Access Control

• AC-1 Access Control Policy and Procedures
• AC-2 Account Management *
• AC-3 Access Enforcement *
• AC-4 Information Flow Enforcement *
• AC-5 Separation of Duties *
• AC-6 Least Privilege *
• AC-7 Unsuccessful Login Attempts *
• AC-8 System Use Notification *
• AC-9 Previous Logon Notification *
• AC-10 Concurrent Session Control *
• AC-11 Session Lock *
• AC-12 Session Termination *
• AC-13 Supervision and Review - Access Control *
• AC-14 Permitted Actions without Identification or Authentication *
• AC-15 Automated Marking *
• AC-16 Automated Labeling *
• AC-17 Remote Access *
• AC-18 Wireless Access Restrictions
• AC-19 Access Control for Portable and Mobile Devices
• AC-20 Use of External Information Systems

Awareness and Training

• AT-1 Security Awareness and Training Policy and Procedures
• AT-2 Security Awareness
• AT-3 Security Training
• AT-4 Security Training Records
• AT-5 Contacts with Security Groups and Associations

Audit and Accountability

• AU-1 Audit and Accountability Policy and Procedures
• AU-2 Auditable Events *
• AU-3 Content of Audit Records
• AU-4 Audit Storage Capacity *
• AU-5 Response to Audit Processing Failures *
• AU-6 Audit Monitoring, Analysis, and Reporting *
• AU-7 Audit Reduction and Report Generation
• AU-8 Time Stamps *
• AU-9 Protection of Audit Information *
• AU-10 Non-repudiation
• AU-11 Audit Record Retention *

Certification, Accreditation, and Security Assessments

• CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures
• CA-2 Security Assessments *
• CA-3 Information System Connections
• CA-4 Security Certification *
• CA-5 Plan of Action and Milestones *
• CA-6 Security Accreditation
• CA-7 Continuous Monitoring *

Configuration Management

• CM-1 Configuration Management Policy and Procedures
• CM-2 Baseline Configuration
• CM-3 Configuration Change Control *
• CM-4 Monitoring Configuration Changes *
• CM-5 Access Restrictions for Change *
• CM-6 Configuration Settings *
• CM-7 Least Functionality *
• CM-8 Information System Component Inventory

Contingency Planning

• CP-1 Contingency Planning Policy and Procedures
• CP-2 Contingency Plan
• CP-3 Contingency Training
• CP-4 Contingency Plan Testing and Exercises
• CP-5 Contingency Plan Update
• CP-6 Alternate Storage Sites
• CP-7 Alternate Processing Sites
• CP-8 Telecommunications Services
• CP-9 Information System Backup *
• CP-10 Information System Recovery and Reconstitution

Identification and Authentication

• IA-1 Identification and Authentication Policy and Procedures
• IA-2 User Identification and Authentication *
• IA-3 Device Identification and Authentication *
• IA-4 Identifier Management *
• IA-5 Authenticator Management *
• IA-6 Authenticator Feedback *
• IA-7 Cryptographic Module Authentication *

Incident Response

• IR-1 Incident Response Policy and Procedures
• IR-2 Incident Response Training
• IR-3 Incident Response Testing and Exercises
• IR-4 Incident Handling
• IR-5 Incident Monitoring
• IR-6 Incident Reporting
• IR-7 Incident Response Assistance

Maintenance

• MA-1 System Maintenance Policy and Procedures
• MA-2 Controlled Maintenance *
• MA-3 Maintenance Tools Not Selected
• MA-4 Remote Maintenance
• MA-5 Maintenance Personnel
• MA-6 Timely Maintenance

Media Protection

• MP-1 Media Protection Policy and Procedures
• MP-2 Media Access
• MP-3 Media Labeling *
• MP-4 Media Storage
• MP-5 Media Transport
• MP-6 Media Sanitization and Disposal

Physical and Environmental Protection

• PE-1 Physical and Environmental Protection Policy and Procedures
• PE-2 Physical Access Authorizations
• PE-3 Physical Access Control
• PE-4 Access Control for Transmission Medium
• PE-5 Access Control for Display Medium
• PE-6 Monitoring Physical Access
• PE-7 Visitor Control
• PE-8 Access Records
• PE-9 Power Equipment and Power Cabling
• PE-10 Emergency Shutoff
• PE-11 Emergency Power
• PE-12 Emergency Lighting
• PE-13 Fire Protection
• PE-14 Temperature and Humidity Controls
• PE-15 Water Damage Protection
• PE-16 Delivery and Removal
• PE-17 Alternate Work Site
• PE-18 Location of Information System Components
• PE-19 Information Leakage

Planning

• PL-1 Security Planning Policy and Procedures
• PL-2 System Security Plan
• PL-3 System Security Plan Update
• PL-4 Rules of Behavior
• PL-5 Privacy Impact Assessment
• PL-6 Security-Related Activity Planning

Personnel Security

• PS-1 Personnel Security Policy and Procedures
• PS-2 Position Categorization
• PS-3 Personnel Screening
• PS-4 Personnel Termination
• PS-5 Personnel Transfer
• PS-6 Access Agreements
• PS-7 Third-Party Personnel Security
• PS-8 Personnel Sanctions

Risk Assessment

• RA-1 Risk Assessment Policy and Procedures
• RA-2 Security Categorization
• RA-3 Risk Assessment
• RA-4 Risk Assessment Update
• RA-5 Vulnerability Scanning *

System and Services Acquisition

• SA-1 System and Services Acquisition Policy and Procedures
• SA-2 Allocation of Resources
• SA-3 Life Cycle Support
• SA-4 Acquisitions
• SA-5 Information System Documentation
• SA-6 Software Usage Restrictions
• SA-7 User Installed Software
• SA-8 Security Engineering Principles
• SA-9 External Information System Services
• SA-10 Developer Configuration Management
• SA-11 Developer Security Testing

System and Communications Protection

• SC-1 System and Communications Protection Policy and Procedures
• SC-2 Application Partitioning
• SC-3 Security Function Isolation
• SC-4 Information Remnance *
• SC-5 Denial of Service Protection *
• SC-6 Resource Priority *
• SC-7 Boundary Protection *
• SC-8 Transmission Integrity
• SC-9 Transmission Confidentiality
• SC-10 Network Disconnect *
• SC-11 Trusted Path *
• SC-12 Cryptographic Key Establishment and Management
• SC-13 Use of Cryptography
• SC-14 Public Access Protections
• SC-15 Collaborative Computing
• SC-16 Transmission of Security Parameters *
• SC-17 Public Key Infrastructure Certificates
• SC-18 Mobile Code
• SC-19 Voice Over Internet Protocol
• SC-20 Secure Name /Address Resolution Service (Authoritative Source)
• SC-21 Secure Name /Address Resolution Service (Recursive or Caching Resolver)
• SC-22 Architecture and Provisioning for Name/Address Resolution Service
• SC-23 Session Authenticity

System and Information Integrity

• SI-1 System and Information Integrity Policy and Procedures
• SI-2 Flaw Remediation *
• SI-3 Malicious Code Protection *
• SI-4 Information System Monitoring Tools and Techniques *
• SI-5 Security Alerts and Advisories
• SI-6 Security Functionality Verification *
• SI-7 Software and Information Integrity *
• SI-8 Spam Protection
• SI-9 Information Input Restrictions
• SI-10 Information Accuracy, Completeness, Validity, and Authenticity
• SI-11 Error Handling
• SI-12 Information Output Handling and Retention