Here is the list of the mapping changes that resulted from the re-mapping of legacy document NIST 800-53 R4.
There are two types of changes:
Please note that if a mapping did not change, it is not included in this table.
Citation | Legacy CC ID | Legacy CC Name | New CC ID | New CC Name | |
CM-7(4)(b) | 868 | Establish and maintain a software accountability policy. | 11780 | Establish, implement, and maintain whitelists and blacklists of software. | |
CM-8(6) ¶ 1 | 8710 | Establish and maintain a configuration change log. | 862 | Establish and maintain a current configuration baseline based on the least functionality principle. | |
8711 | Document approved configuration deviations. | ||||
AC-3(9)(a) | 544 | Establish and maintain a Boundary Defense program. | 6310 | Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. | |
AC-3(9)(b) | 544 | Establish and maintain a Boundary Defense program. | 6310 | Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. | |
AC-3(10) ¶ 1 | 512 | Establish, implement, and maintain access control policies. | 645 | Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. | |
AC-4(15) ¶ 1 | 6763 | Constrain the information flow of restricted data or restricted information. | 6763 | Constrain the information flow of restricted data or restricted information. | |
6761 | Perform content filtering scans on network traffic. | ||||
AC-4(18) ¶ 1 | 4542 | Establish and maintain information flow procedures. | 6764 | Associate records with their security attributes. | |
AC-16b. | 6764 | Associate records with their security attributes. | 6764 | Associate records with their security attributes. | |
968 | Retain records in accordance with applicable requirements. | ||||
AC-16c. | 6764 | Associate records with their security attributes. | 3 | Interpret and apply security requirements based upon the information classification of the system. | |
AC-16d. | 6764 | Associate records with their security attributes. | 1903 | Apply security controls to each level of the information classification standard. | |
AC-16(6) ¶ 1 | 6764 | Associate records with their security attributes. | 12304 | Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. | |
AC-16(7) ¶ 1 | 6764 | Associate records with their security attributes. | 7184 | Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. | |
AC-16(9) ¶ 1 | 6764 | Associate records with their security attributes. | 13036 | Establish and maintain records management systems, as necessary. | |
AC-16(10) ¶ 1 | 6765 | Reconfigure the security attributes of records as the information changes. | 11885 | Assign information security responsibilities to interested personnel and affected parties in the information security program. | |
AC-16(1) ¶ 1 | 6765 | Reconfigure the security attributes of records as the information changes. | 6765 | Reconfigure the security attributes of records as the information changes. | |
6764 | Associate records with their security attributes. | ||||
AC-21(2) ¶ 1 | 6310 | Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. | 10010 | Provide structures for searching for items stored in the Electronic Document and Records Management system. | |
AC-24(1) ¶ 1 | 4553 | Enable access control for objects and users on each system. | 1410 | Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. | |
AC-24(2) ¶ 1 | 4553 | Enable access control for objects and users on each system. | 11836 | Include the objects and users subject to access control in the security policy. | |
AU-5b. | 6290 | Protect the event logs from failure. | 10679 | Shut down systems when an integrity violation is detected, as necessary. | |
14308 | Overwrite the oldest records when audit logging fails. | ||||
1712 | Configure the security parameters for all logs. | ||||
AU-5(3) ¶ 1 | 1619 | Establish and maintain system capacity monitoring procedures. | 1619 | Establish and maintain system capacity monitoring procedures. | |
6883 | Establish, implement, and maintain rate limiting filters. | ||||
AU-10(1)(a) | 6764 | Associate records with their security attributes. | 12729 | Assign an information owner to organizational assets, as necessary. | |
AU-10(1)(b) | 6764 | Associate records with their security attributes. | 920 | Establish and maintain data input and data access authorization tracking. | |
AU-10(2)(a) | 6764 | Associate records with their security attributes. | 920 | Establish and maintain data input and data access authorization tracking. | |
AU-10(3) ¶ 1 | 567 | Implement non-repudiation for transactions. | 13203 | Validate transactions using identifiers and credentials. | |
AU-13 Control | 10419 | Search the Internet for evidence of data leakage. | 10419 | Search the Internet for evidence of data leakage. | |
10593 | Review monitored websites for data leakage. | ||||
CA-8(2) ¶ 1 | 1277 | Perform network-layer penetration testing on all systems, as necessary. | 12131 | Conduct Red Team exercises, as necessary. | |
PE-18(1) ¶ 1 | 6351 | Define selection criteria for facility locations. | 6351 | Define selection criteria for facility locations. | |
6479 | Employ risk assessment procedures that take into account the target environment. | ||||
PE-20a. | 10626 | Attach asset location technologies to distributed Information Technology assets. | 10626 | Attach asset location technologies to distributed Information Technology assets. | |
11684 | Monitor the location of distributed Information Technology assets. | ||||
CM-3(3) ¶ 1 | 2130 | Create a Configuration Baseline Documentation Record before promoting the system to a production environment. | 12103 | Review and update Configuration Baseline Documentation Records, as necessary. | |
12503 | Apply configuration standards to all systems, as necessary. | ||||
CM-5(4) ¶ 1 | 11776 | Implement changes according to the change control program. | 11776 | Implement changes according to the change control program. | |
887 | Manage change requests. | ||||
CM-6a. | 2132 | Establish and maintain an accurate Configuration Management Database with accessible reporting capabilities. | 11953 | Establish and maintain configuration standards for all systems based upon industry best practices. | |
CM-7(3) ¶ 1 | 537 | Include a protocols, ports, applications, and services list in the firewall and router configuration standard. | 12547 | Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. | |
CP-2(6) ¶ 1 | 742 | Designate an alternate facility in the continuity plan. | 744 | Prepare the alternate facility for an emergency offsite relocation. | |
1169 | Include restoration procedures in the continuity plan. | ||||
CP-2(7) ¶ 1 | 1386 | Coordinate continuity planning with other business units responsible for related continuity plans. | 13242 | Coordinate and incorporate supply chain members' continuity plans, as necessary. | |
CP-4(3) ¶ 1 | 1389 | Automate the off-site testing to more thoroughly test the continuity plan. | 755 | Test the continuity plan, as necessary. | |
CP-11 Control | 1294 | Include Wide Area Network continuity procedures in the continuity plan. | 750 | Include emergency communications procedures in the continuity plan. | |
CP-8(5) ¶ 1 | 755 | Test the continuity plan, as necessary. | 12777 | Validate the emergency communications procedures during continuity plan tests. | |
IA-2(6) ¶ 1 | 561 | Implement two-factor authentication techniques. | 561 | Implement two-factor authentication techniques. | |
6836 | Establish and maintain a register of approved third parties, technologies and tools. | ||||
IA-2(7) ¶ 1 | 561 | Implement two-factor authentication techniques. | 561 | Implement two-factor authentication techniques. | |
6836 | Establish and maintain a register of approved third parties, technologies and tools. | ||||
IA-2(10) ¶ 1 | 11841 | Include digital identification procedures in the access control program. | 553 | Enable logon authentication management techniques. | |
IA-4 Control | 0 | UCF CE List | 515 | Control the addition and modification of user identifiers, user credentials, or other object identifiers. | |
IA-4(2) ¶ 1 | 515 | Control the addition and modification of user identifiers, user credentials, or other object identifiers. | 515 | Control the addition and modification of user identifiers, user credentials, or other object identifiers. | |
6641 | Review and approve logical access to all assets based upon organizational policies. | ||||
IA-4(6) ¶ 1 | 515 | Control the addition and modification of user identifiers, user credentials, or other object identifiers. | 12201 | Provide identification mechanisms for the organization's supply chain members. | |
IA-4(7) ¶ 1 | 8712 | Require multiple forms of personal identification prior to issuing user IDs. | 13750 | Support the identity proofing process through in-person proofing or remote proofing. | |
IA-9 Control | 513 | Establish and maintain an access rights management plan. | 14053 | Establish, implement, and maintain identification and authentication procedures. | |
IA-9(1) ¶ 1 | 1429 | Require the system to identify and authenticate approved devices before establishing a connection to restricted data. | 14227 | Include coordination amongst entities in the identification and authentication policy. | |
IA-9(2) ¶ 1 | 1429 | Require the system to identify and authenticate approved devices before establishing a connection to restricted data. | 14053 | Establish, implement, and maintain identification and authentication procedures. | |
IR-3(1) ¶ 1 | 6752 | Use automated mechanisms in the training environment, where appropriate. | 1216 | Test the incident response procedures. | |
IR-4(10) ¶ 1 | 1212 | Share incident information with interested personnel and affected parties. | 13196 | Coordinate incident response activities with interested personnel and affected parties. | |
MA-4(4) ¶ 1 | 0 | UCF CE List | 1433 | Control remote maintenance according to the system's asset classification. | |
MA-4(7) ¶ 1 | 4262 | Activate third party maintenance accounts and user identifiers, as necessary. | 12083 | Terminate remote maintenance sessions when the remote maintenance is complete. | |
MA-5(4)(b) | 1434 | Conduct maintenance with authorized personnel. | 11873 | Control granting access to third parties performing maintenance on organizational assets. | |
6509 | Include a description of the product or service to be provided in third party contracts. | ||||
MP-4a. | 11664 | Physically secure all electronic storage media that store restricted data or restricted information. | 11664 | Physically secure all electronic storage media that store restricted data or restricted information. | |
965 | Control the storage of restricted storage media. | ||||
MP-4(2) ¶ 1 | 371 | Establish and maintain access controls for all records. | 12462 | Authorize physical access to sensitive areas based on job functions. | |
6797 | Monitor for unauthorized physical access at physical entry points. | ||||
12080 | Establish and maintain a physical access log. | ||||
PE-2(2) ¶ 1 | 713 | Establish and maintain physical identification procedures. | 6701 | Check the visitor's stated identity against a provided government issued identification. | |
PE-3(2) ¶ 1 | 1441 | Control the delivery of assets through physical entry points and physical exit points. | 11681 | Control the removal of assets through physical entry points and physical exit points. | |
PE-3(3) ¶ 1 | 6653 | Employ security guards to provide physical security, as necessary. | 6653 | Employ security guards to provide physical security, as necessary. | |
11669 | Maintain all security alarm systems. | ||||
PE-5(1)(b) | 926 | Establish, implement, and maintain document handling procedures for paper documents. | 11656 | Establish and maintain document security requirements for the output of records. | |
PE-5(2)(a) | 926 | Establish, implement, and maintain document handling procedures for paper documents. | 371 | Establish and maintain access controls for all records. | |
PE-5(2)(b) | 926 | Establish, implement, and maintain document handling procedures for paper documents. | 372 | Provide audit trails for all pertinent records. | |
PL-9 Control | 6328 | Adhere to operating procedures as defined in the Standard Operating Procedures Manual. | 12415 | Establish and maintain a baseline of internal controls. | |
RA-3b. | 6481 | Include the results of the risk assessment in the risk assessment report. | 6481 | Include the results of the risk assessment in the risk assessment report. | |
6481 | Include the results of the risk assessment in the risk assessment report. | 11978 | Include risk assessment results in the risk treatment plan. | ||
6481 | Include the results of the risk assessment in the risk assessment report. | ||||
SA-4(3) ¶ 1 | 1447 | Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets. | 1447 | Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets. | |
1124 | Include security requirements in system acquisition contracts. | ||||
14256 | Include a description of the development environment and operational environment in system acquisition contracts. | ||||
1100 | Perform Quality Management on all newly developed or modified systems. | ||||
SA-4(5)(b) | 1446 | Provide a Configuration Management plan by the Information System developer for all newly acquired information technology assets. | 12503 | Apply configuration standards to all systems, as necessary. | |
SA-4(6)(a) | 1133 | Establish, implement, and maintain a product and services acquisition strategy. | 6836 | Establish and maintain a register of approved third parties, technologies and tools. | |
SA-11(3)(b) | 11638 | Assign vulnerability scanning to qualified personnel or external third parties. | 11638 | Assign vulnerability scanning to qualified personnel or external third parties. | |
12186 | Grant access to authorized personnel. | ||||
SA-11(7) ¶ 1 | 1100 | Perform Quality Management on all newly developed or modified systems. | 1447 | Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets. | |
SA-12(5) ¶ 1 | 8808 | Establish, implement, and maintain a supply chain management policy. | 8811 | Include risk management procedures in the supply chain management policy. | |
SA-12(7) ¶ 1 | 1135 | Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. | 1129 | Conduct an acquisition feasibility study prior to acquiring Information Technology assets. | |
1144 | Establish, implement, and maintain facilities, assets, and services acceptance procedures. | ||||
12218 | Establish and maintain product update procedures. | ||||
SA-12(11) ¶ 1 | 8811 | Include risk management procedures in the supply chain management policy. | 8854 | Conduct all parts of the supply chain due diligence process. | |
8861 | Assign the appropriate individuals or groups to oversee and support supply chain due diligence. | ||||
655 | Perform penetration tests, as necessary. | ||||
SA-12(8) ¶ 1 | 8811 | Include risk management procedures in the supply chain management policy. | 8854 | Conduct all parts of the supply chain due diligence process. | |
SA-12(9) ¶ 1 | 8818 | Use third parties that are compliant with the applicable requirements. | 13109 | Establish and maintain information security controls for the supply chain. | |
SA-12(13) ¶ 1 | 1435 | Perform periodic maintenance according to organizational standards. | 6388 | Maintain contact with the device manufacturer or component manufacturer for maintenance requests. | |
SA-12(14) ¶ 1 | 8958 | Include a unique reference identifier on products for sale. | 8958 | Include a unique reference identifier on products for sale. | |
968 | Retain records in accordance with applicable requirements. | ||||
SA-12(15) ¶ 1 | 8810 | Include a clear management process in the supply chain management policy. | 8815 | Implement measurable improvement plans with all third parties. | |
SA-13b. | 1124 | Include security requirements in system acquisition contracts. | 1125 | Include security controls in system acquisition contracts. | |
SA-15(1)(b) | 8667 | Include measurable system performance requirements in the system design specification. | 1100 | Perform Quality Management on all newly developed or modified systems. | |
SA-15(2) ¶ 1 | 1096 | Supervise and monitor outsourced development projects. | 14307 | Require the information system developer to create a continuous monitoring plan. | |
SA-15(4) ¶ 1 | 0 | UCF CE List | 6829 | Include threat models in the system design specification. | |
11828 | Perform vulnerability assessments, as necessary. | ||||
SA-15(7)(a) | 11637 | Perform vulnerability scans, as necessary. | 11637 | Perform vulnerability scans, as necessary. | |
SA-15(7)(b) | 11744 | Establish and maintain system testing procedures. | 11940 | Rank discovered vulnerabilities. | |
SA-15(7)(c) | 6910 | Change the scope, definition, and work breakdown of the system development project after corrective actions are taken. | 6909 | Initiate preventive actions to achieve the system development project's goals and outputs. | |
SA-15(7)(d) | 4881 | Recommend mitigation techniques based on penetration test results. | 11639 | Recommend mitigation techniques based on vulnerability scan reports. | |
SA-15(8) ¶ 1 | 11637 | Perform vulnerability scans, as necessary. | 6829 | Include threat models in the system design specification. | |
1000 | Perform a risk assessment for each system development project. | ||||
SA-15(9) ¶ 1 | 1103 | Restrict production data from being used in the test environment. | 11744 | Establish and maintain system testing procedures. | |
6609 | Document the procedures and environment used to create the system or software. | ||||
1103 | Restrict production data from being used in the test environment. | ||||
SA-15(10) ¶ 1 | 588 | Include intrusion detection procedures in the Incident Management program. | 12056 | Establish and maintain an incident response plan. | |
SA-17(2)(a) | 4558 | Establish, implement, and maintain a system implementation representation document. | 8666 | Include hardware requirements in the system design specification. | |
8664 | Include supporting software requirements in the system design specification. | ||||
SA-17(3)(c) | 4556 | Include all confidentiality, integrity, and availability functions in the system design specification. | 4559 | Include the relationships and dependencies between modules in the system design specification. | |
SA-17(3)(e) | 4556 | Include all confidentiality, integrity, and availability functions in the system design specification. | 11734 | Include a description of each module and asset in the system design specification. | |
SA-17(4)(c) | 4556 | Include all confidentiality, integrity, and availability functions in the system design specification. | 4559 | Include the relationships and dependencies between modules in the system design specification. | |
SA-17(4)(d) | 4556 | Include all confidentiality, integrity, and availability functions in the system design specification. | 4559 | Include the relationships and dependencies between modules in the system design specification. | |
SA-17(4)(e) | 4556 | Include all confidentiality, integrity, and availability functions in the system design specification. | 11734 | Include a description of each module and asset in the system design specification. | |
SA-17(6) | 11744 | Establish and maintain system testing procedures. | 1101 | Establish and maintain a system testing program for all system development projects. | |
SA-19a. | 10641 | Establish and maintain an anti-counterfeit program for acquiring new systems. | 10641 | Establish and maintain an anti-counterfeit program for acquiring new systems. | |
10643 | Scan for potential counterfeit parts and potential counterfeit components. | ||||
11510 | Seize counterfeit products. | ||||
SA-19b. | 10642 | Create and distribute a counterfeit product report. | 11494 | Disseminate and communicate the counterfeit product report to the supplier. | |
10642 | Create and distribute a counterfeit product report. | 11490 | Disseminate and communicate the counterfeit product report to appropriate law enforcement authorities. | ||
10642 | Create and distribute a counterfeit product report. | 10642 | Create and distribute a counterfeit product report. | ||
SA-19(2) ¶ 1 | 863 | Establish and maintain configuration control and Configuration Status Accounting for each system. | 863 | Establish and maintain configuration control and Configuration Status Accounting for each system. | |
863 | Establish and maintain configuration control and Configuration Status Accounting for each system. | ||||
SA-21a. | 6507 | Include compliance with the organization's access policy as a requirement in third party contracts. | 12186 | Grant access to authorized personnel. | |
SA-21b. | 790 | Include third party requirements for personnel security in third party contracts. | 11700 | Establish and maintain personnel screening procedures. | |
SA-21(1) ¶ 1 | 790 | Include third party requirements for personnel security in third party contracts. | 11663 | Establish, implement, and maintain access control procedures. | |
11700 | Establish and maintain personnel screening procedures. | ||||
SA-22b. | 10645 | Obtain justification for the continued use of system components when third party support is no longer available. | 10645 | Obtain justification for the continued use of system components when third party support is no longer available. | |
912 | Capture the records required by organizational compliance requirements. | ||||
SA-22(1) ¶ 1 | 6389 | Plan and conduct maintenance so that it does not interfere with scheduled operations. | 1435 | Perform periodic maintenance according to organizational standards. | |
SA-15(4)(b) | 11637 | Perform vulnerability scans, as necessary. | 14282 | Implement scanning tools, as necessary. | |
11828 | Perform vulnerability assessments, as necessary. | ||||
SC-3(1) ¶ 1 | 11858 | Separate user functionality from system management functionality. | 12254 | Design the hardware security module to enforce the separation between applications. | |
SC-3(3) ¶ 1 | 6767 | Separate processing domains to segregate user privileges and enhance information flow control. | 11858 | Separate user functionality from system management functionality. | |
SC-3(5) ¶ 1 | 6767 | Separate processing domains to segregate user privileges and enhance information flow control. | 6767 | Separate processing domains to segregate user privileges and enhance information flow control. | |
6767 | Separate processing domains to segregate user privileges and enhance information flow control. | ||||
11843 | Implement segregation of duties. | ||||
SC-5(3)(b) | 11752 | Establish and maintain system performance monitoring procedures. | 1619 | Establish and maintain system capacity monitoring procedures. | |
SC-7(9)(a) | 1295 | Restrict outbound network traffic from systems that contain restricted data or restricted information. | 1295 | Restrict outbound network traffic from systems that contain restricted data or restricted information. | |
6761 | Perform content filtering scans on network traffic. | ||||
SC-7(14) ¶ 1 | 11852 | Deny network access to rogue devices until network access approval has been received. | 718 | Establish and maintain physical security controls for distributed Information Technology assets. | |
SC-7(15) ¶ 1 | 11842 | Manage all external network connections. | 1421 | Control remote access through a network access control. | |
SC-7(17) ¶ 1 | 544 | Establish and maintain a Boundary Defense program. | 11845 | Include configuration management and rulesets in the network access control standard. | |
SC-16(1) ¶ 1 | 6764 | Associate records with their security attributes. | 923 | Establish and maintain data processing integrity controls. | |
SC-18(1) ¶ 1 | 574 | Establish, implement, and maintain a malicious code protection program. | 10034 | Monitor systems for unauthorized mobile code. | |
13691 | Remove malware when malicious code is discovered. | ||||
SC-18(2) ¶ 1 | 1136 | Establish, implement, and maintain a product and services acquisition program. | 1138 | Establish, implement, and maintain a software product acquisition methodology. | |
1094 | Develop systems in accordance with the system design specifications and system design standards. | ||||
1355 | Include asset use policies in the Acceptable Use Policy. | ||||
SC-18(3) ¶ 1 | 4576 | Restrict downloading to reduce malicious code attacks. | 4576 | Restrict downloading to reduce malicious code attacks. | |
11081 | Configure the "Prevent launch an application" setting to organizational standards. | ||||
SC-18(4) ¶ 1 | 10034 | Monitor systems for unauthorized mobile code. | 11081 | Configure the "Prevent launch an application" setting to organizational standards. | |
10034 | Monitor systems for unauthorized mobile code. | ||||
SC-23(3) ¶ 1 | 7074 | Use randomly generated session identifiers. | 7074 | Use randomly generated session identifiers. | |
4553 | Enable access control for objects and users on each system. | ||||
SC-25 Control | 882 | Remove all unnecessary functionality. | 882 | Remove all unnecessary functionality. | |
7599 | Configure Least Functionality and Least Privilege settings to organizational standards. | ||||
SC-27 Control | 0 | UCF CE List | 895 | Establish and maintain software asset management procedures. | |
SC-28(2) ¶ 1 | 951 | Establish and maintain a records lifecycle management program. | 968 | Retain records in accordance with applicable requirements. | |
SC-29 Control | 1046 | Identify system design strategies. | 1115 | Manage the system implementation process. | |
SC-30(3) ¶ 1 | 10651 | Change the locations of processing facilities at random intervals. | 10651 | Change the locations of processing facilities at random intervals. | |
10661 | Change the locations of storage facilities at random intervals. | ||||
SC-30(5) ¶ 1 | 582 | Determine if honeypots should be installed, and if so, where the honeypots should be placed. | 7110 | Establish, implement, and maintain virtualization configuration settings. | |
SC-31(3) ¶ 1 | 10655 | Reduce the maximum bandwidth of covert channels. | 10653 | Estimate the maximum bandwidth of any covert channels. | |
SC-34(2) ¶ 1 | 946 | Implement electronic storage media integrity controls. | 946 | Implement electronic storage media integrity controls. | |
969 | Maintain continued integrity for all stored data and stored records. | ||||
SC-37 Control | 10665 | Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. | 10665 | Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. | |
1441 | Control the delivery of assets through physical entry points and physical exit points. | ||||
SC-38 Control | 6491 | Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. | 13479 | Protect confidential information during the system development life cycle program. | |
SC-40(3) ¶ 1 | 6078 | Configure wireless communication to be encrypted using strong cryptography. | 11623 | Scan wireless networks for rogue devices. | |
11852 | Deny network access to rogue devices until network access approval has been received. | ||||
SC-42a. | 10666 | Prohibit the remote activation of environmental sensors on mobile devices. | 10666 | Prohibit the remote activation of environmental sensors on mobile devices. | |
10667 | Configure environmental sensors on mobile devices. | ||||
SC-43a. | 1350 | Establish and maintain an Acceptable Use Policy. | 1350 | Establish and maintain an Acceptable Use Policy. | |
1111 | Establish and maintain a system implementation standard. | ||||
SC-43b. | 1351 | Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. | 1351 | Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. | |
585 | Monitor systems for inappropriate usage and other security violations. | ||||
11665 | Control user privileges. | ||||
SC-8 Control | 564 | Use strong data encryption to transmit restricted data or restricted information over public networks. | 11859 | Protect data from unauthorized disclosure while transmitting between separate parts of the system. | |
4554 | Protect data from modification or loss while transmitting between separate parts of the system. | ||||
SC-13 Control | 4546 | Establish, implement, and maintain an encryption management and cryptographic controls policy. | 570 | Manage the use of encryption controls and cryptographic controls. | |
12491 | Employ only secure versions of cryptographic controls. | ||||
SI-3(6)(b) | 661 | Create specific test plans to test each system component. | 11901 | Test security systems and associated security procedures, as necessary. | |
11901 | Test security systems and associated security procedures, as necessary. | ||||
SI-3(8) ¶ 1 | 585 | Monitor systems for inappropriate usage and other security violations. | 585 | Monitor systems for inappropriate usage and other security violations. | |
12045 | Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. | ||||
645 | Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. | ||||
558 | Enforce privileged accounts and non-privileged accounts for system access. | ||||
SI-3(9) ¶ 1 | 562 | Protect remote access accounts with encryption. | 559 | Control all methods of remote access and teleworking. | |
SI-3(10)(b) | 10673 | Incorporate the malicious code analysis into the patch management program. | 10673 | Incorporate the malicious code analysis into the patch management program. | |
14016 | Communicate threat intelligence to interested personnel and affected parties. | ||||
SI-4(7) ¶ 1 | 6430 | Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. | 6430 | Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. | |
6942 | Respond to and triage when a security incident is detected. | ||||
SI-4(9) ¶ 1 | 1216 | Test the incident response procedures. | 11901 | Test security systems and associated security procedures, as necessary. | |
SI-4(13)(b) | 596 | Review and update event logs and audit logs, as necessary. | 643 | Include a standard to collect and interpret event logs in the event logging procedures. | |
SI-4(17) ¶ 1 | 596 | Review and update event logs and audit logs, as necessary. | 1424 | Compile the event logs of multiple components into a system-wide time-correlated audit trail. | |
SI-7(8) ¶ 1 | 6332 | Configure all logs to capture auditable events or actionable events. | 640 | Enable logging for all systems that meet a traceability criteria. | |
1337 | Configure the log to send alerts for each auditable events success or failure. | 6332 | Configure all logs to capture auditable events or actionable events. | ||
1337 | Configure the log to send alerts for each auditable events success or failure. | 1337 | Configure the log to send alerts for each auditable events success or failure. | ||
1552 | Enable and configure auditing operations and logging operations, as necessary. | 1337 | Configure the log to send alerts for each auditable events success or failure. | ||
10678 | Automatically respond when an integrity violation is detected. | ||||
SI-7(9) ¶ 1 | 1905 | Establish and maintain the systems' availability level. | 1906 | Establish and maintain the systems' integrity level. | |
SI-7(10) ¶ 1 | 1905 | Establish and maintain the systems' availability level. | 1909 | Define integrity controls. | |
SI-7(11) ¶ 1 | 868 | Establish and maintain a software accountability policy. | 6749 | Include a software installation policy in the Acceptable Use Policy. | |
SI-7(12) ¶ 1 | 868 | Establish and maintain a software accountability policy. | 6749 | Include a software installation policy in the Acceptable Use Policy. | |
SI-7(13) ¶ 1 | 6551 | Establish and maintain a virtual environment and shared resources security program. | 10648 | Execute permitted mobile code in confined virtual machine environments. | |
6749 | Include a software installation policy in the Acceptable Use Policy. | ||||
SI-10(1)(b) | 924 | Establish and maintain Automated Data Processing validation checks and editing checks. | 558 | Enforce privileged accounts and non-privileged accounts for system access. | |
SI-10(1)(c) | 6332 | Configure all logs to capture auditable events or actionable events. | 645 | Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. | |
SI-13(1) ¶ 1 | 1256 | Reconfigure restored systems to meet the Recovery Point Objectives. | 6276 | Establish, implement, and maintain a system redeployment program. | |
SI-13(3) ¶ 1 | 1256 | Reconfigure restored systems to meet the Recovery Point Objectives. | 13476 | Restore systems and environments to be operational. | |
SI-13(4)(a) | 1256 | Reconfigure restored systems to meet the Recovery Point Objectives. | 11693 | Reconfigure restored systems to meet the Recovery Time Objectives. | |
SI-13(4)(b) | 4544 | Monitor systems for errors and faults. | 10678 | Automatically respond when an integrity violation is detected. | |
10679 | Shut down systems when an integrity violation is detected, as necessary. | ||||
SI-14(1) ¶ 1 | 4890 | Establish and maintain a core supply inventory required to support critical business functions. | 6836 | Establish and maintain a register of approved third parties, technologies and tools. | |
SI-4a. | 0 | UCF CE List | 585 | Monitor systems for inappropriate usage and other security violations. | |
SI-6d. | 1206 | Establish and maintain incident response procedures. | 10679 | Shut down systems when an integrity violation is detected, as necessary. | |
10680 | Restart systems when an integrity violation is detected, as necessary. | ||||
SI-13b. | 1256 | Reconfigure restored systems to meet the Recovery Point Objectives. | 11693 | Reconfigure restored systems to meet the Recovery Time Objectives. | |
13476 | Restore systems and environments to be operational. | ||||
SI-15 Control | 930 | Establish and maintain paper document integrity requirements for the output of records. | 6627 | Perform regularly scheduled quality and integrity control reviews of output of records. | |
PM-1a. | 0 | UCF CE List | 812 | Establish and maintain an information security program. | |
815 | Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. | ||||
PM-1a.1. | 820 | Establish and maintain an internal control framework. | 11740 | Establish and maintain an information security policy. | |
820 | Establish and maintain an internal control framework. | ||||
PM-1a.2. | 820 | Establish and maintain an internal control framework. | 11885 | Assign information security responsibilities to interested personnel and affected parties in the information security program. | |
11999 | Provide management direction and support for the information security program. | ||||
12294 | Describe the group activities that protect restricted data in the information security procedures. | ||||
6384 | Comply with all implemented policies in the organization's compliance framework. | ||||
PM-1a.3. | 815 | Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. | 812 | Establish and maintain an information security program. | |
PM-1a.4. | 815 | Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. | 11737 | Approve the information security policy at the organization's management level or higher. | |
PM-3a. | 6279 | Establish, implement, and maintain a Capital Planning and Investment Control policy. | 6279 | Establish, implement, and maintain a Capital Planning and Investment Control policy. | |
1630 | Document compliance exceptions, as necessary. | ||||
PM-3b. | 6279 | Establish, implement, and maintain a Capital Planning and Investment Control policy. | 6846 | Document the business case and return on investment in each Information Technology project plan. | |
PM-4a.2. | 6777 | Implement a corrective action plan in response to the audit report. | 705 | Document and communicate a corrective action plan based on the risk assessment findings. | |
PM-4a.3. | 6777 | Implement a corrective action plan in response to the audit report. | 705 | Document and communicate a corrective action plan based on the risk assessment findings. | |
PM-4b. | 675 | Create a corrective action plan to correct control deficiencies identified in an audit. | 11645 | Include monitoring in the corrective action plan. | |
PM-6 | 671 | Establish and maintain a compliance monitoring policy. | 671 | Establish and maintain a compliance monitoring policy. | |
12857 | Monitor the performance of the governance, risk, and compliance capability. | ||||
676 | Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. | ||||
PM-8 | 710 | Establish and maintain facility maintenance procedures. | 6486 | Take into account the need for protecting information confidentiality during infrastructure planning. | |
PM-9a. | 685 | Establish and maintain the risk assessment framework. | 13209 | Establish and maintain risk management strategies, as necessary. | |
PM-9b. | 6446 | Establish, implement, and maintain risk assessment procedures. | 13661 | Integrate the risk management program with the organization's business activities. | |
PM-9c. | 6460 | Review the risk assessment procedures, as necessary. | 13049 | Review and update the risk management program, as necessary. | |
PM-10a. | 7109 | Approve the results of the risk assessment as documented in the risk assessment report. | 12004 | Review systems for compliance with organizational information security policies. | |
711 | Establish and maintain a facility physical security program. | ||||
PM-10c. | 6446 | Establish, implement, and maintain risk assessment procedures. | 14228 | Review and update the security assessment and authorization procedures, as necessary. | |
PM-11a. | 6495 | Address Information Security during the business planning processes. | 6495 | Address Information Security during the business planning processes. | |
698 | Include the risks to the organization's critical personnel and assets in the threat and risk classification scheme. | ||||
PM-11b. | 704 | Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. | 12155 | Observe processes to determine the effectiveness of in scope controls. | |
675 | Create a corrective action plan to correct control deficiencies identified in an audit. | ||||
PM-13 Control | 785 | Train all personnel and third parties, as necessary. | 828 | Establish and implement training plans. | |
PM-14a.1. | 1406 | Establish, implement, and maintain a Governance, Risk, and Compliance framework. | 654 | Establish, implement, and maintain a testing program. | |
828 | Establish and implement training plans. | ||||
637 | Establish, implement, and maintain logging and monitoring operations. | ||||
PM-14a.2. | 1406 | Establish, implement, and maintain a Governance, Risk, and Compliance framework. | 818 | Implement and comply with the Governance, Risk, and Compliance framework. | |
PM-14b. | 817 | Review and update the Governance, Risk, and Compliance framework, as necessary. | 654 | Establish, implement, and maintain a testing program. | |
828 | Establish and implement training plans. | ||||
637 | Establish, implement, and maintain logging and monitoring operations. | ||||
PM-15a. | 11732 | Share relevant security information with Special Interest Groups, as necessary. | 2217 | Tailor training to meet published guidance on the subject being taught. | |
PM-15b. | 11732 | Share relevant security information with Special Interest Groups, as necessary. | 6489 | Include security information sharing procedures in the internal control framework. | |
PM-16 | 6494 | Monitor the organization's exposure to threats, as necessary. | 6494 | Monitor the organization's exposure to threats, as necessary. | |
6489 | Include security information sharing procedures in the internal control framework. | ||||
PM-1b. | 1348 | Review the internal control framework, as necessary. | 12744 | Monitor and review the effectiveness of the information security program. | |
PM-1c. | 1348 | Review the internal control framework, as necessary. | 817 | Review and update the Governance, Risk, and Compliance framework, as necessary. | |
13501 | Correct errors and deficiencies in a timely manner. | ||||
AP-1 Control | 6487 | Establish and maintain a personal data collection program. | 103 | Document the law that requires personal data to be collected. | |
AP-2 Control | 6281 | Establish, implement, and maintain a privacy policy. | 406 | Include the processing purpose in the privacy policy. | |
AR-1b. | 7113 | Establish and maintain a list of compliance documents. | 604 | Monitor regulatory trends to maintain compliance. | |
AR-1d. | 6281 | Establish, implement, and maintain a privacy policy. | 11850 | Establish and maintain a privacy framework that protects restricted data. | |
AR-1e. | 6281 | Establish, implement, and maintain a privacy policy. | 11850 | Establish and maintain a privacy framework that protects restricted data. | |
13346 | Disseminate and communicate the privacy policy, as necessary. | ||||
AR-2b. | 357 | Conduct personal data risk assessments. | 13712 | Establish, implement, and maintain a privacy impact assessment. | |
AR-3a. | 11610 | Include text about access, use, disclosure, and transfer of data or information in third party contracts. | 11610 | Include text about access, use, disclosure, and transfer of data or information in third party contracts. | |
1364 | Include third party acknowledgement of their data protection responsibilities in third party contracts. | ||||
AR-5a. | 828 | Establish and implement training plans. | 828 | Establish and implement training plans. | |
12868 | Update training plans, as necessary. | ||||
AR-5b. | 6664 | Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. | 785 | Train all personnel and third parties, as necessary. | |
6674 | Tailor training to be taught at each person's level of responsibility. | ||||
AR-6 Control | 383 | Register with public bodies and notify the Data Commissioner before processing personal data. | 383 | Register with public bodies and notify the Data Commissioner before processing personal data. | |
7029 | Include the organization's privacy practices in the audit report. | ||||
AR-8a. | 372 | Provide audit trails for all pertinent records. | 13022 | Establish and maintain a disclosure accounting record. | |
AR-8a.(1) | 7133 | Include the disclosure date in the disclosure accounting record. | 7133 | Include the disclosure date in the disclosure accounting record. | |
7135 | Include the disclosure purpose in the disclosure accounting record. | 7135 | Include the disclosure purpose in the disclosure accounting record. | ||
4680 | Include what information was disclosed and to whom in the disclosure accounting record. | ||||
AR-8a.(2) | 4680 | Include what information was disclosed and to whom in the disclosure accounting record. | 7134 | Include the disclosure recipient in the disclosure accounting record. | |
AR-8b. | 167 | Establish and maintain personal data retention procedures. | 968 | Retain records in accordance with applicable requirements. | |
DI-1a. | 88 | Check the accuracy of personal data. | 88 | Check the accuracy of personal data. | |
90 | Check that personal data is complete. | 90 | Check that personal data is complete. | ||
11831 | Use personal data for specified purposes. | ||||
91 | Keep personal data up-to-date and valid. | ||||
DI-1c. | 88 | Check the accuracy of personal data. | 88 | Check the accuracy of personal data. | |
462 | Change or destroy any personal data that is incorrect. | ||||
DI-1(1) ¶ 1 | 89 | Record personal data correctly. | 13187 | Establish and maintain customer data authentication procedures. | |
DI-2a. | 88 | Check the accuracy of personal data. | 923 | Establish and maintain data processing integrity controls. | |
DI-2b. | 843 | Review and approve all Service Level Agreements. | 806 | Establish and maintain high level operational roles and responsibilities. | |
DI-2(1) ¶ 1 | 375 | Establish, implement, and maintain a personal data transparency program. | 379 | Publish a description of activities about processing personal data in an official register. | |
DM-1a. | 27 | Collect and record personal data for specific, explicit, and legitimate purposes. | 78 | Collect the minimum amount of personal data necessary. | |
DM-1b. | 27 | Collect and record personal data for specific, explicit, and legitimate purposes. | 78 | Collect the minimum amount of personal data necessary. | |
167 | Establish and maintain personal data retention procedures. | ||||
DM-1c. | 11756 | Establish and maintain data handling procedures. | 507 | Establish and maintain personal data collection limitation boundaries. | |
13428 | Establish and maintain a personal data use limitation program. | ||||
DM-1(1) ¶ 1 | 7126 | Establish, implement, and maintain de-identifying and re-identifying procedures. | 13498 | Establish, implement, and maintain personal data disposition procedures. | |
7126 | Establish, implement, and maintain de-identifying and re-identifying procedures. | ||||
DM-2b. | 125 | Dispose of media and personal data in a timely manner. | 125 | Dispose of media and personal data in a timely manner. | |
7126 | Establish, implement, and maintain de-identifying and re-identifying procedures. | ||||
DM-2c. | 125 | Dispose of media and personal data in a timely manner. | 13498 | Establish, implement, and maintain personal data disposition procedures. | |
DM-2(1) ¶ 1 | 167 | Establish and maintain personal data retention procedures. | 11890 | Configure the log to capture creates, reads, updates, or deletes of records containing personal data. | |
11890 | Configure the log to capture creates, reads, updates, or deletes of records containing personal data. | ||||
DM-3b. | 96 | Refrain from using personal data collected for research and statistics for other purposes. | 13606 | Implement security measures to protect personal data. | |
DM-3(1) ¶ 1 | 96 | Refrain from using personal data collected for research and statistics for other purposes. | 13606 | Implement security measures to protect personal data. | |
IP-2d. | 103 | Document the law that requires personal data to be collected. | 4794 | Follow legal obligations while processing personal data. | |
IP-3b. | 467 | Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. | 467 | Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. | |
463 | Notify the data subject of changes made to personal data as the result of a dispute. | ||||
SE-1b. | 689 | Establish and maintain an Information Technology inventory with asset discovery audit trails. | 6631 | Establish, implement, and maintain an asset inventory. | |
SE-2a. | 588 | Include intrusion detection procedures in the Incident Management program. | 12056 | Establish and maintain an incident response plan. | |
SE-2b. | 364 | Include data loss event notifications in the Incident Response program. | 6942 | Respond to and triage when a security incident is detected. | |
TR-1a.(i) | 393 | Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. | 379 | Publish a description of activities about processing personal data in an official register. | |
101 | Post the collection purpose. | ||||
397 | Provide the data subject with a description of the type of information held by the organization and a general account of its use. | ||||
399 | Provide the data subject with what personal data is made available to related organizations or subsidiaries. | ||||
12585 | Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. | ||||
393 | Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. | ||||
12587 | Provide the data subject with the data retention period for personal data. | ||||
TR-1a.(ii) | 393 | Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. | 103 | Document the law that requires personal data to be collected. | |
AC-6(6) | 2 | Include business security requirements in the access classification scheme. | 558 | Enforce privileged accounts and non-privileged accounts for system access. | |
AR-8c. | 399 | Provide the data subject with what personal data is made available to related organizations or subsidiaries. | 14433 | Provide the data subject with a copy of the disclosure accounting record. | |
TR-1a.(iii) | 393 | Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. | 406 | Include the processing purpose in the privacy policy. | |
13111 | Include the consequences of refusing to provide required information in the privacy policy. | ||||
TR-1a.(iv) | 396 | Provide the data subject with the means of gaining access to personal data held by the organization. | 396 | Provide the data subject with the means of gaining access to personal data held by the organization. | |
457 | Notify individuals of their right to challenge personal data. | ||||
TR-1b.(i) | 6487 | Establish and maintain a personal data collection program. | 397 | Provide the data subject with a description of the type of information held by the organization and a general account of its use. | |
101 | Post the collection purpose. | ||||
TR-1b.(ii) | N/A | N/A | 397 | Provide the data subject with a description of the type of information held by the organization and a general account of its use. | |
TR-1b.(iii) | 409 | Include other organizations that personal data is being disclosed to in the privacy policy. | 409 | Include other organizations that personal data is being disclosed to in the privacy policy. | |
13459 | Include the types of third parties to which personal data is disclosed in the privacy notice. | ||||
399 | Provide the data subject with what personal data is made available to related organizations or subsidiaries. | ||||
TR-1b.(iv) | 30 | Collect personal data when an individual gives consent. | 13503 | Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. | |
469 | Give individuals the ability to change the uses of their personal data. | ||||
TR-1b.(vi) | 353 | Establish, implement, and maintain data handling policies. | 12585 | Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. | |
TR-1c. | 6281 | Establish, implement, and maintain a privacy policy. | 13474 | Update and redeliver privacy notices, as necessary. | |
TR-1(1) ¶ 1 | 95 | Notify the data subject of the collection purpose. | 132 | Notify the data subject before personal data is collected, used, or disclosed. | |
TR-2c. | N/A | N/A | 13444 | Deliver privacy notices to data subjects, as necessary. | |
TR-2(1) ¶ 1 | 375 | Establish, implement, and maintain a personal data transparency program. | 379 | Publish a description of activities about processing personal data in an official register. | |
TR-3a. | 394 | Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. | 379 | Publish a description of activities about processing personal data in an official register. | |
394 | Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. | ||||
UL-2a. | 93 | Establish, implement, and maintain a personal data use purpose specification. | 133 | Establish and maintain personal data disclosure procedures. | |
UL-2b. | 6518 | Include compliance with the organization's privacy policy in third party contracts. | 6510 | Include a description of the data or information to be covered in third party contracts. | |
838 | Establish and maintain Service Level Agreements with the organization's supply chain. | 11610 | Include text about access, use, disclosure, and transfer of data or information in third party contracts. | ||
UL-2c. | 785 | Train all personnel and third parties, as necessary. | 12971 | Monitor systems for unauthorized data transfers. | |
296 | Include disciplinary actions in the Acceptable Use Policy. | 12679 | Include the stipulation of allowing auditing for compliance in the Data Processing Contract. | ||
13757 | Conduct personal data processing training. | ||||
11747 | Establish and maintain consequences for non-compliance with the organizational compliance framework. | ||||
PM-15c. | 1358 | Include continuous security warning monitoring procedures in the internal control framework. | 11732 | Share relevant security information with Special Interest Groups, as necessary. | |
CP-8(4)(c) | 1365 | Review all third party's continuity plan test results. | 1365 | Review all third party's continuity plan test results. | |
1423 | Document all training in a training record. | ||||
SC-7(4)(e) | 1632 | Review the compliance exceptions in the exceptions document, as necessary. | 1632 | Review the compliance exceptions in the exceptions document, as necessary. | |
882 | Remove all unnecessary functionality. | ||||
CP-9(6) ¶ 1 | 1250 | Include technical preparation considerations for backup operations in the continuity plan. | 742 | Designate an alternate facility in the continuity plan. | |
SC-8(2) ¶ 1 | 812 | Establish and maintain an information security program. | 356 | Limit data leakage. | |
923 | Establish and maintain data processing integrity controls. | ||||
SI-2(6) ¶ 1 | 10671 | Remove outdated computer firmware after the computer firmware has been updated. | 10671 | Remove outdated computer firmware after the computer firmware has been updated. | |
11792 | Remove outdated software after software has been updated. | ||||
AU-5(4) ¶ 1 | 6290 | Protect the event logs from failure. | 10679 | Shut down systems when an integrity violation is detected, as necessary. | |
10678 | Automatically respond when an integrity violation is detected. | ||||
SC-34(3)(b) | 10660 | Implement procedures to manually disable hardware write-protect to change firmware. | 10660 | Implement procedures to manually disable hardware write-protect to change firmware. | |
10659 | Implement hardware-based, write-protect for system firmware components. | ||||
SI-4(13)(c) | 7047 | Eliminate false positives in event logs and audit logs. | 7047 | Eliminate false positives in event logs and audit logs. | |
596 | Review and update event logs and audit logs, as necessary. |