Official UC blog

Legacy Re-Mapping NIST 800-53 R4 Changes

Written by Vicki M. | Dec 3, 2020 6:53:02 PM

Here is the list of the mapping changes that resulted from the re-mapping of legacy document NIST 800-53 R4.

  • Legacy Document: AD 1374, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated
  • Re-mapped Document: AD 3212, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4

There are two types of changes:

  1. The mandate of the citation maps to a different control.
    This occurs when a better control match is created after the original mapping. This is typically a result of newer control having been written since the initial mapping.
  2. The mandates of the citation map to additional controls.
    Prior mappings typically mapped one citation to one control. We now identify all the mandates in each citation and map each mandate to a control. You can see the color-coded mandates at research.unifiedcompliance.com.

Please note if there were no changes to the mapping, it is not in this table.

Legacy and New Control Mappings
Citation Legacy CC ID Legacy CC Name New CC ID New CC Name
CM-7(4)(b) 868 Establish and maintain a software accountability policy. 11780 Establish, implement, and maintain whitelists and blacklists of software.
CM-8(6) ¶ 1 8710 Establish and maintain a configuration change log. 862 Establish and maintain a current configuration baseline based on the least functionality principle.
8711 Document approved configuration deviations.
AC-3(9)(a) 544 Establish and maintain a Boundary Defense program. 6310 Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control.
AC-3(9)(b) 544 Establish and maintain a Boundary Defense program. 6310 Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control.
AC-3(10) ¶ 1 512 Establish, implement, and maintain access control policies. 645 Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system.
AC-4(15) ¶ 1 6763 Constrain the information flow of restricted data or restricted information. 6763 Constrain the information flow of restricted data or restricted information.
6761 Perform content filtering scans on network traffic.
AC-4(18) ¶ 1 4542 Establish and maintain information flow procedures. 6764 Associate records with their security attributes.
AC-16b. 6764 Associate records with their security attributes. 6764 Associate records with their security attributes.
968 Retain records in accordance with applicable requirements.
AC-16c. 6764 Associate records with their security attributes. 3 Interpret and apply security requirements based upon the information classification of the system.
AC-16d. 6764 Associate records with their security attributes. 1903 Apply security controls to each level of the information classification standard.
AC-16(6) ¶ 1 6764 Associate records with their security attributes. 12304 Document the roles and responsibilities for all activities that protect restricted data in the information security procedures.
AC-16(7) ¶ 1 6764 Associate records with their security attributes. 7184 Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy.
AC-16(9) ¶ 1 6764 Associate records with their security attributes. 13036 Establish and maintain records management systems, as necessary.
AC-16(10) ¶ 1 6765 Reconfigure the security attributes of records as the information changes. 11885 Assign information security responsibilities to interested personnel and affected parties in the information security program.
AC-16(1) ¶ 1 6765 Reconfigure the security attributes of records as the information changes. 6765 Reconfigure the security attributes of records as the information changes.
6764 Associate records with their security attributes.
AC-21(2) ¶ 1 6310 Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. 10010 Provide structures for searching for items stored in the Electronic Document and Records Management system.
AC-24(1) ¶ 1 4553 Enable access control for objects and users on each system. 1410 Establish, implement, and maintain information flow control policies inside the system and between interconnected systems.
AC-24(2) ¶ 1 4553 Enable access control for objects and users on each system. 11836 Include the objects and users subject to access control in the security policy.
AU-5b. 6290 Protect the event logs from failure. 10679 Shut down systems when an integrity violation is detected, as necessary.
14308 Overwrite the oldest records when audit logging fails.
1712 Configure the security parameters for all logs.
AU-5(3) ¶ 1 1619 Establish and maintain system capacity monitoring procedures. 1619 Establish and maintain system capacity monitoring procedures.
6883 Establish, implement, and maintain rate limiting filters.
AU-10(1)(a) 6764 Associate records with their security attributes. 12729 Assign an information owner to organizational assets, as necessary.
AU-10(1)(b) 6764 Associate records with their security attributes. 920 Establish and maintain data input and data access authorization tracking.
AU-10(2)(a) 6764 Associate records with their security attributes. 920 Establish and maintain data input and data access authorization tracking.
AU-10(3) ¶ 1 567 Implement non-repudiation for transactions. 13203 Validate transactions using identifiers and credentials.
AU-13 Control 10419 Search the Internet for evidence of data leakage. 10419 Search the Internet for evidence of data leakage.
10593 Review monitored websites for data leakage.
CA-8(2) ¶ 1 1277 Perform network-layer penetration testing on all systems, as necessary. 12131 Conduct Red Team exercises, as necessary.
PE-18(1) ¶ 1 6351 Define selection criteria for facility locations. 6351 Define selection criteria for facility locations.
6479 Employ risk assessment procedures that take into account the target environment.
PE-20a. 10626 Attach asset location technologies to distributed Information Technology assets. 10626 Attach asset location technologies to distributed Information Technology assets.
11684 Monitor the location of distributed Information Technology assets.
CM-3(3) ¶ 1 2130 Create a Configuration Baseline Documentation Record before promoting the system to a production environment. 12103 Review and update Configuration Baseline Documentation Records, as necessary.
12503 Apply configuration standards to all systems, as necessary.
CM-5(4) ¶ 1 11776 Implement changes according to the change control program. 11776 Implement changes according to the change control program.
887 Manage change requests.
CM-6a. 2132 Establish and maintain an accurate Configuration Management Database with accessible reporting capabilities. 11953 Establish and maintain configuration standards for all systems based upon industry best practices.
CM-7(3) ¶ 1 537 Include a protocols, ports, applications, and services list in the firewall and router configuration standard. 12547 Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard.
CP-2(6) ¶ 1 742 Designate an alternate facility in the continuity plan. 744 Prepare the alternate facility for an emergency offsite relocation.
1169 Include restoration procedures in the continuity plan.
CP-2(7) ¶ 1 1386 Coordinate continuity planning with other business units responsible for related continuity plans. 13242 Coordinate and incorporate supply chain members' continuity plans, as necessary.
CP-4(3) ¶ 1 1389 Automate the off-site testing to more thoroughly test the continuity plan. 755 Test the continuity plan, as necessary.
CP-11 Control 1294 Include Wide Area Network continuity procedures in the continuity plan. 750 Include emergency communications procedures in the continuity plan.
CP-8(5) ¶ 1 755 Test the continuity plan, as necessary. 12777 Validate the emergency communications procedures during continuity plan tests.
IA-2(6) ¶ 1 561 Implement two-factor authentication techniques. 561 Implement two-factor authentication techniques.
6836 Establish and maintain a register of approved third parties, technologies and tools.
IA-2(7) ¶ 1 561 Implement two-factor authentication techniques. 561 Implement two-factor authentication techniques.
6836 Establish and maintain a register of approved third parties, technologies and tools.
IA-2(10) ¶ 1 11841 Include digital identification procedures in the access control program. 553 Enable logon authentication management techniques.
 IA-4 Control 0 UCF CE List 515 Control the addition and modification of user identifiers, user credentials, or other object identifiers.
IA-4(2) ¶ 1 515 Control the addition and modification of user identifiers, user credentials, or other object identifiers. 515 Control the addition and modification of user identifiers, user credentials, or other object identifiers.
6641 Review and approve logical access to all assets based upon organizational policies.
IA-4(6) ¶ 1 515 Control the addition and modification of user identifiers, user credentials, or other object identifiers. 12201 Provide identification mechanisms for the organization's supply chain members.
IA-4(7) ¶ 1 8712 Require multiple forms of personal identification prior to issuing user IDs. 13750 Support the identity proofing process through in-person proofing or remote proofing.
IA-9 Control 513 Establish and maintain an access rights management plan. 14053 Establish, implement, and maintain identification and authentication procedures.
IA-9(1) ¶ 1 1429 Require the system to identify and authenticate approved devices before establishing a connection to restricted data. 14227 Include coordination amongst entities in the identification and authentication policy.
IA-9(2) ¶ 1 1429 Require the system to identify and authenticate approved devices before establishing a connection to restricted data. 14053 Establish, implement, and maintain identification and authentication procedures.
IR-3(1) ¶ 1 6752 Use automated mechanisms in the training environment, where appropriate. 1216 Test the incident response procedures.
IR-4(10) ¶ 1 1212 Share incident information with interested personnel and affected parties. 13196 Coordinate incident response activities with interested personnel and affected parties.
MA-4(4) ¶ 1 0 UCF CE List 1433 Control remote maintenance according to the system's asset classification.
MA-4(7) ¶ 1 4262 Activate third party maintenance accounts and user identifiers, as necessary. 12083 Terminate remote maintenance sessions when the remote maintenance is complete.
MA-5(4)(b) 1434 Conduct maintenance with authorized personnel. 11873 Control granting access to third parties performing maintenance on organizational assets.
6509 Include a description of the product or service to be provided in third party contracts.
MP-4a. 11664 Physically secure all electronic storage media that store restricted data or restricted information. 11664 Physically secure all electronic storage media that store restricted data or restricted information.
965 Control the storage of restricted storage media.
MP-4(2) ¶ 1 371 Establish and maintain access controls for all records. 12462 Authorize physical access to sensitive areas based on job functions.
6797 Monitor for unauthorized physical access at physical entry points.
12080 Establish and maintain a physical access log.
PE-2(2) ¶ 1 713 Establish and maintain physical identification procedures. 6701 Check the visitor's stated identity against a provided government issued identification.
PE-3(2) ¶ 1 1441 Control the delivery of assets through physical entry points and physical exit points. 11681 Control the removal of assets through physical entry points and physical exit points.
PE-3(3) ¶ 1 6653 Employ security guards to provide physical security, as necessary. 6653 Employ security guards to provide physical security, as necessary.
11669 Maintain all security alarm systems.
PE-5(1)(b) 926 Establish, implement, and maintain document handling procedures for paper documents. 11656 Establish and maintain document security requirements for the output of records.
PE-5(2)(a) 926 Establish, implement, and maintain document handling procedures for paper documents. 371 Establish and maintain access controls for all records.
PE-5(2)(b) 926 Establish, implement, and maintain document handling procedures for paper documents. 372 Provide audit trails for all pertinent records.
PL-9 Control 6328 Adhere to operating procedures as defined in the Standard Operating Procedures Manual. 12415 Establish and maintain a baseline of internal controls.
RA-3b. 6481 Include the results of the risk assessment in the risk assessment report. 6481 Include the results of the risk assessment in the risk assessment report.
6481 Include the results of the risk assessment in the risk assessment report. 11978 Include risk assessment results in the risk treatment plan.
6481 Include the results of the risk assessment in the risk assessment report.
SA-4(3) ¶ 1 1447 Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets. 1447 Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets.
1124 Include security requirements in system acquisition contracts.
14256 Include a description of the development environment and operational environment in system acquisition contracts.
1100 Perform Quality Management on all newly developed or modified systems.
SA-4(5)(b) 1446 Provide a Configuration Management plan by the Information System developer for all newly acquired information technology assets. 12503 Apply configuration standards to all systems, as necessary.
SA-4(6)(a) 1133 Establish, implement, and maintain a product and services acquisition strategy. 6836 Establish and maintain a register of approved third parties, technologies and tools.
SA-11(3)(b) 11638 Assign vulnerability scanning to qualified personnel or external third parties. 11638 Assign vulnerability scanning to qualified personnel or external third parties.
12186 Grant access to authorized personnel.
SA-11(7) ¶ 1 1100 Perform Quality Management on all newly developed or modified systems. 1447 Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets.
SA-12(5) ¶ 1 8808 Establish, implement, and maintain a supply chain management policy. 8811 Include risk management procedures in the supply chain management policy.
SA-12(7) ¶ 1 1135 Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. 1129 Conduct an acquisition feasibility study prior to acquiring Information Technology assets.
1144  Establish, implement, and maintain facilities, assets, and services acceptance procedures.
12218 Establish and maintain product update procedures.
SA-12(11) ¶ 1 8811 Include risk management procedures in the supply chain management policy. 8854 Conduct all parts of the supply chain due diligence process.
8861 Assign the appropriate individuals or groups to oversee and support supply chain due diligence.
655 Perform penetration tests, as necessary.
SA-12(8) ¶ 1 8811 Include risk management procedures in the supply chain management policy. 8854 Conduct all parts of the supply chain due diligence process.
SA-12(9) ¶ 1 8818 Use third parties that are compliant with the applicable requirements. 13109 Establish and maintain information security controls for the supply chain.
SA-12(13) ¶ 1 1435 Perform periodic maintenance according to organizational standards. 6388 Maintain contact with the device manufacturer or component manufacturer for maintenance requests.
SA-12(14) ¶ 1 8958 Include a unique reference identifier on products for sale. 8958 Include a unique reference identifier on products for sale.
968 Retain records in accordance with applicable requirements.
SA-12(15) ¶ 1 8810 Include a clear management process in the supply chain management policy. 8815 Implement measurable improvement plans with all third parties.
SA-13b. 1124 Include security requirements in system acquisition contracts. 1125 Include security controls in system acquisition contracts.
SA-15(1)(b) 8667 Include measurable system performance requirements in the system design specification. 1100 Perform Quality Management on all newly developed or modified systems.
SA-15(2) ¶ 1 1096 Supervise and monitor outsourced development projects. 14307 Require the information system developer to create a continuous monitoring plan.
SA-15(4) ¶ 1 0 UCF CE List 6829 Include threat models in the system design specification.
11828 Perform vulnerability assessments, as necessary.
SA-15(7)(a) 11637 Perform vulnerability scans, as necessary. 11637 Perform vulnerability scans, as necessary.
SA-15(7)(b) 11744 Establish and maintain system testing procedures. 11940 Rank discovered vulnerabilities.
SA-15(7)(c) 6910 Change the scope, definition, and work breakdown of the system development project after corrective actions are taken. 6909 Initiate preventive actions to achieve the system development project's goals and outputs.
SA-15(7)(d) 4881 Recommend mitigation techniques based on penetration test results. 11639 Recommend mitigation techniques based on vulnerability scan reports.
SA-15(8) ¶ 1 11637 Perform vulnerability scans, as necessary. 6829 Include threat models in the system design specification.
1000 Perform a risk assessment for each system development project.
SA-15(9) ¶ 1 1103 Restrict production data from being used in the test environment. 11744 Establish and maintain system testing procedures.
6609 Document the procedures and environment used to create the system or software.
1103 Restrict production data from being used in the test environment.
SA-15(10) ¶ 1 588 Include intrusion detection procedures in the Incident Management program. 12056 Establish and maintain an incident response plan.
SA-17(2)(a) 4558 Establish, implement, and maintain a system implementation representation document. 8666 Include hardware requirements in the system design specification.
8664 Include supporting software requirements in the system design specification.
SA-17(3)(c) 4556 Include all confidentiality, integrity, and availability functions in the system design specification. 4559 Include the relationships and dependencies between modules in the system design specification.
SA-17(3)(e) 4556 Include all confidentiality, integrity, and availability functions in the system design specification. 11734 Include a description of each module and asset in the system design specification.
SA-17(4)(c) 4556 Include all confidentiality, integrity, and availability functions in the system design specification. 4559 Include the relationships and dependencies between modules in the system design specification.
SA-17(4)(d) 4556 Include all confidentiality, integrity, and availability functions in the system design specification. 4559 Include the relationships and dependencies between modules in the system design specification.
SA-17(4)(e) 4556 Include all confidentiality, integrity, and availability functions in the system design specification. 11734 Include a description of each module and asset in the system design specification.
SA-17(6) 11744 Establish and maintain system testing procedures. 1101 Establish and maintain a system testing program for all system development projects.
SA-19a. 10641 Establish and maintain an anti-counterfeit program for acquiring new systems. 10641 Establish and maintain an anti-counterfeit program for acquiring new systems.
10643 Scan for potential counterfeit parts and potential counterfeit components.
11510 Seize counterfeit products.
SA-19b. 10642 Create and distribute a counterfeit product report. 11494 Disseminate and communicate the counterfeit product report to the supplier.
10642 Create and distribute a counterfeit product report. 11490 Disseminate and communicate the counterfeit product report to appropriate law enforcement authorities.
10642 Create and distribute a counterfeit product report. 10642 Create and distribute a counterfeit product report.
SA-19(2) ¶ 1 863 Establish and maintain configuration control and Configuration Status Accounting for each system. 863 Establish and maintain configuration control and Configuration Status Accounting for each system.
863 Establish and maintain configuration control and Configuration Status Accounting for each system.
SA-21a. 6507 Include compliance with the organization's access policy as a requirement in third party contracts. 12186 Grant access to authorized personnel.
SA-21b. 790 Include third party requirements for personnel security in third party contracts. 11700 Establish and maintain personnel screening procedures.
SA-21(1) ¶ 1 790 Include third party requirements for personnel security in third party contracts. 11663 Establish, implement, and maintain access control procedures.
11700 Establish and maintain personnel screening procedures.
SA-22b. 10645 Obtain justification for the continued use of system components when third party support is no longer available. 10645 Obtain justification for the continued use of system components when third party support is no longer available.
912 Capture the records required by organizational compliance requirements.
SA-22(1) ¶ 1 6389 Plan and conduct maintenance so that it does not interfere with scheduled operations. 1435 Perform periodic maintenance according to organizational standards.
SA-15(4)(b) 11637 Perform vulnerability scans, as necessary. 14282 Implement scanning tools, as necessary.
11828 Perform vulnerability assessments, as necessary.
SC-3(1) ¶ 1 11858 Separate user functionality from system management functionality. 12254 Design the hardware security module to enforce the separation between applications.
SC-3(3) ¶ 1 6767 Separate processing domains to segregate user privileges and enhance information flow control. 11858 Separate user functionality from system management functionality.
SC-3(5) ¶ 1 6767 Separate processing domains to segregate user privileges and enhance information flow control. 6767 Separate processing domains to segregate user privileges and enhance information flow control.
6767 Separate processing domains to segregate user privileges and enhance information flow control.
11843 Implement segregation of duties.
SC-5(3)(b) 11752 Establish and maintain system performance monitoring procedures. 1619 Establish and maintain system capacity monitoring procedures.
SC-7(9)(a) 1295 Restrict outbound network traffic from systems that contain restricted data or restricted information. 1295 Restrict outbound network traffic from systems that contain restricted data or restricted information.
6761 Perform content filtering scans on network traffic.
SC-7(14) ¶ 1 11852 Deny network access to rogue devices until network access approval has been received. 718 Establish and maintain physical security controls for distributed Information Technology assets.
SC-7(15) ¶ 1 11842 Manage all external network connections. 1421 Control remote access through a network access control.
SC-7(17) ¶ 1 544 Establish and maintain a Boundary Defense program. 11845 Include configuration management and rulesets in the network access control standard.
SC-16(1) ¶ 1 6764 Associate records with their security attributes. 923 Establish and maintain data processing integrity controls.
SC-18(1) ¶ 1 574 Establish, implement, and maintain a malicious code protection program. 10034 Monitor systems for unauthorized mobile code.
13691 Remove malware when malicious code is discovered.
SC-18(2) ¶ 1 1136 Establish, implement, and maintain a product and services acquisition program. 1138 Establish, implement, and maintain a software product acquisition methodology.
1094 Develop systems in accordance with the system design specifications and system design standards.
1355 Include asset use policies in the Acceptable Use Policy.
SC-18(3) ¶ 1 4576 Restrict downloading to reduce malicious code attacks. 4576 Restrict downloading to reduce malicious code attacks.
11081 Configure the "Prevent launch an application" setting to organizational standards.
SC-18(4) ¶ 1 10034 Monitor systems for unauthorized mobile code. 11081 Configure the "Prevent launch an application" setting to organizational standards.
10034 Monitor systems for unauthorized mobile code.
SC-23(3) ¶ 1 7074 Use randomly generated session identifiers. 7074 Use randomly generated session identifiers.
4553 Enable access control for objects and users on each system.
SC-25 Control 882 Remove all unnecessary functionality. 882 Remove all unnecessary functionality.
7599 Configure Least Functionality and Least Privilege settings to organizational standards.
SC-27 Control 0 UCF CE List 895 Establish and maintain software asset management procedures.
SC-28(2) ¶ 1 951 Establish and maintain a records lifecycle management program. 968 Retain records in accordance with applicable requirements.
SC-29 Control 1046 Identify system design strategies. 1115 Manage the system implementation process.
SC-30(3) ¶ 1 10651 Change the locations of processing facilities at random intervals. 10651 Change the locations of processing facilities at random intervals.
10661 Change the locations of storage facilities at random intervals.
SC-30(5) ¶ 1 582 Determine if honeypots should be installed, and if so, where the honeypots should be placed. 7110 Establish, implement, and maintain virtualization configuration settings.
SC-31(3) ¶ 1 10655 Reduce the maximum bandwidth of covert channels. 10653 Estimate the maximum bandwidth of any covert channels.
SC-34(2) ¶ 1 946 Implement electronic storage media integrity controls. 946 Implement electronic storage media integrity controls.
969 Maintain continued integrity for all stored data and stored records.
SC-37 Control 10665 Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. 10665 Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary.
1441 Control the delivery of assets through physical entry points and physical exit points.
SC-38 Control 6491 Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. 13479 Protect confidential information during the system development life cycle program.
SC-40(3) ¶ 1 6078 Configure wireless communication to be encrypted using strong cryptography. 11623 Scan wireless networks for rogue devices.
11852 Deny network access to rogue devices until network access approval has been received.
SC-42a. 10666 Prohibit the remote activation of environmental sensors on mobile devices. 10666 Prohibit the remote activation of environmental sensors on mobile devices.
10667 Configure environmental sensors on mobile devices.
SC-43a. 1350 Establish and maintain an Acceptable Use Policy. 1350 Establish and maintain an Acceptable Use Policy.
1111 Establish and maintain a system implementation standard.
SC-43b. 1351 Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. 1351 Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy.
585 Monitor systems for inappropriate usage and other security violations.
11665 Control user privileges.
SC-8 Control 564 Use strong data encryption to transmit restricted data or restricted information over public networks. 11859 Protect data from unauthorized disclosure while transmitting between separate parts of the system.
4554 Protect data from modification or loss while transmitting between separate parts of the system.
SC-13 Control 4546 Establish, implement, and maintain an encryption management and cryptographic controls policy. 570 Manage the use of encryption controls and cryptographic controls.
12491 Employ only secure versions of cryptographic controls.
SI-3(6)(b) 661 Create specific test plans to test each system component. 11901 Test security systems and associated security procedures, as necessary.
11901 Test security systems and associated security procedures, as necessary.
SI-3(8) ¶ 1 585 Monitor systems for inappropriate usage and other security violations. 585 Monitor systems for inappropriate usage and other security violations.
12045 Alert interested personnel and affected parties when an unauthorized modification to critical files is detected.
645 Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system.
558 Enforce privileged accounts and non-privileged accounts for system access.
SI-3(9) ¶ 1 562 Protect remote access accounts with encryption. 559 Control all methods of remote access and teleworking.
SI-3(10)(b) 10673 Incorporate the malicious code analysis into the patch management program. 10673 Incorporate the malicious code analysis into the patch management program.
14016 Communicate threat intelligence to interested personnel and affected parties.
SI-4(7) ¶ 1 6430 Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. 6430 Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System.
6942 Respond to and triage when a security incident is detected.
SI-4(9) ¶ 1 1216 Test the incident response procedures. 11901 Test security systems and associated security procedures, as necessary.
SI-4(13)(b) 596 Review and update event logs and audit logs, as necessary. 643 Include a standard to collect and interpret event logs in the event logging procedures.
SI-4(17) ¶ 1 596 Review and update event logs and audit logs, as necessary. 1424 Compile the event logs of multiple components into a system-wide time-correlated audit trail.
SI-7(8) ¶ 1 6332 Configure all logs to capture auditable events or actionable events. 640 Enable logging for all systems that meet a traceability criteria.
1337 Configure the log to send alerts for each auditable events success or failure. 6332 Configure all logs to capture auditable events or actionable events.
1337 Configure the log to send alerts for each auditable events success or failure. 1337 Configure the log to send alerts for each auditable events success or failure.
1552 Enable and configure auditing operations and logging operations, as necessary. 1337 Configure the log to send alerts for each auditable events success or failure.
10678 Automatically respond when an integrity violation is detected.
SI-7(9) ¶ 1 1905 Establish and maintain the systems' availability level. 1906 Establish and maintain the systems' integrity level.
SI-7(10) ¶ 1 1905 Establish and maintain the systems' availability level. 1909 Define integrity controls.
SI-7(11) ¶ 1 868 Establish and maintain a software accountability policy. 6749 Include a software installation policy in the Acceptable Use Policy.
SI-7(12) ¶ 1 868 Establish and maintain a software accountability policy. 6749 Include a software installation policy in the Acceptable Use Policy.
SI-7(13) ¶ 1 6551 Establish and maintain a virtual environment and shared resources security program. 10648 Execute permitted mobile code in confined virtual machine environments.
6749 Include a software installation policy in the Acceptable Use Policy.
SI-10(1)(b) 924 Establish and maintain Automated Data Processing validation checks and editing checks. 558 Enforce privileged accounts and non-privileged accounts for system access.
SI-10(1)(c) 6332 Configure all logs to capture auditable events or actionable events. 645 Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system.
SI-13(1) ¶ 1 1256 Reconfigure restored systems to meet the Recovery Point Objectives. 6276 Establish, implement, and maintain a system redeployment program.
SI-13(3) ¶ 1 1256 Reconfigure restored systems to meet the Recovery Point Objectives. 13476 Restore systems and environments to be operational.
SI-13(4)(a) 1256 Reconfigure restored systems to meet the Recovery Point Objectives. 11693 Reconfigure restored systems to meet the Recovery Time Objectives.
SI-13(4)(b) 4544 Monitor systems for errors and faults. 10678 Automatically respond when an integrity violation is detected.
10679 Shut down systems when an integrity violation is detected, as necessary.
SI-14(1) ¶ 1 4890 Establish and maintain a core supply inventory required to support critical business functions. 6836 Establish and maintain a register of approved third parties, technologies and tools.
SI-4a. 0 UCF CE List 585 Monitor systems for inappropriate usage and other security violations.
SI-6d. 1206 Establish and maintain incident response procedures. 10679 Shut down systems when an integrity violation is detected, as necessary.
10680 Restart systems when an integrity violation is detected, as necessary.
SI-13b. 1256 Reconfigure restored systems to meet the Recovery Point Objectives. 11693 Reconfigure restored systems to meet the Recovery Time Objectives.
13476 Restore systems and environments to be operational.
SI-15 Control 930 Establish and maintain paper document integrity requirements for the output of records. 6627 Perform regularly scheduled quality and integrity control reviews of output of records.
PM-1a. 0 UCF CE List 812 Establish and maintain an information security program.
815 Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties.
PM-1a.1. 820 Establish and maintain an internal control framework. 11740 Establish and maintain an information security policy.
820 Establish and maintain an internal control framework.
PM-1a.2. 820 Establish and maintain an internal control framework. 11885 Assign information security responsibilities to interested personnel and affected parties in the information security program.
11999 Provide management direction and support for the information security program.
12294 Describe the group activities that protect restricted data in the information security procedures.
6384 Comply with all implemented policies in the organization's compliance framework.
PM-1a.3. 815 Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. 812 Establish and maintain an information security program.
PM-1a.4. 815 Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. 11737 Approve the information security policy at the organization's management level or higher.
PM-3a. 6279 Establish, implement, and maintain a Capital Planning and Investment Control policy. 6279 Establish, implement, and maintain a Capital Planning and Investment Control policy.
1630 Document compliance exceptions, as necessary.
PM-3b. 6279 Establish, implement, and maintain a Capital Planning and Investment Control policy. 6846 Document the business case and return on investment in each Information Technology project plan.
PM-4a.2. 6777 Implement a corrective action plan in response to the audit report. 705 Document and communicate a corrective action plan based on the risk assessment findings.
PM-4a.3. 6777 Implement a corrective action plan in response to the audit report. 705 Document and communicate a corrective action plan based on the risk assessment findings.
PM-4b. 675 Create a corrective action plan to correct control deficiencies identified in an audit. 11645 Include monitoring in the corrective action plan.
PM-6 671 Establish and maintain a compliance monitoring policy. 671 Establish and maintain a compliance monitoring policy.
12857 Monitor the performance of the governance, risk, and compliance capability.
676 Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary.
PM-8 710 Establish and maintain facility maintenance procedures. 6486 Take into account the need for protecting information confidentiality during infrastructure planning.
PM-9a. 685 Establish and maintain the risk assessment framework. 13209 Establish and maintain risk management strategies, as necessary.
PM-9b. 6446 Establish, implement, and maintain risk assessment procedures. 13661 Integrate the risk management program with the organization's business activities.
PM-9c. 6460 Review the risk assessment procedures, as necessary. 13049 Review and update the risk management program, as necessary.
PM-10a. 7109 Approve the results of the risk assessment as documented in the risk assessment report. 12004 Review systems for compliance with organizational information security policies.
711 Establish and maintain a facility physical security program.
PM-10c. 6446 Establish, implement, and maintain risk assessment procedures. 14228 Review and update the security assessment and authorization procedures, as necessary.
PM-11a. 6495 Address Information Security during the business planning processes. 6495 Address Information Security during the business planning processes.
698 Include the risks to the organization's critical personnel and assets in the threat and risk classification scheme.
PM-11b. 704 Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. 12155 Observe processes to determine the effectiveness of in scope controls.
675 Create a corrective action plan to correct control deficiencies identified in an audit.
PM-13 Control 785 Train all personnel and third parties, as necessary. 828 Establish and implement training plans.
PM-14a.1. 1406 Establish, implement, and maintain a Governance, Risk, and Compliance framework. 654 Establish, implement, and maintain a testing program.
828 Establish and implement training plans.
637 Establish, implement, and maintain logging and monitoring operations.
PM-14a.2. 1406 Establish, implement, and maintain a Governance, Risk, and Compliance framework. 818 Implement and comply with the Governance, Risk, and Compliance framework.
PM-14b. 817 Review and update the Governance, Risk, and Compliance framework, as necessary. 654 Establish, implement, and maintain a testing program.
828 Establish and implement training plans.
637 Establish, implement, and maintain logging and monitoring operations.
PM-15a. 11732 Share relevant security information with Special Interest Groups, as necessary. 2217 Tailor training to meet published guidance on the subject being taught.
PM-15b. 11732 Share relevant security information with Special Interest Groups, as necessary. 6489 Include security information sharing procedures in the internal control framework.
PM-16 6494 Monitor the organization's exposure to threats, as necessary. 6494 Monitor the organization's exposure to threats, as necessary.
6489 Include security information sharing procedures in the internal control framework.
PM-1b. 1348 Review the internal control framework, as necessary. 12744 Monitor and review the effectiveness of the information security program.
PM-1c. 1348 Review the internal control framework, as necessary. 817 Review and update the Governance, Risk, and Compliance framework, as necessary.
13501 Correct errors and deficiencies in a timely manner.
AP-1 Control 6487 Establish and maintain a personal data collection program. 103 Document the law that requires personal data to be collected.
AP-2 Control 6281 Establish, implement, and maintain a privacy policy. 406 Include the processing purpose in the privacy policy.
AR-1b. 7113 Establish and maintain a list of compliance documents. 604 Monitor regulatory trends to maintain compliance.
AR-1d. 6281 Establish, implement, and maintain a privacy policy. 11850 Establish and maintain a privacy framework that protects restricted data.
AR-1e. 6281 Establish, implement, and maintain a privacy policy. 11850 Establish and maintain a privacy framework that protects restricted data.
13346 Disseminate and communicate the privacy policy, as necessary.
AR-2b. 357 Conduct personal data risk assessments. 13712 Establish, implement, and maintain a privacy impact assessment.
AR-3a. 11610 Include text about access, use, disclosure, and transfer of data or information in third party contracts. 11610 Include text about access, use, disclosure, and transfer of data or information in third party contracts.
1364 Include third party acknowledgement of their data protection responsibilities in third party contracts.
AR-5a. 828 Establish and implement training plans. 828 Establish and implement training plans.
12868 Update training plans, as necessary.
AR-5b. 6664 Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. 785 Train all personnel and third parties, as necessary.
6674 Tailor training to be taught at each person's level of responsibility.
AR-6 Control 383 Register with public bodies and notify the Data Commissioner before processing personal data. 383 Register with public bodies and notify the Data Commissioner before processing personal data.
7029 Include the organization's privacy practices in the audit report.
AR-8a. 372 Provide audit trails for all pertinent records. 13022 Establish and maintain a disclosure accounting record.
AR-8a.(1) 7133 Include the disclosure date in the disclosure accounting record. 7133 Include the disclosure date in the disclosure accounting record.
7135 Include the disclosure purpose in the disclosure accounting record. 7135 Include the disclosure purpose in the disclosure accounting record.
4680 Include what information was disclosed and to whom in the disclosure accounting record.
AR-8a.(2) 4680 Include what information was disclosed and to whom in the disclosure accounting record. 7134 Include the disclosure recipient in the disclosure accounting record.
AR-8b. 167 Establish and maintain personal data retention procedures. 968 Retain records in accordance with applicable requirements.
DI-1a. 88 Check the accuracy of personal data. 88 Check the accuracy of personal data.
90 Check that personal data is complete. 90 Check that personal data is complete.
11831 Use personal data for specified purposes.
91 Keep personal data up-to-date and valid.
DI-1c. 88 Check the accuracy of personal data. 88 Check the accuracy of personal data.
462 Change or destroy any personal data that is incorrect.
DI-1(1) ¶ 1 89 Record personal data correctly. 13187 Establish and maintain customer data authentication procedures.
DI-2a. 88 Check the accuracy of personal data. 923 Establish and maintain data processing integrity controls.
DI-2b. 843 Review and approve all Service Level Agreements. 806 Establish and maintain high level operational roles and responsibilities.
DI-2(1) ¶ 1 375 Establish, implement, and maintain a personal data transparency program. 379 Publish a description of activities about processing personal data in an official register.
DM-1a. 27 Collect and record personal data for specific, explicit, and legitimate purposes. 78 Collect the minimum amount of personal data necessary.
DM-1b. 27 Collect and record personal data for specific, explicit, and legitimate purposes. 78 Collect the minimum amount of personal data necessary.
167 Establish and maintain personal data retention procedures.
DM-1c. 11756 Establish and maintain data handling procedures. 507 Establish and maintain personal data collection limitation boundaries.
13428 Establish and maintain a personal data use limitation program.
DM-1(1) ¶ 1 7126 Establish, implement, and maintain de-identifying and re-identifying procedures. 13498 Establish, implement, and maintain personal data disposition procedures.
7126 Establish, implement, and maintain de-identifying and re-identifying procedures.
DM-2b. 125 Dispose of media and personal data in a timely manner. 125 Dispose of media and personal data in a timely manner.
7126 Establish, implement, and maintain de-identifying and re-identifying procedures.
DM-2c. 125 Dispose of media and personal data in a timely manner. 13498 Establish, implement, and maintain personal data disposition procedures.
DM-2(1) ¶ 1 167 Establish and maintain personal data retention procedures. 11890 Configure the log to capture creates, reads, updates, or deletes of records containing personal data.
11890 Configure the log to capture creates, reads, updates, or deletes of records containing personal data.
DM-3b. 96 Refrain from using personal data collected for research and statistics for other purposes. 13606 Implement security measures to protect personal data.
DM-3(1) ¶ 1 96 Refrain from using personal data collected for research and statistics for other purposes. 13606 Implement security measures to protect personal data.
IP-2d. 103 Document the law that requires personal data to be collected. 4794 Follow legal obligations while processing personal data.
IP-3b. 467 Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. 467 Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections.
463 Notify the data subject of changes made to personal data as the result of a dispute.
SE-1b. 689 Establish and maintain an Information Technology inventory with asset discovery audit trails. 6631 Establish, implement, and maintain an asset inventory.
SE-2a. 588 Include intrusion detection procedures in the Incident Management program. 12056 Establish and maintain an incident response plan.
SE-2b. 364 Include data loss event notifications in the Incident Response program. 6942 Respond to and triage when a security incident is detected.
TR-1a.(i) 393 Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. 379 Publish a description of activities about processing personal data in an official register.
101 Post the collection purpose.
397 Provide the data subject with a description of the type of information held by the organization and a general account of its use.
399 Provide the data subject with what personal data is made available to related organizations or subsidiaries.
12585 Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data.
393 Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.
12587 Provide the data subject with the data retention period for personal data.
TR-1a.(ii) 393 Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. 103 Document the law that requires personal data to be collected.
AC-6(6) 2 Include business security requirements in the access classification scheme. 558 Enforce privileged accounts and non-privileged accounts for system access.
AR-8c. 399 Provide the data subject with what personal data is made available to related organizations or subsidiaries. 14433 Provide the data subject with a copy of the disclosure accounting record.
TR-1a.(iii) 393 Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. 406 Include the processing purpose in the privacy policy.
13111 Include the consequences of refusing to provide required information in the privacy policy.
TR-1a.(iv) 396 Provide the data subject with the means of gaining access to personal data held by the organization. 396 Provide the data subject with the means of gaining access to personal data held by the organization.
457 Notify individuals of their right to challenge personal data.
TR-1b.(i) 6487 Establish and maintain a personal data collection program. 397 Provide the data subject with a description of the type of information held by the organization and a general account of its use.
101 Post the collection purpose.
TR-1b.(ii) N/A N/A 397 Provide the data subject with a description of the type of information held by the organization and a general account of its use.
TR-1b.(iii) 409 Include other organizations that personal data is being disclosed to in the privacy policy. 409 Include other organizations that personal data is being disclosed to in the privacy policy.
13459 Include the types of third parties to which personal data is disclosed in the privacy notice.
399 Provide the data subject with what personal data is made available to related organizations or subsidiaries.
TR-1b.(iv) 30 Collect personal data when an individual gives consent. 13503 Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice.
469 Give individuals the ability to change the uses of their personal data.
TR-1b.(vi) 353 Establish, implement, and maintain data handling policies. 12585 Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data.
TR-1c. 6281 Establish, implement, and maintain a privacy policy. 13474 Update and redeliver privacy notices, as necessary.
TR-1(1) ¶ 1 95 Notify the data subject of the collection purpose. 132 Notify the data subject before personal data is collected, used, or disclosed.
TR-2c. N/A N/A 13444 Deliver privacy notices to data subjects, as necessary.
TR-2(1) ¶ 1 375 Establish, implement, and maintain a personal data transparency program. 379 Publish a description of activities about processing personal data in an official register.
TR-3a. 394 Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. 379 Publish a description of activities about processing personal data in an official register.
394 Provide the data subject with the name, title, and address of the individual accountable for the organizational policies.
UL-2a. 93 Establish, implement, and maintain a personal data use purpose specification. 133 Establish and maintain personal data disclosure procedures.
UL-2b. 6518 Include compliance with the organization's privacy policy in third party contracts. 6510 Include a description of the data or information to be covered in third party contracts.
838 Establish and maintain Service Level Agreements with the organization's supply chain. 11610 Include text about access, use, disclosure, and transfer of data or information in third party contracts.
UL-2c. 785 Train all personnel and third parties, as necessary. 12971 Monitor systems for unauthorized data transfers.
296 Include disciplinary actions in the Acceptable Use Policy. 12679 Include the stipulation of allowing auditing for compliance in the Data Processing Contract.
13757 Conduct personal data processing training.
11747 Establish and maintain consequences for non-compliance with the organizational compliance framework.
PM-15c. 1358 Include continuous security warning monitoring procedures in the internal control framework. 11732 Share relevant security information with Special Interest Groups, as necessary.
CP-8(4)(c) 1365 Review all third party's continuity plan test results. 1365 Review all third party's continuity plan test results.
1423 Document all training in a training record.
SC-7(4)(e) 1632 Review the compliance exceptions in the exceptions document, as necessary. 1632 Review the compliance exceptions in the exceptions document, as necessary.
882 Remove all unnecessary functionality.
CP-9(6) ¶ 1 1250 Include technical preparation considerations for backup operations in the continuity plan. 742 Designate an alternate facility in the continuity plan.
SC-8(2) ¶ 1 812 Establish and maintain an information security program. 356 Limit data leakage.
923 Establish and maintain data processing integrity controls.
SI-2(6) ¶ 1 10671 Remove outdated computer firmware after the computer firmware has been updated. 10671 Remove outdated computer firmware after the computer firmware has been updated.
11792 Remove outdated software after software has been updated.
AU-5(4) ¶ 1 6290 Protect the event logs from failure. 10679 Shut down systems when an integrity violation is detected, as necessary.
10678 Automatically respond when an integrity violation is detected.
SC-34(3)(b) 10660 Implement procedures to manually disable hardware write-protect to change firmware. 10660 Implement procedures to manually disable hardware write-protect to change firmware.
10659 Implement hardware-based, write-protect for system firmware components.
SI-4(13)(c) 7047 Eliminate false positives in event logs and audit logs. 7047 Eliminate false positives in event logs and audit logs.
596 Review and update event logs and audit logs, as necessary.