IT0121-M-A – Mandatory and Discretionary Controls

Appendix A – Mandatory and Discretionary Controls

| NIST SP 800-53 Rev 4 Control | Control Name | Implemented | Planned |
|---|---|---|---|
| Access Controls | | | |
| AC-2 | Account Management | X | |
| AC-3 | Access Enforcement | X | |
| AC-5 | Separation of Duties | | X |
| AC-6 | Least Privilege | | X |
| AC-7 | Unsuccessful Login Attempts | X | |
| AC-8 | System Use Notification* | X | |
| AC-11 | Session Lock* | In progress | |
| Awareness and Security Training | | | |
| AT-2 | Security Awareness Training | X | |
| AT-2.1 | Practical Exercises | X | |
| AT-3 | Role-Based Security Training | X | |
| AT-4 | Security Training Records | X | |
| Audit and Accountability | | | |
| AU-2 | Audit Events | X | |
| AU-3 | Content of Audit Records | X | |
| AU-4 | Audit Storage Capacity | X | |
| AU-6 | Audit Review, Analysis, and Reporting | X | |
| AU-8 | Time Stamps | X | |
| AU-11 | Audit Records Retention | X | |
| Security Assessment and Authorization | | | |
| CA-2 | Security Assessments | X | |
| CA-3 | System Interconnections | X | |
| CA-5 | Plan of Action and Milestones | X | |
| CA-6 | Security Authorization | X | |
| CA-7 | Continuous Monitoring | X | |
| Configuration Management | | | |
| CM-2 | Baseline Configuration | X | |
| CM-2.1 | Reviews and Updates | X | |
| CM-2.3 | Retention of Previous Configurations | | X |
| CM-3 | Configuration Change Control | X | |
| CM-4 | Security Impact Analysis | X | |
| CM-6 | Configuration Settings | X | |
| CM-7 | Least Functionality | X | |
| CM-7.1a | Periodic Review | X | |
| CM-7.1b | Disable Unnecessary / Nonsecure Functions, Ports, Protocols, etc. | X | |
| CM-9 | Configuration Management Plan | X | |
| Contingency Planning | | | |
| CP-1 | Contingency Planning Policy and Procedures | X | |
| CP-2 | Contingency Plan | X | |
| CP-3 | Contingency Training | X | |
| CP-4 | Contingency Plan Testing | X | |
| CP-6 | Alternate Storage Site | X | |
| CP-9 | Information System Backup | X | |
| CP-10 | Information System Recovery and Reconstitution | X | |
| Identification and Authentication | | | |
| IA-1 | Identification and Authentication Policy and Procedures | X | |
| IA-4 | Identifier Management | X | |
| IA-5 | Authenticator Management | X | |
| IA-6 | Authenticator Feedback | X | |
| Incident Response | | | |
| IR-3 | Incident Response Testing | X | |
| IR-4 | Incident Handling | X | |
| IR-5 | Incident Monitoring | X | |
| IR-6 | Incident Reporting | X | |
| IR-7 | Incident Response Assistance | X | |
| IR-8 | Incident Response Plan | X | |
| Media Protection | | | |
| MP-1 | Media Protection Policy and Procedures | X | |
| MP-2 | Media Access | X | |
| MP-4 | Media Storage | X | |
| MP-5 | Media Transport | X | |
| MP-6 | Media Sanitization | X | |
| MP-7 | Media Use | X | |
| Physical and Environmental Protection | | | |
| PE-2 | Physical Access Authorizations | X | |
| PE-3 | Physical Access Control | X | |
| PE-6 | Monitor Physical Access | X | |
| PE-8 | Visitor Access Records | X | |
| PE-10 | Emergency Shutoff | X | |
| PE-11 | Emergency Power | X | |
| PE-12 | Emergency Lighting | X | |
| PE-13 | Fire Protection | X | |
| PE-14 | Temperature and Humidity Controls | X | |
| Personnel Security | | | |
| PS-3 | Personnel Screening | X | |
| PS-4 | Personnel Termination | X | |
| PS-7 | Third-Party Personnel Security | X | |
| PS-8 | Personnel Sanctions | X | |
| Risk Assessment | | | |
| RA-2 | Security Categorization | X | |
| RA-3 | Risk Assessment | X | |
| RA-3a | Conduct Risk Assessment | X | |
| RA-3b | Documents Risk Assessment Results | X | |
| RA-3c | Reviews Risk Assessment Results | X | |
| RA-5 | Vulnerability Scanning | X | |
| System and Communications Protection | | | |
| SC-1 | System and Communications Protection Policy and Procedures | X | |
| SC-5 | Denial of Service Protection | X | |
| SC-7 | Boundary Protection | X | |
| SC-12 | Cryptographic Key Establishment and Management | X | |
| SC-15 | Collaborative Computing Devices | X | |
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | X | |
| SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | X | |
| SC-22 | Architecture and Provisioning for Name/Address Resolution Service | X | |
| System and Information Integrity | | | |
| SI-1 | System and Information Integrity Policy and Procedures | X | |
| SI-2 | Flaw Remediation | X | |
| SI-3 | Malicious Code Protection | X | |
| SI-4 | Information System Monitoring | X | |
| SI-8 | Spam Protection | X | |
| SI-12 | Information Output Handling and Retention | X | |

* Not referenced by a program or plan.
