News

Legacy Re-Mapping NIST 800-53 R4 Changes

December 3, 2020 | News/Articles

Here is the list of the mapping changes that resulted from the re-mapping of legacy document NIST 800-53 R4.

  • Legacy Document: AD 1374, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated
  • Re-mapped Document: AD 3212, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4

There are two types of changes:

  1. The mandate of the citation maps to a different control.
    This occurs when a better control match is created after the original mapping. This is typically a result of newer control having been written since the initial mapping.
  2. The mandates of the citation map to additional controls.
    Prior mappings typically mapped one citation to one control. We now identify all the mandates in each citation and map each mandate to a control. You can see the color-coded mandates at research.unifiedcompliance.com.

Please note if there were no changes to the mapping, it is not in this table.

Legacy and New Control Mappings
CitationLegacy CC IDLegacy CC NameNew CC IDNew CC Name
CM-7(4)(b)868Establish and maintain a software accountability policy.11780Establish, implement, and maintain whitelists and blacklists of software.
CM-8(6) ¶ 18710Establish and maintain a configuration change log.862Establish and maintain a current configuration baseline based on the least functionality principle.
8711Document approved configuration deviations.
AC-3(9)(a)544Establish and maintain a Boundary Defense program.6310Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control.
AC-3(9)(b)544Establish and maintain a Boundary Defense program.6310Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control.
AC-3(10) ¶ 1512Establish, implement, and maintain access control policies.645Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system.
AC-4(15) ¶ 16763Constrain the information flow of restricted data or restricted information.6763Constrain the information flow of restricted data or restricted information.
6761Perform content filtering scans on network traffic.
AC-4(18) ¶ 14542Establish and maintain information flow procedures.6764Associate records with their security attributes.
AC-16b.6764Associate records with their security attributes.6764Associate records with their security attributes.
968Retain records in accordance with applicable requirements.
AC-16c.6764Associate records with their security attributes.3Interpret and apply security requirements based upon the information classification of the system.
AC-16d.6764Associate records with their security attributes.1903Apply security controls to each level of the information classification standard.
AC-16(6) ¶ 16764Associate records with their security attributes.12304Document the roles and responsibilities for all activities that protect restricted data in the information security procedures.
AC-16(7) ¶ 16764Associate records with their security attributes.7184Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy.
AC-16(9) ¶ 16764Associate records with their security attributes.13036Establish and maintain records management systems, as necessary.
AC-16(10) ¶ 16765Reconfigure the security attributes of records as the information changes.11885Assign information security responsibilities to interested personnel and affected parties in the information security program.
AC-16(1) ¶ 16765Reconfigure the security attributes of records as the information changes.6765Reconfigure the security attributes of records as the information changes.
6764Associate records with their security attributes.
AC-21(2) ¶ 16310Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control.10010Provide structures for searching for items stored in the Electronic Document and Records Management system.
AC-24(1) ¶ 14553Enable access control for objects and users on each system.1410Establish, implement, and maintain information flow control policies inside the system and between interconnected systems.
AC-24(2) ¶ 14553Enable access control for objects and users on each system.11836Include the objects and users subject to access control in the security policy.
AU-5b.6290Protect the event logs from failure.10679Shut down systems when an integrity violation is detected, as necessary.
14308Overwrite the oldest records when audit logging fails.
1712Configure the security parameters for all logs.
AU-5(3) ¶ 11619Establish and maintain system capacity monitoring procedures.1619Establish and maintain system capacity monitoring procedures.
6883Establish, implement, and maintain rate limiting filters.
AU-10(1)(a)6764Associate records with their security attributes.12729Assign an information owner to organizational assets, as necessary.
AU-10(1)(b)6764Associate records with their security attributes.920Establish and maintain data input and data access authorization tracking.
AU-10(2)(a)6764Associate records with their security attributes.920Establish and maintain data input and data access authorization tracking.
AU-10(3) ¶ 1567Implement non-repudiation for transactions.13203Validate transactions using identifiers and credentials.
AU-13 Control10419Search the Internet for evidence of data leakage.10419Search the Internet for evidence of data leakage.
10593Review monitored websites for data leakage.
CA-8(2) ¶ 11277Perform network-layer penetration testing on all systems, as necessary.12131Conduct Red Team exercises, as necessary.
PE-18(1) ¶ 16351Define selection criteria for facility locations.6351Define selection criteria for facility locations.
6479Employ risk assessment procedures that take into account the target environment.
PE-20a.10626Attach asset location technologies to distributed Information Technology assets.10626Attach asset location technologies to distributed Information Technology assets.
11684Monitor the location of distributed Information Technology assets.
CM-3(3) ¶ 12130Create a Configuration Baseline Documentation Record before promoting the system to a production environment.12103Review and update Configuration Baseline Documentation Records, as necessary.
12503Apply configuration standards to all systems, as necessary.
CM-5(4) ¶ 111776Implement changes according to the change control program.11776Implement changes according to the change control program.
887Manage change requests.
CM-6a.2132Establish and maintain an accurate Configuration Management Database with accessible reporting capabilities.11953Establish and maintain configuration standards for all systems based upon industry best practices.
CM-7(3) ¶ 1537Include a protocols, ports, applications, and services list in the firewall and router configuration standard.12547Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard.
CP-2(6) ¶ 1742Designate an alternate facility in the continuity plan.744Prepare the alternate facility for an emergency offsite relocation.
1169Include restoration procedures in the continuity plan.
CP-2(7) ¶ 11386Coordinate continuity planning with other business units responsible for related continuity plans.13242Coordinate and incorporate supply chain members' continuity plans, as necessary.
CP-4(3) ¶ 11389Automate the off-site testing to more thoroughly test the continuity plan.755Test the continuity plan, as necessary.
CP-11 Control1294Include Wide Area Network continuity procedures in the continuity plan.750Include emergency communications procedures in the continuity plan.
CP-8(5) ¶ 1755Test the continuity plan, as necessary.12777Validate the emergency communications procedures during continuity plan tests.
IA-2(6) ¶ 1561Implement two-factor authentication techniques.561Implement two-factor authentication techniques.
6836Establish and maintain a register of approved third parties, technologies and tools.
IA-2(7) ¶ 1561Implement two-factor authentication techniques.561Implement two-factor authentication techniques.
6836Establish and maintain a register of approved third parties, technologies and tools.
IA-2(10) ¶ 111841Include digital identification procedures in the access control program.553Enable logon authentication management techniques.
 IA-4 Control0UCF CE List515Control the addition and modification of user identifiers, user credentials, or other object identifiers.
IA-4(2) ¶ 1515Control the addition and modification of user identifiers, user credentials, or other object identifiers.515Control the addition and modification of user identifiers, user credentials, or other object identifiers.
6641Review and approve logical access to all assets based upon organizational policies.
IA-4(6) ¶ 1515Control the addition and modification of user identifiers, user credentials, or other object identifiers.12201Provide identification mechanisms for the organization's supply chain members.
IA-4(7) ¶ 18712Require multiple forms of personal identification prior to issuing user IDs.13750Support the identity proofing process through in-person proofing or remote proofing.
IA-9 Control513Establish and maintain an access rights management plan.14053Establish, implement, and maintain identification and authentication procedures.
IA-9(1) ¶ 11429Require the system to identify and authenticate approved devices before establishing a connection to restricted data.14227Include coordination amongst entities in the identification and authentication policy.
IA-9(2) ¶ 11429Require the system to identify and authenticate approved devices before establishing a connection to restricted data.14053Establish, implement, and maintain identification and authentication procedures.
IR-3(1) ¶ 16752Use automated mechanisms in the training environment, where appropriate.1216Test the incident response procedures.
IR-4(10) ¶ 11212Share incident information with interested personnel and affected parties.13196Coordinate incident response activities with interested personnel and affected parties.
MA-4(4) ¶ 10UCF CE List1433Control remote maintenance according to the system's asset classification.
MA-4(7) ¶ 14262Activate third party maintenance accounts and user identifiers, as necessary.12083Terminate remote maintenance sessions when the remote maintenance is complete.
MA-5(4)(b)1434Conduct maintenance with authorized personnel.11873Control granting access to third parties performing maintenance on organizational assets.
6509Include a description of the product or service to be provided in third party contracts.
MP-4a.11664Physically secure all electronic storage media that store restricted data or restricted information.11664Physically secure all electronic storage media that store restricted data or restricted information.
965Control the storage of restricted storage media.
MP-4(2) ¶ 1371Establish and maintain access controls for all records.12462Authorize physical access to sensitive areas based on job functions.
6797Monitor for unauthorized physical access at physical entry points.
12080Establish and maintain a physical access log.
PE-2(2) ¶ 1713Establish and maintain physical identification procedures.6701Check the visitor's stated identity against a provided government issued identification.
PE-3(2) ¶ 11441Control the delivery of assets through physical entry points and physical exit points.11681Control the removal of assets through physical entry points and physical exit points.
PE-3(3) ¶ 16653Employ security guards to provide physical security, as necessary.6653Employ security guards to provide physical security, as necessary.
11669Maintain all security alarm systems.
PE-5(1)(b)926Establish, implement, and maintain document handling procedures for paper documents.11656Establish and maintain document security requirements for the output of records.
PE-5(2)(a)926Establish, implement, and maintain document handling procedures for paper documents.371Establish and maintain access controls for all records.
PE-5(2)(b)926Establish, implement, and maintain document handling procedures for paper documents.372Provide audit trails for all pertinent records.
PL-9 Control6328Adhere to operating procedures as defined in the Standard Operating Procedures Manual.12415Establish and maintain a baseline of internal controls.
RA-3b.6481Include the results of the risk assessment in the risk assessment report.6481Include the results of the risk assessment in the risk assessment report.
6481Include the results of the risk assessment in the risk assessment report.11978Include risk assessment results in the risk treatment plan.
6481Include the results of the risk assessment in the risk assessment report.
SA-4(3) ¶ 11447Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets.1447Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets.
1124Include security requirements in system acquisition contracts.
14256Include a description of the development environment and operational environment in system acquisition contracts.
1100Perform Quality Management on all newly developed or modified systems.
SA-4(5)(b)1446Provide a Configuration Management plan by the Information System developer for all newly acquired information technology assets.12503Apply configuration standards to all systems, as necessary.
SA-4(6)(a)1133Establish, implement, and maintain a product and services acquisition strategy.6836Establish and maintain a register of approved third parties, technologies and tools.
SA-11(3)(b)11638Assign vulnerability scanning to qualified personnel or external third parties.11638Assign vulnerability scanning to qualified personnel or external third parties.
12186Grant access to authorized personnel.
SA-11(7) ¶ 11100Perform Quality Management on all newly developed or modified systems.1447Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets.
SA-12(5) ¶ 18808Establish, implement, and maintain a supply chain management policy.8811Include risk management procedures in the supply chain management policy.
SA-12(7) ¶ 11135Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study.1129Conduct an acquisition feasibility study prior to acquiring Information Technology assets.
1144 Establish, implement, and maintain facilities, assets, and services acceptance procedures.
12218Establish and maintain product update procedures.
SA-12(11) ¶ 18811Include risk management procedures in the supply chain management policy.8854Conduct all parts of the supply chain due diligence process.
8861Assign the appropriate individuals or groups to oversee and support supply chain due diligence.
655Perform penetration tests, as necessary.
SA-12(8) ¶ 18811Include risk management procedures in the supply chain management policy.8854Conduct all parts of the supply chain due diligence process.
SA-12(9) ¶ 18818Use third parties that are compliant with the applicable requirements.13109Establish and maintain information security controls for the supply chain.
SA-12(13) ¶ 11435Perform periodic maintenance according to organizational standards.6388Maintain contact with the device manufacturer or component manufacturer for maintenance requests.
SA-12(14) ¶ 18958Include a unique reference identifier on products for sale.8958Include a unique reference identifier on products for sale.
968Retain records in accordance with applicable requirements.
SA-12(15) ¶ 18810Include a clear management process in the supply chain management policy.8815Implement measurable improvement plans with all third parties.
SA-13b.1124Include security requirements in system acquisition contracts.1125Include security controls in system acquisition contracts.
SA-15(1)(b)8667Include measurable system performance requirements in the system design specification.1100Perform Quality Management on all newly developed or modified systems.
SA-15(2) ¶ 11096Supervise and monitor outsourced development projects.14307Require the information system developer to create a continuous monitoring plan.
SA-15(4) ¶ 10UCF CE List6829Include threat models in the system design specification.
11828Perform vulnerability assessments, as necessary.
SA-15(7)(a)11637Perform vulnerability scans, as necessary.11637Perform vulnerability scans, as necessary.
SA-15(7)(b)11744Establish and maintain system testing procedures.11940Rank discovered vulnerabilities.
SA-15(7)(c)6910Change the scope, definition, and work breakdown of the system development project after corrective actions are taken.6909Initiate preventive actions to achieve the system development project's goals and outputs.
SA-15(7)(d)4881Recommend mitigation techniques based on penetration test results.11639Recommend mitigation techniques based on vulnerability scan reports.
SA-15(8) ¶ 111637Perform vulnerability scans, as necessary.6829Include threat models in the system design specification.
1000Perform a risk assessment for each system development project.
SA-15(9) ¶ 11103Restrict production data from being used in the test environment.11744Establish and maintain system testing procedures.
6609Document the procedures and environment used to create the system or software.
1103Restrict production data from being used in the test environment.
SA-15(10) ¶ 1588Include intrusion detection procedures in the Incident Management program.12056Establish and maintain an incident response plan.
SA-17(2)(a)4558Establish, implement, and maintain a system implementation representation document.8666Include hardware requirements in the system design specification.
8664Include supporting software requirements in the system design specification.
SA-17(3)(c)4556Include all confidentiality, integrity, and availability functions in the system design specification.4559Include the relationships and dependencies between modules in the system design specification.
SA-17(3)(e)4556Include all confidentiality, integrity, and availability functions in the system design specification.11734Include a description of each module and asset in the system design specification.
SA-17(4)(c)4556Include all confidentiality, integrity, and availability functions in the system design specification.4559Include the relationships and dependencies between modules in the system design specification.
SA-17(4)(d)4556Include all confidentiality, integrity, and availability functions in the system design specification.4559Include the relationships and dependencies between modules in the system design specification.
SA-17(4)(e)4556Include all confidentiality, integrity, and availability functions in the system design specification.11734Include a description of each module and asset in the system design specification.
SA-17(6)11744Establish and maintain system testing procedures.1101Establish and maintain a system testing program for all system development projects.
SA-19a.10641Establish and maintain an anti-counterfeit program for acquiring new systems.10641Establish and maintain an anti-counterfeit program for acquiring new systems.
10643Scan for potential counterfeit parts and potential counterfeit components.
11510Seize counterfeit products.
SA-19b.10642Create and distribute a counterfeit product report.11494Disseminate and communicate the counterfeit product report to the supplier.
10642Create and distribute a counterfeit product report.11490Disseminate and communicate the counterfeit product report to appropriate law enforcement authorities.
10642Create and distribute a counterfeit product report.10642Create and distribute a counterfeit product report.
SA-19(2) ¶ 1863Establish and maintain configuration control and Configuration Status Accounting for each system.863Establish and maintain configuration control and Configuration Status Accounting for each system.
863Establish and maintain configuration control and Configuration Status Accounting for each system.
SA-21a.6507Include compliance with the organization's access policy as a requirement in third party contracts.12186Grant access to authorized personnel.
SA-21b.790Include third party requirements for personnel security in third party contracts.11700Establish and maintain personnel screening procedures.
SA-21(1) ¶ 1790Include third party requirements for personnel security in third party contracts.11663Establish, implement, and maintain access control procedures.
11700Establish and maintain personnel screening procedures.
SA-22b.10645Obtain justification for the continued use of system components when third party support is no longer available.10645Obtain justification for the continued use of system components when third party support is no longer available.
912Capture the records required by organizational compliance requirements.
SA-22(1) ¶ 16389Plan and conduct maintenance so that it does not interfere with scheduled operations.1435Perform periodic maintenance according to organizational standards.
SA-15(4)(b)11637Perform vulnerability scans, as necessary.14282Implement scanning tools, as necessary.
11828Perform vulnerability assessments, as necessary.
SC-3(1) ¶ 111858Separate user functionality from system management functionality.12254Design the hardware security module to enforce the separation between applications.
SC-3(3) ¶ 16767Separate processing domains to segregate user privileges and enhance information flow control.11858Separate user functionality from system management functionality.
SC-3(5) ¶ 16767Separate processing domains to segregate user privileges and enhance information flow control.6767Separate processing domains to segregate user privileges and enhance information flow control.
6767Separate processing domains to segregate user privileges and enhance information flow control.
11843Implement segregation of duties.
SC-5(3)(b)11752Establish and maintain system performance monitoring procedures.1619Establish and maintain system capacity monitoring procedures.
SC-7(9)(a)1295Restrict outbound network traffic from systems that contain restricted data or restricted information.1295Restrict outbound network traffic from systems that contain restricted data or restricted information.
6761Perform content filtering scans on network traffic.
SC-7(14) ¶ 111852Deny network access to rogue devices until network access approval has been received.718Establish and maintain physical security controls for distributed Information Technology assets.
SC-7(15) ¶ 111842Manage all external network connections.1421Control remote access through a network access control.
SC-7(17) ¶ 1544Establish and maintain a Boundary Defense program.11845Include configuration management and rulesets in the network access control standard.
SC-16(1) ¶ 16764Associate records with their security attributes.923Establish and maintain data processing integrity controls.
SC-18(1) ¶ 1574Establish, implement, and maintain a malicious code protection program.10034Monitor systems for unauthorized mobile code.
13691Remove malware when malicious code is discovered.
SC-18(2) ¶ 11136Establish, implement, and maintain a product and services acquisition program.1138Establish, implement, and maintain a software product acquisition methodology.
1094Develop systems in accordance with the system design specifications and system design standards.
1355Include asset use policies in the Acceptable Use Policy.
SC-18(3) ¶ 14576Restrict downloading to reduce malicious code attacks.4576Restrict downloading to reduce malicious code attacks.
11081Configure the "Prevent launch an application" setting to organizational standards.
SC-18(4) ¶ 110034Monitor systems for unauthorized mobile code.11081Configure the "Prevent launch an application" setting to organizational standards.
10034Monitor systems for unauthorized mobile code.
SC-23(3) ¶ 17074Use randomly generated session identifiers.7074Use randomly generated session identifiers.
4553Enable access control for objects and users on each system.
SC-25 Control882Remove all unnecessary functionality.882Remove all unnecessary functionality.
7599Configure Least Functionality and Least Privilege settings to organizational standards.
SC-27 Control0UCF CE List895Establish and maintain software asset management procedures.
SC-28(2) ¶ 1951Establish and maintain a records lifecycle management program.968Retain records in accordance with applicable requirements.
SC-29 Control1046Identify system design strategies.1115Manage the system implementation process.
SC-30(3) ¶ 110651Change the locations of processing facilities at random intervals.10651Change the locations of processing facilities at random intervals.
10661Change the locations of storage facilities at random intervals.
SC-30(5) ¶ 1582Determine if honeypots should be installed, and if so, where the honeypots should be placed.7110Establish, implement, and maintain virtualization configuration settings.
SC-31(3) ¶ 110655Reduce the maximum bandwidth of covert channels.10653Estimate the maximum bandwidth of any covert channels.
SC-34(2) ¶ 1946Implement electronic storage media integrity controls.946Implement electronic storage media integrity controls.
969Maintain continued integrity for all stored data and stored records.
SC-37 Control10665Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary.10665Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary.
1441Control the delivery of assets through physical entry points and physical exit points.
SC-38 Control6491Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan.13479Protect confidential information during the system development life cycle program.
SC-40(3) ¶ 16078Configure wireless communication to be encrypted using strong cryptography.11623Scan wireless networks for rogue devices.
11852Deny network access to rogue devices until network access approval has been received.
SC-42a.10666Prohibit the remote activation of environmental sensors on mobile devices.10666Prohibit the remote activation of environmental sensors on mobile devices.
10667Configure environmental sensors on mobile devices.
SC-43a.1350Establish and maintain an Acceptable Use Policy.1350Establish and maintain an Acceptable Use Policy.
1111Establish and maintain a system implementation standard.
SC-43b.1351Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy.1351Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy.
585Monitor systems for inappropriate usage and other security violations.
11665Control user privileges.
SC-8 Control564Use strong data encryption to transmit restricted data or restricted information over public networks.11859Protect data from unauthorized disclosure while transmitting between separate parts of the system.
4554Protect data from modification or loss while transmitting between separate parts of the system.
SC-13 Control4546Establish, implement, and maintain an encryption management and cryptographic controls policy.570Manage the use of encryption controls and cryptographic controls.
12491Employ only secure versions of cryptographic controls.
SI-3(6)(b)661Create specific test plans to test each system component.11901Test security systems and associated security procedures, as necessary.
11901Test security systems and associated security procedures, as necessary.
SI-3(8) ¶ 1585Monitor systems for inappropriate usage and other security violations.585Monitor systems for inappropriate usage and other security violations.
12045Alert interested personnel and affected parties when an unauthorized modification to critical files is detected.
645Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system.
558Enforce privileged accounts and non-privileged accounts for system access.
SI-3(9) ¶ 1562Protect remote access accounts with encryption.559Control all methods of remote access and teleworking.
SI-3(10)(b)10673Incorporate the malicious code analysis into the patch management program.10673Incorporate the malicious code analysis into the patch management program.
14016Communicate threat intelligence to interested personnel and affected parties.
SI-4(7) ¶ 16430Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System.6430Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System.
6942Respond to and triage when a security incident is detected.
SI-4(9) ¶ 11216Test the incident response procedures.11901Test security systems and associated security procedures, as necessary.
SI-4(13)(b)596Review and update event logs and audit logs, as necessary.643Include a standard to collect and interpret event logs in the event logging procedures.
SI-4(17) ¶ 1596Review and update event logs and audit logs, as necessary.1424Compile the event logs of multiple components into a system-wide time-correlated audit trail.
SI-7(8) ¶ 16332Configure all logs to capture auditable events or actionable events.640Enable logging for all systems that meet a traceability criteria.
1337Configure the log to send alerts for each auditable events success or failure.6332Configure all logs to capture auditable events or actionable events.
1337Configure the log to send alerts for each auditable events success or failure.1337Configure the log to send alerts for each auditable events success or failure.
1552Enable and configure auditing operations and logging operations, as necessary.1337Configure the log to send alerts for each auditable events success or failure.
10678Automatically respond when an integrity violation is detected.
SI-7(9) ¶ 11905Establish and maintain the systems' availability level.1906Establish and maintain the systems' integrity level.
SI-7(10) ¶ 11905Establish and maintain the systems' availability level.1909Define integrity controls.
SI-7(11) ¶ 1868Establish and maintain a software accountability policy.6749Include a software installation policy in the Acceptable Use Policy.
SI-7(12) ¶ 1868Establish and maintain a software accountability policy.6749Include a software installation policy in the Acceptable Use Policy.
SI-7(13) ¶ 16551Establish and maintain a virtual environment and shared resources security program.10648Execute permitted mobile code in confined virtual machine environments.
6749Include a software installation policy in the Acceptable Use Policy.
SI-10(1)(b)924Establish and maintain Automated Data Processing validation checks and editing checks.558Enforce privileged accounts and non-privileged accounts for system access.
SI-10(1)(c)6332Configure all logs to capture auditable events or actionable events.645Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system.
SI-13(1) ¶ 11256Reconfigure restored systems to meet the Recovery Point Objectives.6276Establish, implement, and maintain a system redeployment program.
SI-13(3) ¶ 11256Reconfigure restored systems to meet the Recovery Point Objectives.13476Restore systems and environments to be operational.
SI-13(4)(a)1256Reconfigure restored systems to meet the Recovery Point Objectives.11693Reconfigure restored systems to meet the Recovery Time Objectives.
SI-13(4)(b)4544Monitor systems for errors and faults.10678Automatically respond when an integrity violation is detected.
10679Shut down systems when an integrity violation is detected, as necessary.
SI-14(1) ¶ 14890Establish and maintain a core supply inventory required to support critical business functions.6836Establish and maintain a register of approved third parties, technologies and tools.
SI-4a.0UCF CE List585Monitor systems for inappropriate usage and other security violations.
SI-6d.1206Establish and maintain incident response procedures.10679Shut down systems when an integrity violation is detected, as necessary.
10680Restart systems when an integrity violation is detected, as necessary.
SI-13b.1256Reconfigure restored systems to meet the Recovery Point Objectives.11693Reconfigure restored systems to meet the Recovery Time Objectives.
13476Restore systems and environments to be operational.
SI-15 Control930Establish and maintain paper document integrity requirements for the output of records.6627Perform regularly scheduled quality and integrity control reviews of output of records.
PM-1a.0UCF CE List812Establish and maintain an information security program.
815Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties.
PM-1a.1.820Establish and maintain an internal control framework.11740Establish and maintain an information security policy.
820Establish and maintain an internal control framework.
PM-1a.2.820Establish and maintain an internal control framework.11885Assign information security responsibilities to interested personnel and affected parties in the information security program.
11999Provide management direction and support for the information security program.
12294Describe the group activities that protect restricted data in the information security procedures.
6384Comply with all implemented policies in the organization's compliance framework.
PM-1a.3.815Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties.812Establish and maintain an information security program.
PM-1a.4.815Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties.11737Approve the information security policy at the organization's management level or higher.
PM-3a.6279Establish, implement, and maintain a Capital Planning and Investment Control policy.6279Establish, implement, and maintain a Capital Planning and Investment Control policy.
1630Document compliance exceptions, as necessary.
PM-3b.6279Establish, implement, and maintain a Capital Planning and Investment Control policy.6846Document the business case and return on investment in each Information Technology project plan.
PM-4a.2.6777Implement a corrective action plan in response to the audit report.705Document and communicate a corrective action plan based on the risk assessment findings.
PM-4a.3.6777Implement a corrective action plan in response to the audit report.705Document and communicate a corrective action plan based on the risk assessment findings.
PM-4b.675Create a corrective action plan to correct control deficiencies identified in an audit.11645Include monitoring in the corrective action plan.
PM-6671Establish and maintain a compliance monitoring policy.671Establish and maintain a compliance monitoring policy.
12857Monitor the performance of the governance, risk, and compliance capability.
676Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary.
PM-8710Establish and maintain facility maintenance procedures.6486Take into account the need for protecting information confidentiality during infrastructure planning.
PM-9a.685Establish and maintain the risk assessment framework.13209Establish and maintain risk management strategies, as necessary.
PM-9b.6446Establish, implement, and maintain risk assessment procedures.13661Integrate the risk management program with the organization's business activities.
PM-9c.6460Review the risk assessment procedures, as necessary.13049Review and update the risk management program, as necessary.
PM-10a.7109Approve the results of the risk assessment as documented in the risk assessment report.12004Review systems for compliance with organizational information security policies.
711Establish and maintain a facility physical security program.
PM-10c.6446Establish, implement, and maintain risk assessment procedures.14228Review and update the security assessment and authorization procedures, as necessary.
PM-11a.6495Address Information Security during the business planning processes.6495Address Information Security during the business planning processes.
698Include the risks to the organization's critical personnel and assets in the threat and risk classification scheme.
PM-11b.704Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary.12155Observe processes to determine the effectiveness of in scope controls.
675Create a corrective action plan to correct control deficiencies identified in an audit.
PM-13 Control785Train all personnel and third parties, as necessary.828Establish and implement training plans.
PM-14a.1.1406Establish, implement, and maintain a Governance, Risk, and Compliance framework.654Establish, implement, and maintain a testing program.
828Establish and implement training plans.
637Establish, implement, and maintain logging and monitoring operations.
PM-14a.2.1406Establish, implement, and maintain a Governance, Risk, and Compliance framework.818Implement and comply with the Governance, Risk, and Compliance framework.
PM-14b.817Review and update the Governance, Risk, and Compliance framework, as necessary.654Establish, implement, and maintain a testing program.
828Establish and implement training plans.
637Establish, implement, and maintain logging and monitoring operations.
PM-15a.11732Share relevant security information with Special Interest Groups, as necessary.2217Tailor training to meet published guidance on the subject being taught.
PM-15b.11732Share relevant security information with Special Interest Groups, as necessary.6489Include security information sharing procedures in the internal control framework.
PM-166494Monitor the organization's exposure to threats, as necessary.6494Monitor the organization's exposure to threats, as necessary.
6489Include security information sharing procedures in the internal control framework.
PM-1b.1348Review the internal control framework, as necessary.12744Monitor and review the effectiveness of the information security program.
PM-1c.1348Review the internal control framework, as necessary.817Review and update the Governance, Risk, and Compliance framework, as necessary.
13501Correct errors and deficiencies in a timely manner.
AP-1 Control6487Establish and maintain a personal data collection program.103Document the law that requires personal data to be collected.
AP-2 Control6281Establish, implement, and maintain a privacy policy.406Include the processing purpose in the privacy policy.
AR-1b.7113Establish and maintain a list of compliance documents.604Monitor regulatory trends to maintain compliance.
AR-1d.6281Establish, implement, and maintain a privacy policy.11850Establish and maintain a privacy framework that protects restricted data.
AR-1e.6281Establish, implement, and maintain a privacy policy.11850Establish and maintain a privacy framework that protects restricted data.
13346Disseminate and communicate the privacy policy, as necessary.
AR-2b.357Conduct personal data risk assessments.13712Establish, implement, and maintain a privacy impact assessment.
AR-3a.11610Include text about access, use, disclosure, and transfer of data or information in third party contracts.11610Include text about access, use, disclosure, and transfer of data or information in third party contracts.
1364Include third party acknowledgement of their data protection responsibilities in third party contracts.
AR-5a.828Establish and implement training plans.828Establish and implement training plans.
12868Update training plans, as necessary.
AR-5b.6664Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment.785Train all personnel and third parties, as necessary.
6674Tailor training to be taught at each person's level of responsibility.
AR-6 Control383Register with public bodies and notify the Data Commissioner before processing personal data.383Register with public bodies and notify the Data Commissioner before processing personal data.
7029Include the organization's privacy practices in the audit report.
AR-8a.372Provide audit trails for all pertinent records.13022Establish and maintain a disclosure accounting record.
AR-8a.(1)7133Include the disclosure date in the disclosure accounting record.7133Include the disclosure date in the disclosure accounting record.
7135Include the disclosure purpose in the disclosure accounting record.7135Include the disclosure purpose in the disclosure accounting record.
4680Include what information was disclosed and to whom in the disclosure accounting record.
AR-8a.(2)4680Include what information was disclosed and to whom in the disclosure accounting record.7134Include the disclosure recipient in the disclosure accounting record.
AR-8b.167Establish and maintain personal data retention procedures.968Retain records in accordance with applicable requirements.
DI-1a.88Check the accuracy of personal data.88Check the accuracy of personal data.
90Check that personal data is complete.90Check that personal data is complete.
11831Use personal data for specified purposes.
91Keep personal data up-to-date and valid.
DI-1c.88Check the accuracy of personal data.88Check the accuracy of personal data.
462Change or destroy any personal data that is incorrect.
DI-1(1) ¶ 189Record personal data correctly.13187Establish and maintain customer data authentication procedures.
DI-2a.88Check the accuracy of personal data.923Establish and maintain data processing integrity controls.
DI-2b.843Review and approve all Service Level Agreements.806Establish and maintain high level operational roles and responsibilities.
DI-2(1) ¶ 1375Establish, implement, and maintain a personal data transparency program.379Publish a description of activities about processing personal data in an official register.
DM-1a.27Collect and record personal data for specific, explicit, and legitimate purposes.78Collect the minimum amount of personal data necessary.
DM-1b.27Collect and record personal data for specific, explicit, and legitimate purposes.78Collect the minimum amount of personal data necessary.
167Establish and maintain personal data retention procedures.
DM-1c.11756Establish and maintain data handling procedures.507Establish and maintain personal data collection limitation boundaries.
13428Establish and maintain a personal data use limitation program.
DM-1(1) ¶ 17126Establish, implement, and maintain de-identifying and re-identifying procedures.13498Establish, implement, and maintain personal data disposition procedures.
7126Establish, implement, and maintain de-identifying and re-identifying procedures.
DM-2b.125Dispose of media and personal data in a timely manner.125Dispose of media and personal data in a timely manner.
7126Establish, implement, and maintain de-identifying and re-identifying procedures.
DM-2c.125Dispose of media and personal data in a timely manner.13498Establish, implement, and maintain personal data disposition procedures.
DM-2(1) ¶ 1167Establish and maintain personal data retention procedures.11890Configure the log to capture creates, reads, updates, or deletes of records containing personal data.
11890Configure the log to capture creates, reads, updates, or deletes of records containing personal data.
DM-3b.96Refrain from using personal data collected for research and statistics for other purposes.13606Implement security measures to protect personal data.
DM-3(1) ¶ 196Refrain from using personal data collected for research and statistics for other purposes.13606Implement security measures to protect personal data.
IP-2d.103Document the law that requires personal data to be collected.4794Follow legal obligations while processing personal data.
IP-3b.467Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections.467Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections.
463Notify the data subject of changes made to personal data as the result of a dispute.
SE-1b.689Establish and maintain an Information Technology inventory with asset discovery audit trails.6631Establish, implement, and maintain an asset inventory.
SE-2a.588Include intrusion detection procedures in the Incident Management program.12056Establish and maintain an incident response plan.
SE-2b.364Include data loss event notifications in the Incident Response program.6942Respond to and triage when a security incident is detected.
TR-1a.(i)393Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.379Publish a description of activities about processing personal data in an official register.
101Post the collection purpose.
397Provide the data subject with a description of the type of information held by the organization and a general account of its use.
399Provide the data subject with what personal data is made available to related organizations or subsidiaries.
12585Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data.
393Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.
12587Provide the data subject with the data retention period for personal data.
TR-1a.(ii)393Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.103Document the law that requires personal data to be collected.
AC-6(6)2Include business security requirements in the access classification scheme.558Enforce privileged accounts and non-privileged accounts for system access.
AR-8c.399Provide the data subject with what personal data is made available to related organizations or subsidiaries.14433Provide the data subject with a copy of the disclosure accounting record.
TR-1a.(iii)393Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.406Include the processing purpose in the privacy policy.
13111Include the consequences of refusing to provide required information in the privacy policy.
TR-1a.(iv)396Provide the data subject with the means of gaining access to personal data held by the organization.396Provide the data subject with the means of gaining access to personal data held by the organization.
457Notify individuals of their right to challenge personal data.
TR-1b.(i)6487Establish and maintain a personal data collection program.397Provide the data subject with a description of the type of information held by the organization and a general account of its use.
101Post the collection purpose.
TR-1b.(ii)N/AN/A397Provide the data subject with a description of the type of information held by the organization and a general account of its use.
TR-1b.(iii)409Include other organizations that personal data is being disclosed to in the privacy policy.409Include other organizations that personal data is being disclosed to in the privacy policy.
13459Include the types of third parties to which personal data is disclosed in the privacy notice.
399Provide the data subject with what personal data is made available to related organizations or subsidiaries.
TR-1b.(iv)30Collect personal data when an individual gives consent.13503Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice.
469Give individuals the ability to change the uses of their personal data.
TR-1b.(vi)353Establish, implement, and maintain data handling policies.12585Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data.
TR-1c.6281Establish, implement, and maintain a privacy policy.13474Update and redeliver privacy notices, as necessary.
TR-1(1) ¶ 195Notify the data subject of the collection purpose.132Notify the data subject before personal data is collected, used, or disclosed.
TR-2c.N/AN/A13444Deliver privacy notices to data subjects, as necessary.
TR-2(1) ¶ 1375Establish, implement, and maintain a personal data transparency program.379Publish a description of activities about processing personal data in an official register.
TR-3a.394Provide the data subject with the name, title, and address of the individual accountable for the organizational policies.379Publish a description of activities about processing personal data in an official register.
394Provide the data subject with the name, title, and address of the individual accountable for the organizational policies.
UL-2a.93Establish, implement, and maintain a personal data use purpose specification.133Establish and maintain personal data disclosure procedures.
UL-2b.6518Include compliance with the organization's privacy policy in third party contracts.6510Include a description of the data or information to be covered in third party contracts.
838Establish and maintain Service Level Agreements with the organization's supply chain.11610Include text about access, use, disclosure, and transfer of data or information in third party contracts.
UL-2c.785Train all personnel and third parties, as necessary.12971Monitor systems for unauthorized data transfers.
296Include disciplinary actions in the Acceptable Use Policy.12679Include the stipulation of allowing auditing for compliance in the Data Processing Contract.
13757Conduct personal data processing training.
11747Establish and maintain consequences for non-compliance with the organizational compliance framework.
PM-15c.1358Include continuous security warning monitoring procedures in the internal control framework.11732Share relevant security information with Special Interest Groups, as necessary.
CP-8(4)(c)1365Review all third party's continuity plan test results.1365Review all third party's continuity plan test results.
1423Document all training in a training record.
SC-7(4)(e)1632Review the compliance exceptions in the exceptions document, as necessary.1632Review the compliance exceptions in the exceptions document, as necessary.
882Remove all unnecessary functionality.
CP-9(6) ¶ 11250Include technical preparation considerations for backup operations in the continuity plan.742Designate an alternate facility in the continuity plan.
SC-8(2) ¶ 1812Establish and maintain an information security program.356Limit data leakage.
923Establish and maintain data processing integrity controls.
SI-2(6) ¶ 110671Remove outdated computer firmware after the computer firmware has been updated.10671Remove outdated computer firmware after the computer firmware has been updated.
11792Remove outdated software after software has been updated.
AU-5(4) ¶ 16290Protect the event logs from failure.10679Shut down systems when an integrity violation is detected, as necessary.
10678Automatically respond when an integrity violation is detected.
SC-34(3)(b)10660Implement procedures to manually disable hardware write-protect to change firmware.10660Implement procedures to manually disable hardware write-protect to change firmware.
10659Implement hardware-based, write-protect for system firmware components.
SI-4(13)(c)7047Eliminate false positives in event logs and audit logs.7047Eliminate false positives in event logs and audit logs.
596Review and update event logs and audit logs, as necessary.