Appendix G Control Baselines


| CONTROL NO. | CONTROL NAME | LOW BASELINE | MOD BASELINE | HIGH BASELINE |
|---|---|---|---|---|
| AU-10 | Non-repudiation | Not Selected | Not Selected | Not Selected |
| AU-11 | Audit Retention | AU-11 | AU-11 | AU-11 |
| CERTIFICATION, ACCREDITATION, AND SECURITY ASSESSMENTS | | | | |
| CA-1 | Certification, Accreditation, and Security Assessment Policies and Procedures | CA-1 | CA-1 | CA-1 |
| CA-2 | Security Assessments | Not Selected | CA-2 | CA-3 |
| CA-3 | Information System Connections | CA-3 | CA-3 | CA-3 |
| CA-4 | Security Certification | CA-4 | CA-4 | CA-4 |
| CA-5 | Plan of Action and Milestones | CA-5 | CA-5 | CA-5 |
| CA-6 | Security Accreditation | CA-6 | CA-6 | CA-6 |
| CA-7 | Continuous Monitoring | CA-7 | CA-7 | CA-7 |
| CONFIGURATION MANAGEMENT | | | | |
| CM-1 | Configuration Management Policy and Procedures | CM-1 | CM-1 | CM-1 |
| CM-2 | Baseline Configuration | CM-2 | CM-2 (1) | CM-2 (1) (2) |
| CM-3 | Configuration Change Control | Not Selected | CM-3 | CM-3 (1) |
| CM-4 | Monitoring Configuration Changes | Not Selected | CM-4 | CM-4 |
| CM-5 | Access Restrictions for Change | Not Selected | CM-5 | CM-5 (1) |
| CM-6 | Configuration Settings | CM-6 | CM-6 | CM-6 (1) |
| CM-7 | Least Functionality | Not Selected | CM-7 | CM-7 (1) |
| CONTINGENCY PLANNING | | | | |
| CP-1 | Contingency Planning Policy and Procedures | CP-1 | CP-1 | CP-1 |
| CP-2 | Contingency Plan | CP-2 | CP-2 (1) | CP-2 (1) |
| CP-3 | Contingency Training | Not Selected | CP-3 | CP-3 (1) |
| CP-4 | Contingency Plan Testing | Not Selected | CP-4 (1) | CP-4 (1) (2) |
| CP-5 | Contingency Plan Update | CP-5 | CP-5 | CP-5 |
| CP-6 | Alternate Storage Sites | Not Selected | CP-6 (1) | CP-6 (1) (2) (3) |
| CP-7 | Alternate Processing Sites | Not Selected | CP-7 (1) (2) (3) | CP-7 (1) (2) (3) (4) |
| CP-8 | Telecommunications Services | Not Selected | CP-8 (1) (2) | CP-8 (1) (2) (3) (4) |
| CP-9 | Information System Backup | CP-9 | CP-9 (1) | CP-9 (1) (2) (3) |
| CP-10 | Information System Recovery and Reconstitution | CP-10 | CP-10 | CP-10 (1) |
| IDENTIFICATION AND AUTHENTICATION | | | | |
| IA-1 | Identification and Authentication Policy and Procedures | IA-1 | IA-1 | IA-1 |
| IA-2 | User Identification and Authentication | IA-2 | IA-2 | IA-2 (1) |
| IA-3 | Device Identification and Authentication | Not Selected | IA-3 | IA-3 |
| IA-4 | Identifier Management | IA-4 | IA-4 | IA-4 |
| IA-5 | Authenticator Management | IA-5 | IA-5 | IA-5 |
| IA-6 | Authenticator Feedback | IA-6 | IA-6 | IA-6 |
| IA-7 | Cryptographic Module Authorization | IA-7 | IA-7 | IA-7 |
| INCIDENT RESPONSE | | | | |
| IR-1 | Incident Response Policy and Procedures | IR-1 | IR-1 | IR-1 |
| IR-2 | Incident Response Training | Not Selected | IR-2 | IR-2 (1) (2) |
| IR-3 | Incident Response Testing | Not Selected | IR-3 | IR-3 (1) |
| IR-4 | Incident Handling | IR-4 | IR-4 (1) | IR-4 (1) |
| IR-5 | Incident Monitoring | Not Selected | IR-5 | IR-5 (1) |
| IR-6 | Incident Reporting | IR-6 | IR-6 (1) | IR-6 (1) |
| IR-7 | Incident Response Assistance | IR-7 | IR-7 (1) | IR-7 (1) |
| MAINTENANCE | | | | |
| MA-1 | System Maintenance Policy and Procedures | MA-1 | MA-1 | MA-1 |
| MA-2 | Periodic Maintenance | MA-2 | MA-2 (1) | MA-2 (1) (2) |
| MA-3 | Maintenance Tools | Not Selected | MA-3 | MA-3 (1) (2) (3) |
| MA-4 | Remote Maintenance | MA-4 | MA-4 | MA-4 (1) (2) (3) |
| MA-5 | Maintenance Personnel | MA-5 | MA-5 | MA-5 |
| MA-6 | Timely Maintenance | Not Selected | MA-6 | MA-6 |
| MEDIA PROTECTION | | | | |
| MP-1 | Media Protection Policy and Procedures | MP-1 | MP-1 | MP-1 |
| MP-2 | Media Access | MP-2 | MP-2 | MP-2 (1) |
| MP-3 | Media Labeling | Not Selected | MP-3 | MP-3 |
| MP-4 | Media Storage | Not Selected | MP-4 | MP-4 |
| MP-5 | Media Transport | Not Selected | MP-5 | MP-5 |
| MP-6 | Media Sanitization | Not Selected | MP-6 | MP-6 |
| MP-7 | Media Destruction and Disposal | MP-7 | MP-7 | MP-7 |
| PHYSICAL AND ENVIRONMENTAL PROTECTION | | | | |
| PE-1 | Physical and Environmental Protection Policy and Procedures | PE-1 | PE-1 | PE-1 |
| PE-2 | Physical Access Authorization | PE-2 | PE-2 | PE-2 |
| PE-3 | Physical Access Control | PE-3 | PE-3 | PE-3 |
| PE-4 | Access Control for Transmission Medium | Not Selected | Not Selected | Not Selected |
| PE-5 | Access Control for Display Medium | Not Selected | PE-5 | PE-5 |
| PE-6 | Monitoring Physical Access | PE-6 | PE-6 (1) | PE-6 (1) (2) |
| PE-7 | Visitor Control | PE-7 | PE-7 (1) | PE-7 (1) |
| PE-8 | Access Logs | PE-8 | PE-8 (1) | PE-8 (1) |
| PE-9 | Power Equipment and Power Cabling | Not Selected | PE-9 | PE-9 |
| PE-10 | Emergency Shutoff | Not Selected | PE-9 | PE-9 |
| PE-11 | Emergency Power | Not Selected | PE-10 | PE-10 |
| PE-12 | Emergency Lighting | PE-12 | PE-12 | PE-12 |
| PE-13 | Fire Protection | PE-13 | PE-13 (1) | PE-13 (1) (2) |
| PE-14 | Temperature and Humidity Controls | PE-14 | PE-14 | PE-14 |
| PE-15 | Water Damage Protection | PE-15 | PE-15 | PE-15 (1) |
| PE-16 | Delivery and Removal | PE-16 | PE-16 | PE-16 |
| PE-17 | Alternate Work Site | Not Selected | PE-17 | PE-17 |
| PLANNING | | | | |
| PL-1 | Security Planning Policy and Procedures | PL-1 | PL-1 | PL-1 |
| PL-2 | System Security Plan | PL-2 | PL-2 | PL-2 |
| PL-3 | System Security Plan Update | PL-3 | PL-3 | PL-3 |
| PL-4 | Rules of Behavior | PL-4 | PL-4 | PL-4 |
| PL-5 | Privacy Impact Assessment | PL-5 | PL-5 | PL-5 |
| PERSONNEL SECURITY | | | | |
| PS-1 | Personnel Security Policy and Procedures | PS-1 | PS-1 | PS-1 |
| PS-2 | Position Categorization | PS-2 | PS-2 | PS-2 |
| PS-3 | Personnel Screening | PS-3 | PS-3 | PS-3 |
| PS-4 | Personnel Termination | PS-4 | PS-4 | PS-4 |
| PS-5 | Personnel Transfer | PS-5 | PS-5 | PS-5 |
| PS-6 | Access Agreements | PS-6 | PS-6 | PS-6 |
| PS-7 | Third-Party Personnel Security | PS-7 | PS-7 | PS-7 |
| PS-8 | Personnel Sanctions | PS-8 | PS-8 | PS-8 |
| RISK ASSESSMENT | | | | |
| RA-1 | Risk Assessment Policy and Procedures | RA-1 | RA-1 | RA-1 |
| RA-2 | Security Categorization | RA-2 | RA-2 | RA-2 |
| RA-3 | Risk Assessment | RA-3 | RA-3 | RA-3 |
| RA-4 | Risk Assessment Update | RA-4 | RA-4 | RA-4 |
| RA-5 | Vulnerability Scanning | Not Selected | RA-5 | RA-5 (1) (2) |
| SYSTEM AND SERVICES ACQUISITION | | | | |
| SA-1 | System and Services Acquisition Policy and Procedures | SA-1 | SA-1 | SA-1 |
| SA-2 | Allocation of Resources | SA-2 | SA-2 | SA-2 |
| SA-3 | Life Cycle Support | SA-3 | SA-3 | SA-3 |
| SA-4 | Acquisitions | SA-4 | SA-4 | SA-4 |
| SA-5 | Information Systems Documentation | SA-5 | SA-5 (1) | SA-5 (1) (2) |
| SA-6 | Software Usage Restrictions | SA-6 | SA-6 | SA-6 |
| SA-7 | User Installed Software | SA-7 | SA-7 | SA-7 |
| SA-8 | Security Design Principles | Not Selected | SA-8 | SA-8 |
| SA-9 | Outsourced Information System Services | SA-9 | SA-9 | SA-9 |
| SA-10 | Developer Configuration Management | Not Selected | Not Selected | SA-10 |
| SA-11 | Developer Security Testing | Not Selected | SA-11 | SA-11 |
| SYSTEM AND COMMUNICATIONS PROTECTION | | | | |
| SC-1 | System and Communications Protection Policy and Procedures | SC-1 | SC-1 | SC-1 |
| SC-2 | Application Partitioning | Not Selected | SC-2 | SC-2 |
| SC-3 | Security Function Isolation | Not Selected | Not Selected | SC-3 |
| SC-4 | Information Remnants | Not Selected | SC-4 | SC-4 |
| SC-5 | Denial of Service Protection | SC-5 | SC-5 | SC-5 |
| SC-6 | Resource Priority | Not Selected | SC-6 | SC-6 |
| SC-7 | Boundary Protection | SC-7 | SC-7 (1) | SC-7 (1) |
| SC-8 | Transmission Integrity | Not Selected | SC-8 | SC-8 (1) |
| SC-9 | Transmission Confidentiality | Not Selected | SC-9 | SC-9 (1) |
| SC-10 | Network Disconnect | Not Selected | SC-10 | SC-10 |
| SC-11 | Trusted Path | Not Selected | Not Selected | Not Selected |
| SC-12 | Cryptographic Key Establishment and Management | Not Selected | SC-12 | SC-12 |
| SC-13 | Use of Validated Cryptography | SC-13 | SC-13 | SC-13 |
| SC-14 | Public Access Protections | SC-14 | SC-14 | SC-14 |
| SC-15 | Collaborative Computing | Not Selected | SC-15 | SC-15 |
| SC-16 | Transmission of Security Parameters | Not Selected | Not Selected | Not Selected |
| SC-17 | Public Key Infrastructure Certificates | Not Selected | SC-17 | SC-17 |
| SC-18 | Mobile Code | Not Selected | SC-18 | SC-18 |
| SC-19 | Voice Over Internet Protocol | Not Selected | SC-19 | SC-19 |
| SYSTEMS AND INFORMATION INTEGRITY | | | | |
| SI-1 | Systems and Information Integrity Policy and Procedures | SI-1 | SI-1 | SI-1 |
| SI-2 | Flaw Remediation | SI-2 | SI-2 | SI-2 |
| SI-3 | Malicious Code Protection | SI-3 | SI-3 (1) | SI-3 (1) (2) |
| SI-4 | Intrusion Detection Tools and Techniques | Not Selected | SI-4 | SI-4 |
| SI-5 | Security Alerts and Advisories | SI-5 | SI-5 | SI-5 |
| SI-6 | Security Functionality Verification | Not Selected | SI-6 | SI-6 (1) |
| SI-7 | Software and Information Integrity | Not Selected | Not Selected | SI-7 |
| SI-8 | Spam and Spyware Protection | Not Selected | SI-8 | SI-8 (1) |
| SI-9 | Information Input Restrictions | Not Selected | SI-9 | SI-9 |
| SI-10 | Information Input Accuracy, Completeness, and Validity | Not Selected | SI-10 | SI-10 |
| SI-11 | Error Handling | Not Selected | SI-11 | SI-11 |
| SI-12 | Information Output Handling and Retention | Not Selected | SI-12 | SI-12 |
