0 | UCF CE List | 895 | Establish and maintain software asset management procedures. | |
SC-28(2) ¶ 1 | 951 | Establish and maintain a records lifecycle management program. | 968 | Retain records in accordance with applicable requirements. | |
SC-29 Control | 1046 | Identify system design strategies. | 1115 | Manage the system implementation process. | |
SC-30(3) ¶ 1 | 10651 | Change the locations of processing facilities at random intervals. | 10651 | Change the locations of processing facilities at random intervals. | |
10661 | Change the locations of storage facilities at random intervals. | ||||
SC-30(5) ¶ 1 | 582 | Determine if honeypots should be installed, and if so, where the honeypots should be placed. | 7110 | Establish, implement, and maintain virtualization configuration settings. | |
SC-31(3) ¶ 1 | 10655 | Reduce the maximum bandwidth of covert channels. | 10653 | Estimate the maximum bandwidth of any covert channels. | |
SC-34(2) ¶ 1 | 946 | Implement electronic storage media integrity controls. | 946 | Implement electronic storage media integrity controls. | |
969 | Maintain continued integrity for all stored data and stored records. | ||||
SC-37 Control | 10665 | Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. | 10665 | Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. | |
1441 | Control the delivery of assets through physical entry points and physical exit points. | ||||
SC-38 Control | 6491 | Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. | 13479 | Protect confidential information during the system development life cycle program. | |
SC-40(3) ¶ 1 | 6078 | Configure wireless communication to be encrypted using strong cryptography. | 11623 | Scan wireless networks for rogue devices. | |
11852 | Deny network access to rogue devices until network access approval has been received. | ||||
SC-42a. | 10666 | Prohibit the remote activation of environmental sensors on mobile devices. | 10666 | Prohibit the remote activation of environmental sensors on mobile devices. | |
10667 | Configure environmental sensors on mobile devices. | ||||
SC-43a. | 1350 | Establish and maintain an Acceptable Use Policy. | 1350 | Establish and maintain an Acceptable Use Policy. | |
1111 | Establish and maintain a system implementation standard. | ||||
SC-43b. | 1351 | Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. | 1351 | Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. | |
585 | Monitor systems for inappropriate usage and other security violations. | ||||
11665 | Control user privileges. | ||||
SC-8 Control | 564 | Use strong data encryption to transmit restricted data or restricted information over public networks. | 11859 | Protect data from unauthorized disclosure while transmitting between separate parts of the system. | |
4554 | Protect data from modification or loss while transmitting between separate parts of the system. | ||||
SC-13 Control | 4546 | Establish, implement, and maintain an encryption management and cryptographic controls policy. | 570 | Manage the use of encryption controls and cryptographic controls. | |
12491 | Employ only secure versions of cryptographic controls. | ||||
SI-3(6)(b) | 661 | Create specific test plans to test each system component. | 11901 | Test security systems and associated security procedures, as necessary. | |
11901 | Test security systems and associated security procedures, as necessary. | ||||
SI-3(8) ¶ 1 | 585 | Monitor systems for inappropriate usage and other security violations. | 585 | Monitor systems for inappropriate usage and other security violations. | |
12045 | Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. | ||||
645 | Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. | ||||
558 | Enforce privileged accounts and non-privileged accounts for system access. | ||||
SI-3(9) ¶ 1 | 562 | Protect remote access accounts with encryption. | 559 | Control all methods of remote access and teleworking. | |
SI-3(10)(b) | 10673 | Incorporate the malicious code analysis into the patch management program. | 10673 | Incorporate the malicious code analysis into the patch management program. | |
| | | 14016 | Communicate threat intelligence to interested personnel and affected parties. | |
SI-4(7) ¶ 1 | 6430 | Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. | 6430 | Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. | |
| | | 6942 | Respond to and triage when a security incident is detected. | |
SI-4(9) ¶ 1 | 1216 | Test the incident response procedures. | 11901 | Test security systems and associated security procedures, as necessary. | |
SI-4(13)(b) | 596 | Review and update event logs and audit logs, as necessary. | 643 | Include a standard to collect and interpret event logs in the event logging procedures. | |
SI-4(17) ¶ 1 | 596 | Review and update event logs and audit logs, as necessary. | 1424 | Compile the event logs of multiple components into a system-wide time-correlated audit trail. | |
SI-7(8) ¶ 1 | 6332 | Configure all logs to capture auditable events or actionable events. | 640 | Enable logging for all systems that meet a traceability criteria. | |
| 1337 | Configure the log to send alerts for each auditable events success or failure. | 6332 | Configure all logs to capture auditable events or actionable events. | |
| 1337 | Configure the log to send alerts for each auditable events success or failure. | 1337 | Configure the log to send alerts for each auditable events success or failure. | |
| 1552 | Enable and configure auditing operations and logging operations, as necessary. | 1337 | Configure the log to send alerts for each auditable events success or failure. | |
| | | 10678 | Automatically respond when an integrity violation is detected. | |
SI-7(9) ¶ 1 | 1905 | Establish and maintain the systems' availability level. | 1906 | Establish and maintain the systems' integrity level. | |
SI-7(10) ¶ 1 | 1905 | Establish and maintain the systems' availability level. | 1909 | Define integrity controls. | |
SI-7(11) ¶ 1 | 868 | Establish and maintain a software accountability policy. | 6749 | Include a software installation policy in the Acceptable Use Policy. | |
SI-7(12) ¶ 1 | 868 | Establish and maintain a software accountability policy. | 6749 | Include a software installation policy in the Acceptable Use Policy. | |
SI-7(13) ¶ 1 | 6551 | Establish and maintain a virtual environment and shared resources security program. | 10648 | Execute permitted mobile code in confined virtual machine environments. | |
| | | 6749 | Include a software installation policy in the Acceptable Use Policy. | |
SI-10(1)(b) | 924 | Establish and maintain Automated Data Processing validation checks and editing checks. | 558 | Enforce privileged accounts and non-privileged accounts for system access. | |
SI-10(1)(c) | 6332 | Configure all logs to capture auditable events or actionable events. | 645 | Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. | |
SI-13(1) ¶ 1 | 1256 | Reconfigure restored systems to meet the Recovery Point Objectives. | 6276 | Establish, implement, and maintain a system redeployment program. | |
SI-13(3) ¶ 1 | 1256 | Reconfigure restored systems to meet the Recovery Point Objectives. | 13476 | Restore systems and environments to be operational. | |
SI-13(4)(a) | 1256 | Reconfigure restored systems to meet the Recovery Point Objectives. | 11693 | Reconfigure restored systems to meet the Recovery Time Objectives. | |
SI-13(4)(b) | 4544 | Monitor systems for errors and faults. | 10678 | Automatically respond when an integrity violation is detected. | |
| | | 10679 | Shut down systems when an integrity violation is detected, as necessary. | |
SI-14(1) ¶ 1 | 4890 | Establish and maintain a core supply inventory required to support critical business functions. | 6836 | Establish and maintain a register of approved third parties, technologies and tools. | |
SI-4a. | 0 | UCF CE List | 585 | Monitor systems for inappropriate usage and other security violations. | |
SI-6d. | 1206 | Establish and maintain incident response procedures. | 10679 | Shut down systems when an integrity violation is detected, as necessary. | |
| | | 10680 | Restart systems when an integrity violation is detected, as necessary. | |
SI-13b. | 1256 | Reconfigure restored systems to meet the Recovery Point Objectives. | 11693 | Reconfigure restored systems to meet the Recovery Time Objectives. | |
| | | 13476 | Restore systems and environments to be operational. | |
SI-15 Control | 930 | Establish and maintain paper document integrity requirements for the output of records. | 6627 | Perform regularly scheduled quality and integrity control reviews of output of records. | |
PM-1a. | 0 | UCF CE List | 812 | Establish and maintain an information security program. | |
| | | 815 | Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. | |
PM-1a.1. | 820 | Establish and maintain an internal control framework. | 11740 | Establish and maintain an information security policy. | |
| | | 820 | Establish and maintain an internal control framework. | |
PM-1a.2. | 820 | Establish and maintain an internal control framework. | 11885 | Assign information security responsibilities to interested personnel and affected parties in the information security program. | |
| | | 11999 | Provide management direction and support for the information security program. | |
| | | 12294 | Describe the group activities that protect restricted data in the information security procedures. | |
| | | 6384 | Comply with all implemented policies in the organization's compliance framework. | |
PM-1a.3. | 815 | Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. | 812 | Establish and maintain an information security program. | |
PM-1a.4. | 815 | Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. | 11737 | Approve the information security policy at the organization's management level or higher. | |
PM-3a. | 6279 | Establish, implement, and maintain a Capital Planning and Investment Control policy. | 6279 | Establish, implement, and maintain a Capital Planning and Investment Control policy. | |
| | | 1630 | Document compliance exceptions, as necessary. | |
PM-3b. | 6279 | Establish, implement, and maintain a Capital Planning and Investment Control policy. | 6846 | Document the business case and return on investment in each Information Technology project plan. | |
PM-4a.2. | 6777 | Implement a corrective action plan in response to the audit report. | 705 | Document and communicate a corrective action plan based on the risk assessment findings. | |
PM-4a.3. | 6777 | Implement a corrective action plan in response to the audit report. | 705 | Document and communicate a corrective action plan based on the risk assessment findings. | |
PM-4b. | 675 | Create a corrective action plan to correct control deficiencies identified in an audit. | 11645 | Include monitoring in the corrective action plan. | |
PM-6 | 671 | Establish and maintain a compliance monitoring policy. | 671 | Establish and maintain a compliance monitoring policy. | |
| | | 12857 | Monitor the performance of the governance, risk, and compliance capability. | |
| | | 676 | Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. | |
PM-8 | 710 | Establish and maintain facility maintenance procedures. | 6486 | Take into account the need for protecting information confidentiality during infrastructure planning. | |
PM-9a. | 685 | Establish and maintain the risk assessment framework. | 13209 | Establish and maintain risk management strategies, as necessary. | |
PM-9b. | 6446 | Establish, implement, and maintain risk assessment procedures. | 13661 | Integrate the risk management program with the organization's business activities. | |
PM-9c. | 6460 | Review the risk assessment procedures, as necessary. | 13049 | Review and update the risk management program, as necessary. | |
PM-10a. | 7109 | Approve the results of the risk assessment as documented in the risk assessment report. | 12004 | Review systems for compliance with organizational information security policies. | |
| | | 711 | Establish and maintain a facility physical security program. | |
PM-10c. | 6446 | Establish, implement, and maintain risk assessment procedures. | 14228 | Review and update the security assessment and authorization procedures, as necessary. | |
PM-11a. | 6495 | Address Information Security during the business planning processes. | 6495 | Address Information Security during the business planning processes. | |
| | | 698 | Include the risks to the organization's critical personnel and assets in the threat and risk classification scheme. | |
PM-11b. | 704 | Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. | 12155 | Observe processes to determine the effectiveness of in scope controls. | |
| | | 675 | Create a corrective action plan to correct control deficiencies identified in an audit. | |
PM-13 Control | 785 | Train all personnel and third parties, as necessary. | 828 | Establish and implement training plans. | |
PM-14a.1. | 1406 | Establish, implement, and maintain a Governance, Risk, and Compliance framework. | 654 | Establish, implement, and maintain a testing program. | |
| | | 828 | Establish and implement training plans. | |
| | | 637 | Establish, implement, and maintain logging and monitoring operations. | |
PM-14a.2. | 1406 | Establish, implement, and maintain a Governance, Risk, and Compliance framework. | 818 | Implement and comply with the Governance, Risk, and Compliance framework. | |
PM-14b. | 817 | Review and update the Governance, Risk, and Compliance framework, as necessary. | 654 | Establish, implement, and maintain a testing program. | |
| | | 828 | Establish and implement training plans. | |
| | | 637 | Establish, implement, and maintain logging and monitoring operations. | |
PM-15a. | 11732 | Share relevant security information with Special Interest Groups, as necessary. | 2217 | Tailor training to meet published guidance on the subject being taught. | |
PM-15b. | 11732 | Share relevant security information with Special Interest Groups, as necessary. | 6489 | Include security information sharing procedures in the internal control framework. | |
PM-16 | 6494 | Monitor the organization's exposure to threats, as necessary. | 6494 | Monitor the organization's exposure to threats, as necessary. | |
| | | 6489 | Include security information sharing procedures in the internal control framework. | |
PM-1b. | 1348 | Review the internal control framework, as necessary. | 12744 | Monitor and review the effectiveness of the information security program. | |
PM-1c. | 1348 | Review the internal control framework, as necessary. | 817 | Review and update the Governance, Risk, and Compliance framework, as necessary. | |
| | | 13501 | Correct errors and deficiencies in a timely manner. | |
AP-1 Control | 6487 | Establish and maintain a personal data collection program. | 103 | Document the law that requires personal data to be collected. | |
AP-2 Control | 6281 | Establish, implement, and maintain a privacy policy. | 406 | Include the processing purpose in the privacy policy. | |
AR-1b. | 7113 | Establish and maintain a list of compliance documents. | 604 | Monitor regulatory trends to maintain compliance. | |
AR-1d. | 6281 | Establish, implement, and maintain a privacy policy. | 11850 | Establish and maintain a privacy framework that protects restricted data. | |
AR-1e. | 6281 | Establish, implement, and maintain a privacy policy. | 11850 | Establish and maintain a privacy framework that protects restricted data. | |
| | | 13346 | Disseminate and communicate the privacy policy, as necessary. | |
AR-2b. | 357 | Conduct personal data risk assessments. | 13712 | Establish, implement, and maintain a privacy impact assessment. | |
AR-3a. | 11610 | Include text about access, use, disclosure, and transfer of data or information in third party contracts. | 11610 | Include text about access, use, disclosure, and transfer of data or information in third party contracts. | |
| | | 1364 | Include third party acknowledgement of their data protection responsibilities in third party contracts. | |
AR-5a. | 828 | Establish and implement training plans. | 828 | Establish and implement training plans. | |
| | | 12868 | Update training plans, as necessary. | |
AR-5b. | 6664 | Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. | 785 | Train all personnel and third parties, as necessary. | |
| | | 6674 | Tailor training to be taught at each person's level of responsibility. | |
AR-6 Control | 383 | Register with public bodies and notify the Data Commissioner before processing personal data. | 383 | Register with public bodies and notify the Data Commissioner before processing personal data. | |
| | | 7029 | Include the organization's privacy practices in the audit report. | |
AR-8a. | 372 | Provide audit trails for all pertinent records. | 13022 | Establish and maintain a disclosure accounting record. | |
AR-8a.(1) | 7133 | Include the disclosure date in the disclosure accounting record. | 7133 | Include the disclosure date in the disclosure accounting record. | |
| 7135 | Include the disclosure purpose in the disclosure accounting record. | 7135 | Include the disclosure purpose in the disclosure accounting record. | |
| | | 4680 | Include what information was disclosed and to whom in the disclosure accounting record. | |
AR-8a.(2) | 4680 | Include what information was disclosed and to whom in the disclosure accounting record. | 7134 | Include the disclosure recipient in the disclosure accounting record. | |
AR-8b. | 167 | Establish and maintain personal data retention procedures. | 968 | Retain records in accordance with applicable requirements. | |
DI-1a. | 88 | Check the accuracy of personal data. | 88 | Check the accuracy of personal data. | |
| 90 | Check that personal data is complete. | 90 | Check that personal data is complete. | |
| | | 11831 | Use personal data for specified purposes. | |
| | | 91 | Keep personal data up-to-date and valid. | |
DI-1c. | 88 | Check the accuracy of personal data. | 88 | Check the accuracy of personal data. | |
| | | 462 | Change or destroy any personal data that is incorrect. | |
DI-1(1) ¶ 1 | 89 | Record personal data correctly. | 13187 | Establish and maintain customer data authentication procedures. | |
DI-2a. | 88 | Check the accuracy of personal data. | 923 | Establish and maintain data processing integrity controls. | |
DI-2b. | 843 | Review and approve all Service Level Agreements. | 806 | Establish and maintain high level operational roles and responsibilities. | |
DI-2(1) ¶ 1 | 375 | Establish, implement, and maintain a personal data transparency program. | 379 | Publish a description of activities about processing personal data in an official register. | |
DM-1a. | 27 | Collect and record personal data for specific, explicit, and legitimate purposes. | 78 | Collect the minimum amount of personal data necessary. | |
DM-1b. | 27 | Collect and record personal data for specific, explicit, and legitimate purposes. | 78 | Collect the minimum amount of personal data necessary. | |
| | | 167 | Establish and maintain personal data retention procedures. | |
DM-1c. | 11756 | Establish and maintain data handling procedures. | 507 | Establish and maintain personal data collection limitation boundaries. | |
| | | 13428 | Establish and maintain a personal data use limitation program. | |
DM-1(1) ¶ 1 | 7126 | Establish, implement, and maintain de-identifying and re-identifying procedures. | 13498 | Establish, implement, and maintain personal data disposition procedures. | |
| | | 7126 | Establish, implement, and maintain de-identifying and re-identifying procedures. | |
DM-2b. | 125 | Dispose of media and personal data in a timely manner. | 125 | Dispose of media and personal data in a timely manner. | |
| | | 7126 | Establish, implement, and maintain de-identifying and re-identifying procedures. | |
DM-2c. | 125 | Dispose of media and personal data in a timely manner. | 13498 | Establish, implement, and maintain personal data disposition procedures. | |
DM-2(1) ¶ 1 | 167 | Establish and maintain personal data retention procedures. | 11890 | Configure the log to capture creates, reads, updates, or deletes of records containing personal data. | |
| | | 11890 | Configure the log to capture creates, reads, updates, or deletes of records containing personal data. | |
DM-3b. | 96 | Refrain from using personal data collected for research and statistics for other purposes. | 13606 | Implement security measures to protect personal data. | |
DM-3(1) ¶ 1 | 96 | Refrain from using personal data collected for research and statistics for other purposes. | 13606 | Implement security measures to protect personal data. | |
IP-2d. | 103 | Document the law that requires personal data to be collected. | 4794 | Follow legal obligations while processing personal data. | |
IP-3b. | 467 | Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. | 467 | Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. | |
| | | 463 | Notify the data subject of changes made to personal data as the result of a dispute. | |
SE-1b. | 689 | Establish and maintain an Information Technology inventory with asset discovery audit trails. | 6631 | Establish, implement, and maintain an asset inventory. | |
SE-2a. | 588 | Include intrusion detection procedures in the Incident Management program. | 12056 | Establish and maintain an incident response plan. | |
SE-2b. | 364 | Include data loss event notifications in the Incident Response program. | 6942 | Respond to and triage when a security incident is detected. | |
TR-1a.(i) | 393 | Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. | 379 | Publish a description of activities about processing personal data in an official register. | |
| | | 101 | Post the collection purpose. | |
| | | 397 | Provide the data subject with a description of the type of information held by the organization and a general account of its use. | |
| | | 399 | Provide the data subject with what personal data is made available to related organizations or subsidiaries. | |
| | | 12585 | Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. | |
| | | 393 | Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. | |
| | | 12587 | Provide the data subject with the data retention period for personal data. | |
TR-1a.(ii) | 393 | Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. | 103 | Document the law that requires personal data to be collected. | |
AC-6(6) | 2 | Include business security requirements in the access classification scheme. | 558 | Enforce privileged accounts and non-privileged accounts for system access. | |
AR-8c. | 399 | Provide the data subject with what personal data is made available to related organizations or subsidiaries. | 14433 | Provide the data subject with a copy of the disclosure accounting record. | |
TR-1a.(iii) | 393 | Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. | 406 | Include the processing purpose in the privacy policy. | |
| | | 13111 | Include the consequences of refusing to provide required information in the privacy policy. | |
TR-1a.(iv) | 396 | Provide the data subject with the means of gaining access to personal data held by the organization. | 396 | Provide the data subject with the means of gaining access to personal data held by the organization. | |
| | | 457 | Notify individuals of their right to challenge personal data. | |
TR-1b.(i) | 6487 | Establish and maintain a personal data collection program. | 397 | Provide the data subject with a description of the type of information held by the organization and a general account of its use. | |
| | | 101 | Post the collection purpose. | |
TR-1b.(ii) | N/A | N/A | 397 | Provide the data subject with a description of the type of information held by the organization and a general account of its use. | |
TR-1b.(iii) | 409 | Include other organizations that personal data is being disclosed to in the privacy policy. | 409 | Include other organizations that personal data is being disclosed to in the privacy policy. | |
| | | 13459 | Include the types of third parties to which personal data is disclosed in the privacy notice. | |
| | | 399 | Provide the data subject with what personal data is made available to related organizations or subsidiaries. | |
TR-1b.(iv) | 30 | Collect personal data when an individual gives consent. | 13503 | Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. | |
| | | 469 | Give individuals the ability to change the uses of their personal data. | |
TR-1b.(vi) | 353 | Establish, implement, and maintain data handling policies. | 12585 | Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. | |
TR-1c. | 6281 | Establish, implement, and maintain a privacy policy. | 13474 | Update and redeliver privacy notices, as necessary. | |
TR-1(1) ¶ 1 | 95 | Notify the data subject of the collection purpose. | 132 | Notify the data subject before personal data is collected, used, or disclosed. | |
TR-2c. | N/A | N/A | 13444 | Deliver privacy notices to data subjects, as necessary. | |
TR-2(1) ¶ 1 | 375 | Establish, implement, and maintain a personal data transparency program. | 379 | Publish a description of activities about processing personal data in an official register. | |
TR-3a. | 394 | Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. | 379 | Publish a description of activities about processing personal data in an official register. | |
| | | 394 | Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. | |
UL-2a. | 93 | Establish, implement, and maintain a personal data use purpose specification. | 133 | Establish and maintain personal data disclosure procedures. | |
UL-2b. | 6518 | Include compliance with the organization's privacy policy in third party contracts. | 6510 | Include a description of the data or information to be covered in third party contracts. | |
| 838 | Establish and maintain Service Level Agreements with the organization's supply chain. | 11610 | Include text about access, use, disclosure, and transfer of data or information in third party contracts. | |
UL-2c. | 785 | Train all personnel and third parties, as necessary. | 12971 | Monitor systems for unauthorized data transfers. | |
| 296 | Include disciplinary actions in the Acceptable Use Policy. | 12679 | Include the stipulation of allowing auditing for compliance in the Data Processing Contract. | |
| | | 13757 | Conduct personal data processing training. | |
| | | 11747 | Establish and maintain consequences for non-compliance with the organizational compliance framework. | |
PM-15c. | 1358 | Include continuous security warning monitoring procedures in the internal control framework. | 11732 | Share relevant security information with Special Interest Groups, as necessary. | |
CP-8(4)(c) | 1365 | Review all third party's continuity plan test results. | 1365 | Review all third party's continuity plan test results. | |
| | | 1423 | Document all training in a training record. | |
SC-7(4)(e) | 1632 | Review the compliance exceptions in the exceptions document, as necessary. | 1632 | Review the compliance exceptions in the exceptions document, as necessary. | |
| | | 882 | Remove all unnecessary functionality. | |
CP-9(6) ¶ 1 | 1250 | Include technical preparation considerations for backup operations in the continuity plan. | 742 | Designate an alternate facility in the continuity plan. | |
SC-8(2) ¶ 1 | 812 | Establish and maintain an information security program. | 356 | Limit data leakage. | |
| | | 923 | Establish and maintain data processing integrity controls. | |
SI-2(6) ¶ 1 | 10671 | Remove outdated computer firmware after the computer firmware has been updated. | 10671 | Remove outdated computer firmware after the computer firmware has been updated. | |
| | | 11792 | Remove outdated software after software has been updated. | |
AU-5(4) ¶ 1 | 6290 | Protect the event logs from failure. | 10679 | Shut down systems when an integrity violation is detected, as necessary. | |
| | | 10678 | Automatically respond when an integrity violation is detected. | |
SC-34(3)(b) | 10660 | Implement procedures to manually disable hardware write-protect to change firmware. | 10660 | Implement procedures to manually disable hardware write-protect to change firmware. | |
| | | 10659 | Implement hardware-based, write-protect for system firmware components. | |
SI-4(13)(c) | 7047 | Eliminate false positives in event logs and audit logs. | 7047 | Eliminate false positives in event logs and audit logs. | |
| | | 596 | Review and update event logs and audit logs, as necessary. | |