| AC-1: Access Control Policy and Procedures | | | X |
| AC-2: Account Management | | X | |
| AC-2 (1): Automated System Account Management | | | X |
| AC-2 (2): Removal of Temporary/Emergency Accounts | | X | |
| AC-2 (3): Disable Inactive Accounts | | X | |
| AC-2 (4): Automated Audit Actions | | | X |
| AC-2 (5): Account Monitoring/Control | | | X |
| AC-2 (7): Role-based Schemes | | | X |
| AC-3: Access Enforcement | | | X |
| AC-3 (3): Mandatory Access Control | | | X |
| AC-3 (4): Discretionary Access Control | | | X |
| AC-4: Information Flow Enforcement | | | X |
| AC-4 (1): Discretionary Flow Control | | | X |
| AC-4 (2): Security Attribute-Based Flow Control | | | X |
| AC-5: Separation of Duties | X | | |
| AC-6: Least Privilege | X | | |
| AC-6 (1): Access to Security Functions | X | | |
| AC-6 (2): Non-Privileged Access for Nonsecurity Functions | | | X |
| AC-6 (3): Auditing Use of Privileged Functions | | | X |
| AC-6 (5): Privileged Accounts | X | | |
| AC-6 (9): Auditing Access Attempts | | | X |
| AC-7: Unsuccessful Login Attempts | | | X |
| AC-8: System Use Notification | X | | |
| AC-8 (3): Role-Based Use Notification | X | | |
| AC-17: Remote Access | X | | |
| AC-17 (1): Protection of Confidentiality/Integrity of Remote Access | X | | |
| AC-17 (2): Monitoring Remote Access | X | | |
| AC-17 (3): Managed Access Control Points | X | | |
| AC-18: Wireless Access | | X | |
| AC-18 (1): Encryption of Wireless Access | | X | |
| AC-19: Access Control for Mobile Devices | | X | |
| AC-19 (5): Managed Mobile Devices | | X | |
| AC-20: Use of External Information Systems | | | X |
| AC-20 (1): Limits on Authorized Use | X | | |
| AC-20 (3): External Information Systems Monitoring | | | X |
| AC-21: Information Sharing | | | X |
| AC-22: Publicly Accessible Content | X | | |
| AT-1: Security Awareness and Training Policy and Procedures | | | X |
| AT-2: Security Awareness Training | | | X |
| AT-3: Role-Based Security Training | | | X |
| AT-4: Security Training Records | | | X |
| AU-1: Audit and Accountability Policy and Procedures | | | X |
| AU-2: Audit Events | | | X |
| AU-2 (3): Centralized Management of Audit Information | | | X |
| AU-3: Content of Audit Records | | | X |
| AU-4: Audit Storage Capacity | X | | |
| AU-5: Response to Audit Processing Failures | | | X |
| AU-6: Audit Review, Analysis, and Reporting | | | X |
| AU-6 (1): Process Integration | X | | |
| AU-7: Audit Reduction and Report Generation | | | X |
| AU-8: Time Stamps | X | | |
| AU-9: Protection of Audit Information | X | | |
| AU-10: Non-repudiation | X | | |
| AU-11: Audit Record Retention | | | X |
| AU-12: Audit Generation | X | | |
| AU-12 (1): Automated Generation of Audit Records | X | | |
| CA-1: Security Assessment and Authorization Policy and Procedures | | X | |
| CA-2: Security Assessments | | | X |
| CA-2 (2): Specialized Security Assessments | | | X |
| CA-3: System Interconnections | X | | |
| CA-5: Plan of Action and Milestones | | X | |
| CA-6: Security Authorization | X | | |
| CA-7: Continuous Monitoring | X | | |
| CA-9: Internal System Connections | X | | |
| CM-1: Configuration Management Policy and Procedures | | X | |
| CM-2: Baseline Configuration | | | X |
| CM-2 (1): Automated Baseline Configuration Management | | | X |
| CM-3: Configuration Change Control | | | X |
| CM-4: Security Impact Analysis | X | | |
| CM-5: Access Restrictions for Change | | | X |
| CM-6: Configuration Settings | | | X |
| CM-7: Least Functionality | | | X |
| CM-8: System Component Inventory | | | X |
| CM-9: Configuration Management Plan | | | X |
| CP-1: Contingency Planning Policy and Procedures | | | X |
| CP-2: Contingency Plan | | | X |
| CP-2 (1): Coordination with Related Plans | | X | |
| CP-3: Contingency Training | | X | |
| CP-4: Contingency Plan Testing | | | X |
| CP-4 (2): Alternate Processing Site Test | X | | |
| CP-6: Alternate Storage Site | X | | |
| CP-7: Alternate Processing Site | X | | |
| CP-8: Telecommunications Services | X | | |
| CP-9: System Backup | | | X |
| IA-2: Identification and Authentication (Organizational Users) | | | X |
| IA-2 (1): Multi-factor Authentication | X | | |
| IA-2 (2): Network Access to Privileged Accounts | X | | |
| IA-2 (3): Remote Access | X | | |
| IA-3: Device Identification and Authentication | | X | |
| IA-4: Identifier Management | | X | |
| IA-5: Authenticator Management | X | | |
| IA-5 (1): Password-based Authentication | X | | |
| IA-6: Authenticator Feedback | | | X |
| IA-7: Cryptographic Module Authentication | X | | |
| IR-1: Incident Response Policy and Procedures | | X | |
| IR-2: Incident Response Training | | X | |
| IR-3: Incident Response Testing | | | X |
| IR-4: Incident Handling | | | X |
| IR-4 (1): Automated Incident Handling | | | X |
| IR-5: Incident Monitoring | | | X |
| IR-6: Incident Reporting | | | X |
| IR-7: Incident Response Assistance | | | X |
| IR-8: Incident Response Plan | | X | |
| MA-1: System Maintenance Policy and Procedures | | X | |
| MA-2: Controlled Maintenance | | | X |
| MA-3: Maintenance Tools | | | X |
| MA-4: Nonlocal Maintenance | | X | |
| MA-5: Maintenance Personnel | X | | |
| MA-6: Timely Maintenance | X | | |
| MP-1: Media Protection Policy and Procedures | | X | |
| MP-2: Media Access | | | X |
| MP-3: Media Marking | | X | |
| MP-4: Media Storage | X | | |
| MP-5: Media Transport | | | X |
| MP-6: Media Sanitization | X | | |
| PE-1: Physical and Environmental Protection Policy and Procedures | | X | |
| PE-2: Physical Access Authorizations | | X | |
| PE-3: Physical Access Control | | X | |
| PE-4: Access Control for Output Devices | | | X |
| PL-1: Security Planning Policy and Procedures | | X | |
| PL-2: System Security Plan | | X | |
| PL-4: Rules of Behavior | | X | |
| PL-8: Security and Privacy Architectures | | X | |
| PS-1: Personnel Security Policy and Procedures | | X | |
| PS-2: Position Risk Designation | | X | |
| PS-3: Personnel Screening | | X | |
| PS-6: Access Agreements | | X | |
| RA-1: Risk Assessment Policy and Procedures | | X | |
| RA-2: Security Categorization | | | X |
| RA-3: Risk Assessment | | | X |
| RA-5: Vulnerability Scanning | X | | X |
| SC-1: System and Communications Protection Policy and Procedures | | X | |
| SC-7: Boundary Protection | X | | |
| SC-7 (1): Limiting Access Points | X | | |
| SC-8: Transmission Confidentiality and Integrity | X | | |
| SI-1: System and Information Integrity Policy and Procedures | | X | |
| SI-2: Flaw Remediation | X | | X |
| SI-3: Malicious Code Protection | X | | X |
| SI-4: Information System Monitoring | X | | X |
| SR-1: Supply Chain Risk Management Policy and Procedures | | X | |
| SR-2: Supply Chain Risk Management Plan | | X | |
| SR-3: Supply Chain Risk Assessment | X | | X |
| SR-4: Provenance | | | X |
| SR-5: Acquisition Strategies | | X | |
| SR-6: Supplier Assessments | | | X |
| SR-7: Supply Chain Risk Monitoring | | | X |
| SR-8: Notifications of Supply Chain Compromise | X | | X |
| SR-9: Tamper Resistance and Detection | X | | |
| SR-10: Insider Threats | X | | |
| SR-11: Component Authenticity | | X | |
| SR-12: Supply Chain Documentation | | X | |
