AI & Autonomous Technologies Business Case
Mechanisms exist to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Context Definition
Mechanisms exist to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including:
 - Intended purposes;
 - Potentially beneficial uses;
 - Context-specific laws and regulations;
 - Norms and expectations; and
 - Prospective settings in which the system(s) will be deployed.
AI & Autonomous Technologies Continuous Improvements
Mechanisms exist to continuously improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) capabilities to maximize benefits and minimize negative impacts associated with AAT.
AI & Autonomous Technologies Cost / Benefit Mapping
Mechanisms exist to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data.
AI & Autonomous Technologies Domain Expert Reviews
Mechanisms exist to utilize input from domain experts and relevant stakeholders to validate whether the Artificial Intelligence (AI) and Autonomous Technologies (AAT) perform consistently, as intended.
AI & Autonomous Technologies End User Feedback
Mechanisms exist to collect and integrate feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics.
AI & Autonomous Technologies Environmental Impact & Sustainability
Mechanisms exist to assess and document the environmental impacts and sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Fairness & Bias
Mechanisms exist to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented population defined by race, religion, gender identity, national origin, disability or any other politically-charged identifier.
AI & Autonomous Technologies Harm Prevention
Mechanisms exist to proactively prevent harm by regularly identifying and tracking existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.
AI & Autonomous Technologies Human Subject Protections
Mechanisms exist to protect human subjects from harm.
AI & Autonomous Technologies Impact Characterization
Mechanisms exist to characterize the impacts of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT) on individuals, groups, communities, organizations and society.
AI & Autonomous Technologies Implementation Tasks Definition
Mechanisms exist to define the tasks that Artificial Intelligence (AI) and Autonomous Technologies (AAT) will support (e.g., classifiers, generative models, recommenders).
AI & Autonomous Technologies Incident & Error Reporting
Mechanisms exist to communicate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related incidents and/or errors to relevant stakeholders, including affected communities.
AI & Autonomous Technologies Incidents
Mechanisms exist to handle failures or incidents with Artificial Intelligence (AI) and Autonomous Technologies (AAT) deemed to be high-risk.
AI & Autonomous Technologies Intellectual Property Infringement Protections
Mechanisms exist to prevent third-party Intellectual Property (IP) rights infringement by Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Internal Controls
Mechanisms exist to identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Knowledge Limits
Mechanisms exist to identify and document knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to provide sufficient information to assist relevant stakeholder decision making.
AI & Autonomous Technologies Likelihood & Impact Risk Analysis
Mechanisms exist to define the potential likelihood and impact of each identified risk based on expected use and past uses of Artificial Intelligence (AI) and Autonomous Technologies (AAT) in similar contexts.
AI & Autonomous Technologies Measurement Approaches
Mechanisms exist to measure Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to deployment context(s) through review and consultation with industry experts, domain specialists and end users.
AI & Autonomous Technologies Mission and Goals Definition
Mechanisms exist to define and document the organization's mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Model Validation
Mechanisms exist to validate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) model.
AI & Autonomous Technologies Negative Residual Risks
Mechanisms exist to identify and document negative, residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers and end users of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Ongoing Assessments
Mechanisms exist to conduct regular assessments of Artificial Intelligence (AI) and Autonomous Technologies (AAT) with independent assessors and stakeholders not involved in the development of the AAT.
AI & Autonomous Technologies Performance Changes
Mechanisms exist to evaluate performance improvements or declines with domain experts and relevant stakeholders to define context-relevant risks and trustworthiness issues.
AI & Autonomous Technologies Potential Benefits Analysis
Mechanisms exist to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Potential Costs Analysis
Mechanisms exist to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness.
AI & Autonomous Technologies Production Monitoring
Mechanisms exist to monitor the functionality and behavior of the deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Requirements Definitions
Mechanisms exist to take socio-technical implications into account to address risks associated with Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Risk Management Decisions
Mechanisms exist to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.
AI & Autonomous Technologies Risk Mapping
Mechanisms exist to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements.
AI & Autonomous Technologies Risk Profiling
Mechanisms exist to document the risks and potential impacts of Artificial Intelligence (AI) and Autonomous Technologies (AAT) designed, developed, deployed, evaluated and used.
AI & Autonomous Technologies Risk Response
Mechanisms exist to prioritize, respond to and remediate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks based on assessments and other analytical output.
AI & Autonomous Technologies Risk Tracking Approaches
Mechanisms exist to track Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks that are difficult to assess using currently available measurement techniques or where metrics are not yet available.
AI & Autonomous Technologies Stakeholder Competencies
Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related operator and practitioner proficiency requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT) are defined, assessed and documented.
AI & Autonomous Technologies Stakeholder Diversity
Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholder competencies, skills and capacities incorporate demographic diversity, broad domain and user experience expertise.
AI & Autonomous Technologies Stakeholder Feedback Integration
Mechanisms exist to regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Supply Chain Impacts
Mechanisms exist to address Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks and benefits arising from the organization's supply chain, including third-party software and data.
AI & Autonomous Technologies Targeted Application Scope
Mechanisms exist to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Training
Mechanisms exist to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Value Sustainment
Mechanisms exist to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI & Autonomous Technologies Viability Decisions
Mechanisms exist to define the criteria as to whether Artificial Intelligence (AI) and Autonomous Technologies (AAT) achieved intended purposes and stated objectives to determine whether its development or deployment should proceed.
AI & Autonomous Technologies-Related Legal Requirements Definition
Mechanisms exist to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI TEVV Comparable Deployment Settings
Mechanisms exist to evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance or the assurance criteria demonstrated for conditions similar to deployment settings.
AI TEVV Effectiveness
Mechanisms exist to evaluate the effectiveness of the processes utilized to perform Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV).
AI TEVV Fairness & Bias Assessment
Mechanisms exist to examine fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
AI TEVV Post-Deployment Monitoring
Mechanisms exist to proactively and continuously monitor deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI TEVV Privacy Assessment
Mechanisms exist to examine the data privacy risk of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
AI TEVV Resiliency Assessment
Mechanisms exist to evaluate the security and resilience of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
AI TEVV Results Evaluation
Mechanisms exist to evaluate the results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to determine the viability of the proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
AI TEVV Safety Demonstration
Mechanisms exist to demonstrate that the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are safe, that residual risk does not exceed the organization's risk tolerance and that they can fail safely, particularly if made to operate beyond their knowledge limits.
AI TEVV Tools
Mechanisms exist to document test sets, metrics and details about the tools used during Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices.
AI TEVV Transparency & Accountability Assessment
Mechanisms exist to examine risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
AI TEVV Trustworthiness Assessment
Mechanisms exist to evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT) for trustworthy behavior and operation including security, anonymization and disaggregation of captured and stored data for approved purposes.
AI TEVV Trustworthiness Demonstration
Mechanisms exist to demonstrate that the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are valid, reliable and operate as intended based on approved designs.
Acceptable Discoverable Information
Mechanisms exist to define what information is allowed to be discoverable by adversaries and take corrective actions to remediate non-compliant systems.
Acceptance of External Authenticators
Mechanisms exist to restrict the use of external authenticators to those that are National Institute of Standards and Technology (NIST)-compliant and maintain a list of accepted external authenticators.
Acceptance of PIV Credentials
Mechanisms exist to accept and electronically verify organizational Personal Identity Verification (PIV) credentials.
Acceptance of PIV Credentials from Other Organizations
Mechanisms exist to accept and electronically verify Personal Identity Verification (PIV) credentials from third-parties.
Acceptance of Third-Party Credentials
Automated mechanisms exist to accept Federal Identity, Credential and Access Management (FICAM)-approved third-party credentials.
Access Agreements
Mechanisms exist to require internal and third-party users to sign appropriate access agreements prior to being granted access.
Access Control For Mobile Devices
Mechanisms exist to enforce access control requirements for the connection of mobile devices to organizational systems.
Access Control for Output Devices
Physical security mechanisms exist to restrict access to printers and other system output devices to prevent unauthorized individuals from obtaining the output.
Access Enforcement
Mechanisms exist to enforce Logical Access Control (LAC) permissions that conform to the principle of "least privilege."
Access Restriction For Change
Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.
Access To Information Systems
Physical access control mechanisms exist to enforce physical access to critical information systems or sensitive/regulated data, in addition to the physical access controls for the facility.
Access To Sensitive / Regulated Data
Mechanisms exist to limit access to sensitive/regulated data to only those individuals whose job requires such access.
Access by Subset of Privileged Users
Mechanisms exist to restrict access to the management of event logs to privileged users with a specific business need.
Access to Program Source Code
Mechanisms exist to limit privileges to change software resident within software libraries.
Accessibility
Mechanisms exist to identify and mitigate potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.
Accessibility
Mechanisms exist to identify and mitigate potential accessibility problems to the alternate processing site and possible mitigation actions, in the event of an area-wide disruption or disaster.
Account Creation and Modification Logging
Automated mechanisms exist to generate event logs for permissions changes to privileged accounts and/or groups.
Account Disabling for High Risk Individuals
Mechanisms exist to disable accounts immediately upon notification for users posing a significant risk to the organization.
Account Lockout
Mechanisms exist to enforce a limit for consecutive invalid login attempts by a user during an organization-defined time period and automatically lock the account when the maximum number of unsuccessful attempts is exceeded.
Account Management
Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.
Accountability Information
Mechanisms exist to include capturing the name, position and/or role of individuals responsible/accountable for administering assets as part of the technology asset inventory process.
Accounting of Disclosures
Mechanisms exist to develop and maintain an accounting of disclosures of Personal Data (PD) held by the organization and make the accounting of disclosures available to the person named in the record, upon request.
Achieving Resilience Requirements
Mechanisms exist to achieve resilience requirements in normal and adverse situations.
Acquired Personal Data
Mechanisms exist to promptly inform data subjects of the utilization purpose when their Personal Data (PD) is acquired and not received directly from the data subject, except where that utilization purpose was disclosed in advance to the data subject.
Acquisition Strategies, Tools & Methods
Mechanisms exist to utilize tailored acquisition strategies, contract tools and procurement methods for the purchase of unique systems, system components or services.
Active Participation By Data Subjects
Mechanisms exist to compel data subjects to select the level of consent deemed appropriate by the data subject for the relevant business purpose (e.g., opt-in, opt-out, accept all cookies, etc.).
Ad-Hoc Transfers
Mechanisms exist to secure ad-hoc exchanges of large digital files with internal or external parties.
Adaptive Email Protections
Mechanisms exist to utilize adaptive email protections that involve employing risk-based analysis in the application and enforcement of email protections.
Adaptive Identification & Authentication
Mechanisms exist to allow individuals to utilize alternative methods of authentication under specific circumstances or situations.
Address Confirmation
Mechanisms exist to require that a notice of proofing be delivered through an out-of-band channel to verify the user's address (physical or digital).
Address Unauthorized Assets
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
Address Unauthorized Software
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
Adequate Security for Sensitive / Regulated Data In Support of Contracts
Mechanisms exist to protect sensitive / regulated data that is collected, developed, received, transmitted, used or stored in support of the performance of a contract.
Adequate Supply
Mechanisms exist to develop and implement a spare parts strategy to ensure that an adequate supply of critical components is available to meet operational needs.
Alert Threshold Tuning
Mechanisms exist to "tune" event monitoring technologies through analyzing communications traffic/event patterns and developing profiles representing common traffic patterns and/or events.
Alignment With Enterprise Architecture
Mechanisms exist to develop an enterprise architecture, aligned with industry-recognized leading practices, with consideration for cybersecurity & data privacy principles that addresses risk to organizational operations, assets, individuals and other organizations.
Allocation of Resources
Mechanisms exist to identify and allocate resources for management, operational, technical and data privacy requirements within business process planning for projects / initiatives.
Allowlist Authorized Libraries
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
Allowlist Authorized Scripts
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Allowlist Authorized Software
Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
Alternate Communications Paths
Mechanisms exist to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable.
Alternate Event Logging Capability
Mechanisms exist to provide an alternate event logging capability in the event of a failure in primary audit capability.
Alternate Physical Protection
Cryptographic mechanisms exist to prevent unauthorized disclosure of information as an alternative to physical safeguards.
Alternate Processing Site
Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.
Alternate Site Priority of Service
Mechanisms exist to address priority-of-service provisions in alternate processing and storage sites that support availability requirements, including Recovery Time Objectives (RTOs).
Alternate Sources for Continued Support
Mechanisms exist to provide in-house support or contract external providers for support with unsupported system components.
Alternate Storage & Processing Sites
Mechanisms exist to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations.
Alternate Storage Site
Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.
Alternate Work Site
Physical security mechanisms exist to utilize appropriate management, operational and technical controls at alternate work sites.
Alternative Security Measures
Mechanisms exist to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised.
Always On Protection
Mechanisms exist to ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Analyze Traffic for Covert Exfiltration
Automated mechanisms exist to analyze network traffic to detect covert data exfiltration.
Analyze and Prioritize Monitoring Requirements
Mechanisms exist to assess the organization's needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes.
Anomalous Behavior
Mechanisms exist to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.
Anti-Counterfeit Training
Mechanisms exist to train personnel to detect counterfeit system components, including hardware, software and firmware.
Appeal Adverse Decision
Mechanisms exist to provide an organization-defined process for data subjects to appeal an adverse decision and have incorrect information amended.
Application & Program Interface (API) Security
Mechanisms exist to ensure support for secure interoperability between components with Application & Program Interfaces (APIs).
Application Container
Mechanisms exist to utilize an application container (virtualization approach) to isolate to a known set of dependencies, access methods and interfaces.
Application Partitioning
Mechanisms exist to separate user functionality from system management functionality.
Application Penetration Testing
Mechanisms exist to perform application-level penetration testing of custom-made applications and services.
Approved Baseline Deviations
Mechanisms exist to document and govern instances of approved deviations from established baseline configurations.
Approved Configuration Deviations
Mechanisms exist to document, assess risk and approve or deny deviations to standardized configurations.
Approved Solutions
Automated mechanisms exist to examine information for the presence of unsanctioned information and prohibit the transfer of such information when transferring information between different security domains.
Architecture & Provisioning for Name / Address Resolution Service
Mechanisms exist to ensure systems that collectively provide Domain Name Service (DNS) resolution service are fault-tolerant and implement internal/external role separation.
Archived Data Sets
Mechanisms exist to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.
Archiving
Mechanisms exist to refrain from archiving Personal Data (PD) elements if those elements in a dataset will not be needed after the dataset is archived.
Archiving Software Releases
Mechanisms exist to archive software releases and all of their components (e.g., code, package files, third-party libraries, documentation) to maintain integrity verification information.
Artificial Intelligence (AI) & Autonomous Technologies Governance
Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.
Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)
Mechanisms exist to implement Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) practices to enable Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related testing, identification of incidents and information sharing.
Assess Controls
Mechanisms exist to compel data and/or process owners to assess if required cybersecurity & data privacy controls for each system, application and/or service under their control are implemented correctly and are operating as intended.
Assessment Boundaries
Mechanisms exist to establish the scope of assessments by defining the assessment boundary, according to people, processes and technology that directly or indirectly impact the confidentiality, integrity, availability and safety of the data and systems under review.
Assessments
Mechanisms exist to formally assess the cybersecurity & data privacy controls in systems, applications and services through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements.
Assessor Independence
Mechanisms exist to ensure assessors or assessment teams have the appropriate independence to conduct cybersecurity & data privacy control assessments.
Asset Categorization
Mechanisms exist to categorize technology assets.
Asset Collection
Mechanisms exist to retrieve organization-owned assets upon termination of an individual's employment.
Asset Governance
Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls.
Asset Inventories
Mechanisms exist to perform inventories of technology assets that:
 - Accurately reflect the current systems, applications and services in use;
 - Identify authorized software products, including business justification details;
 - Are at the level of granularity deemed necessary for tracking and reporting;
 - Include organization-defined information deemed necessary to achieve effective property accountability; and
 - Are available for review and audit by designated organizational personnel.
Asset Monitoring and Tracking
Physical security mechanisms exist to employ asset location technologies that track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.
Asset Ownership Assignment
Mechanisms exist to ensure asset ownership responsibilities are assigned, tracked and managed at a team, individual, or responsible organization level to establish a common understanding of requirements for asset protection.
Asset Scope Classification
Mechanisms exist to determine cybersecurity & data privacy control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all systems, applications, services and personnel (internal and third-parties).
Asset Storage In Automobiles
Mechanisms exist to educate users on the need to physically secure laptops and other mobile devices out of sight when traveling, preferably in the trunk of a vehicle.
Asset-Service Dependencies
Mechanisms exist to identify and assess the security of technology assets that support more than one critical business function.
Assigned Cybersecurity & Data Protection Responsibilities
Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity & data protection program.
Assigned Owners
Mechanisms exist to ensure cryptographic keys are bound to individual identities.
Assigned Responsibilities for AI & Autonomous Technologies
Mechanisms exist to define and differentiate roles and responsibilities for human-AI configurations and oversight of AI systems.
Assignment of Responsibility
Mechanisms exist to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties.
Association of Attributes By Authorized Individuals
Mechanisms exist to provide the capability to associate cybersecurity & data privacy attributes with individuals and objects by authorized individuals (or processes acting on behalf of individuals).
Asymmetric Keys
Mechanisms exist to facilitate the production and management of asymmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes that protect the user's private key.
Attack Surface Scope
Mechanisms exist to define and manage the scope for its attack surface management activities.
Attribute Configuration By Authorized Individuals
Mechanisms exist to provide authorized individuals the capability to define or change the type and value of cybersecurity & data privacy attributes available for association with subjects and objects.
Attribute Displays for Output Devices
Mechanisms exist to display cybersecurity & data privacy attributes in human-readable form on each object that the system transmits to output devices to identify special dissemination, handling or distribution instructions using human-readable, standard naming conventions.
Attribute Reassignment
Mechanisms exist to reclassify data as required, due to changing business/technical requirements.
Attribute Value Changes By Authorized Individuals
Mechanisms exist to provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated cybersecurity & data privacy attributes.
Attribute-Based Access Control (ABAC)
Mechanisms exist to enforce Attribute-Based Access Control (ABAC) for policy-driven, dynamic authorizations that supports the secure sharing of information.
Audit Activities
Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations.
Audit Changes
Mechanisms exist to audit changes to cybersecurity & data privacy attributes and respond to events in accordance with incident response procedures.
Audit Level Adjustments
Mechanisms exist to adjust the level of audit review, analysis and reporting based on evolving threat information from law enforcement, industry associations or other credible sources of threat intelligence.
Audit Trails
Mechanisms exist to link system access to individual users or service accounts.
Auditing Remote Maintenance
Mechanisms exist to audit remote, non-local maintenance and diagnostic sessions, as well as review the maintenance action performed during remote maintenance sessions.
Auditing Use of Privileged Functions
Mechanisms exist to audit the execution of privileged functions.
Authenticate, Authorize and Audit (AAA)
Mechanisms exist to strictly govern the use of Authenticate, Authorize and Audit (AAA) solutions, both on-premises and those hosted by an External Service Provider (ESP).
Authenticated Proxy
Mechanisms exist to force systems and processes to authenticate Internet-bound traffic with a proxy to enable user, group and/or location-aware security controls.
Authenticated Received Chain (ARC)
Mechanisms exist to utilize an authenticated received chain that allows for an intermediary to sign its own authentication of the original email, allowing downstream entities to accept the intermediary's authentication even if the email was changed.
Authentication & Encryption
Mechanisms exist to protect wireless access through authentication and strong encryption.
Authenticator Feedback
Mechanisms exist to obscure the feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Authenticator Management
Mechanisms exist to securely manage authenticators for users and devices.
Authoritative Chain of Command
Mechanisms exist to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing data and technology-related risks.
Authority To Collect, Use, Maintain & Share Personal Data
Mechanisms exist to determine and document the legal authority that permits the collection, use, maintenance and sharing of Personal Data (PD), either generally or in support of a specific program or system need.
Authorize Access to Security Functions
Mechanisms exist to limit access to security functions to explicitly-authorized privileged users.
Authorize Systems, Applications & Services
Mechanisms exist to compel data and/or process owners to obtain authorization for the production use of each system, application and/or service under their control.
Authorized Agent
Mechanisms exist to allow data subjects to authorize another person or entity, acting on the data subject's behalf, to make Personal Data (PD) processing decisions.
Authorized Communications
Mechanisms exist to restrict embedded technologies to communicate only with authorized peers and service endpoints.
Authorized Individuals For Hosted Systems, Applications & Services
Mechanisms exist to authorize specified individuals to access external systems, applications and/or services that are owned, operated and/or maintained by External Service Providers (ESPs).
Authorized Maintenance Personnel
Mechanisms exist to maintain a current list of authorized maintenance organizations or personnel.
Authorized System Accounts
Mechanisms exist to define and document the types of accounts allowed and prohibited on systems, applications and services.
Authorized Use
Mechanisms exist to utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes.
Automated Access Enforcement / Auditing
Mechanisms exist to perform after-the-fact reviews of configuration change logs to discover any unauthorized changes.
Automated Alerts
Mechanisms exist to automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications.
Automated Audit Actions
Automated mechanisms exist to audit account creation, modification, enabling, disabling and removal actions and notify organization-defined personnel or roles.
Automated Central Management & Verification
Automated mechanisms exist to govern and report on baseline configurations of systems through Continuous Diagnostics and Mitigation (CDM), or similar technologies.
Automated Data Management Processes
Automated mechanisms exist to adjust data that is able to be collected, created, used, disseminated, maintained, retained and/or disclosed, based on updated data subject authorization(s).
Automated De-Identification of Sensitive Data
Mechanisms exist to perform de-identification of sensitive/regulated data, using validated algorithms and software to implement the algorithms.
Automated Employment Status Notifications
Automated mechanisms exist to notify Identity and Access Management (IAM) personnel or roles upon termination of an individual's employment or contract.
Automated Incident Handling Processes
Automated mechanisms exist to support the incident handling process.
Automated Incident Response Training Environments
Automated mechanisms exist to provide a more thorough and realistic incident response training environment.
Automated Location Tracking
Mechanisms exist to track the geographic location of system components.
Automated Maintenance Activities
Automated mechanisms exist to schedule, conduct and document maintenance and repairs.
Automated Marking
Automated mechanisms exist to mark physical media and digital files to indicate the distribution limitations, handling requirements and applicable security markings (if any) of the information to aid Data Loss Prevention (DLP) technologies.
Automated Monitoring & Control
Automated mechanisms exist to monitor and control remote access sessions.
Automated Notifications of Integrity Violations
Automated mechanisms exist to alert incident response personnel upon discovering discrepancies during integrity verification.
Automated Records Management & Review
Automated mechanisms exist to facilitate the maintenance and review of visitor access records.
Automated Remediation Status
Automated mechanisms exist to determine the state of system components with regard to flaw remediation.
Automated Reporting
Automated mechanisms exist to assist in the reporting of cybersecurity & data privacy incidents.
Automated Response to Integrity Violations
Automated mechanisms exist to implement remediation actions when integrity violations are discovered.
Automated Response to Suspicious Events
Mechanisms exist to automatically implement pre-determined corrective actions in response to detected events that have security incident implications.
Automated Security Response
Automated mechanisms exist to implement remediation actions upon the detection of unauthorized baseline configurations change(s).
Automated Software & Firmware Updates
Automated mechanisms exist to install the latest stable versions of security-relevant software and firmware updates.
Automated Support For Password Strength
Automated mechanisms exist to determine if password authenticators are sufficiently strong to satisfy organization-defined password length and complexity requirements.
Automated Support For Predictive Maintenance
Automated mechanisms exist to transfer predictive maintenance data to a computerized maintenance management system.
Automated System Account Management (Directory Services)
Automated mechanisms exist to support the management of system accounts (e.g., directory services).
Automated Tools for Real-Time Analysis
Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation.
Automated Tools to Support Information Location
Automated mechanisms exist to identify information by data classification type to ensure adequate cybersecurity & data privacy controls are in place to protect organizational information and individual data privacy.
Automated Tracking, Data Collection & Analysis
Automated mechanisms exist to assist in the tracking, collection and analysis of information from actual and potential cybersecurity & data privacy incidents.
Automated Training Environments
Automated mechanisms exist to provide a more thorough and realistic contingency training environment.
Automated Unauthorized Component Detection
Automated mechanisms exist to detect and alert upon the detection of unauthorized hardware, software and firmware components.
Automatic Antimalware Signature Updates
Mechanisms exist to automatically update antimalware technologies, including signature definitions.
Automatic Disabling of System
Mechanisms exist to automatically disable systems, upon detection of a possible incident that meets organizational criteria, which allows for forensic analysis to be performed.
Automatic Fire Suppression
Facility security mechanisms exist to employ an automatic fire suppression capability for critical information systems when the facility is not staffed on a continuous basis.
Automatic Spam and Phishing Protection Updates
Mechanisms exist to automatically update anti-phishing and spam protection technologies when new releases are available in accordance with configuration and change management practices.
Automatic Voltage Controls
Facility security mechanisms exist to utilize automatic voltage controls for critical system components.
Automation
Automated mechanisms exist to support the evaluation of data quality across the information lifecycle.
Automation Support for Water Damage Protection
Facility security mechanisms exist to detect the presence of water in the vicinity of critical information systems and alert facility maintenance and IT personnel.
Automation Support of Availability of Information / Support
Automated mechanisms exist to increase the availability of incident response-related information and support.
Availability
Resiliency mechanisms exist to ensure the availability of data in the event of the loss of cryptographic keys.
Backup & Restoration Hardware Protection
Mechanisms exist to protect backup and restoration hardware and software.
Backup Access
Mechanisms exist to restrict access to backups to privileged users with assigned roles for data backup and recovery operations.
Backup Modification and/or Destruction
Mechanisms exist to restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles.
Bandwidth Control
Mechanisms exist to implement bandwidth control technologies to limit the amount of bandwidth used by categories of domains that are bandwidth-intensive.
Baseline Tailoring
Mechanisms exist to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: mission / business functions; operational environment; specific threats or vulnerabilities; or other conditions or situations that could affect mission / business success.
Behavioral Baselining
Automated mechanisms exist to establish behavioral baselines that capture information about user and entity behavior to enable dynamic threat discovery.
Binary or Machine-Executable Code
Mechanisms exist to prohibit the use of binary or machine-executable code from sources with limited or no warranty and without access to source code.
Binding Corporate Rules (BCR)
Mechanisms exist to implement and manage Binding Corporate Rules (BCR) (e.g., data sharing agreement) to legally-bind all parties engaged in a joint economic activity that contractually states enforceable rights on data subjects with regard to the processing of their personal data.
Biometric Authentication
Mechanisms exist to ensure biometric-based authentication satisfies organization-defined biometric quality requirements for false positives and false negatives.
Bluetooth & Wireless Devices
Mechanisms exist to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas, unless used in a Radio Frequency (RF)-screened building.
Boot Process Integrity
Automated mechanisms exist to verify the integrity of the boot process of information systems.
Boundary Protection
Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.
Breadth / Depth of Coverage
Mechanisms exist to identify the breadth and depth of coverage for vulnerability scanning that define the system components scanned and types of vulnerabilities that are checked for.
Break Clauses
Mechanisms exist to include "break clauses" within contracts for failure to meet contract criteria for cybersecurity and/or data privacy controls.
Bring Your Own Device (BYOD) Usage
Mechanisms exist to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace.
Business As Usual (BAU) Secure Practices
Mechanisms exist to incorporate cybersecurity & data privacy principles into Business As Usual (BAU) practices through executive leadership involvement.
Business Continuity Management System (BCMS)
Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient assets and services (e.g., Continuity of Operations Plan (COOP) or Business Continuity & Disaster Recovery (BC/DR) playbooks).
Business Impact Analysis (BIA)
Mechanisms exist to conduct a Business Impact Analysis (BIA) to identify and assess cybersecurity and data protection risks.
Business Process Definition
Mechanisms exist to define business processes with consideration for cybersecurity & data privacy that determines: the resulting risk to organizational operations, assets, individuals and other organizations; and information protection needs arising from the defined business processes, revising the processes as necessary until an achievable set of protection needs is obtained.
Capacity & Performance Management
Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements.
Capacity Planning
Mechanisms exist to conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations.
Categorize Artificial Intelligence (AI)-Related Technologies
Mechanisms exist to categorize Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Central Management
Mechanisms exist to centrally-manage anti-phishing and spam protection technologies.
Central Review & Analysis
Automated mechanisms exist to centrally collect, review and analyze audit records from multiple sources.
Centralized Collection of Security Event Logs
Mechanisms exist to utilize a Security Incident Event Manager (SIEM) or similar automated tool, to support the centralized collection of security-related event logs.
Centralized Management Of Mobile Devices
Mechanisms exist to develop, govern & update procedures to facilitate the implementation of mobile device management controls.
Centralized Management of Antimalware Technologies
Mechanisms exist to centrally-manage antimalware technologies.
Centralized Management of Cybersecurity & Data Privacy Controls
Mechanisms exist to centrally-manage the organization-wide management and implementation of cybersecurity & data privacy controls and related processes.
Centralized Management of Flaw Remediation Processes
Mechanisms exist to centrally-manage the flaw remediation process.
Centralized Management of Planned Audit Record Content
Mechanisms exist to centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components.
Certificate Authorities
Automated mechanisms exist to enable the use of organization-defined Certificate Authorities (CAs) to facilitate the establishment of protected sessions.
Certificate Denylisting
Mechanisms exist to prevent communication with systems and/or services that use a set of known bad certificates.
Certificate Monitoring
Automated mechanisms exist to discover when new certificates are issued for organization-controlled domains.
Certificate-Based Authentication
Mechanisms exist to enforce certificate-based authentication for embedded technologies (e.g., IoT, OT, etc.) and their supporting services.
Chain of Custody & Forensics
Mechanisms exist to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.
Change Management Program
Mechanisms exist to facilitate the implementation of a change management program.
Change Processing & Storage Locations
Automated mechanisms exist to change the location of processing and/or storage at random time intervals.
Change of Roles & Duties
Mechanisms exist to revoke user access rights following changes in personnel roles and duties, if no longer necessary or permitted.
Changes by Authorized Individuals
Mechanisms exist to provide privileged users or roles the capability to change the auditing to be performed on specified information system components, based on specific event criteria within specified time thresholds.
Chief Privacy Officer (CPO)
Mechanisms exist to appoint a Chief Privacy Officer (CPO), or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement applicable data privacy requirements and manage data privacy risks through the organization-wide data privacy program.
Chip-To-Cloud Security
Mechanisms exist to implement embedded technologies that utilize pre-provisioned cloud trust anchors to support secure bootstrap and Zero Touch Provisioning (ZTP).
Choice & Consent
Mechanisms exist for data subjects to authorize the processing of their Personal Data (PD) prior to its collection, in a manner that: uses plain language and provides examples to illustrate the potential data privacy risks of the authorization; and provides a means for users to decline the authorization.
Citizenship Identification
Mechanisms exist to identify foreign nationals, including by their specific citizenship.
Citizenship Requirements
Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information meet applicable statutory, regulatory and/or contractual requirements for citizenship.
Client-Facing Web Services
Mechanisms exist to deploy reasonably-expected security controls to protect the confidentiality and availability of client data that is stored, transmitted or processed by the Internet-based service.
Clock Synchronization
Mechanisms exist to utilize time-synchronization technology to synchronize all critical system clocks.
Cloud Access Point (CAP)
Mechanisms exist to utilize Cloud Access Points (CAPs) to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from the cloud.
Cloud Infrastructure Offboarding
Mechanisms exist to ensure cloud services are decommissioned so that data is securely transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.
Cloud Infrastructure Onboarding
Mechanisms exist to ensure cloud services are designed and configured so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.
Cloud Infrastructure Security Subnet
Mechanisms exist to host security-specific technologies in a dedicated subnet.
Cloud Security Architecture
Mechanisms exist to ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud deployments.
Cloud Services
Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices.
Code Names
Mechanisms exist to use aliases to name assets that are mission-critical and/or contain highly-sensitive/regulated data, so that asset names are unique and not readily associated with a product, project or type of data.
Collaborative Computing Devices
Mechanisms exist to unplug or prohibit the remote activation of collaborative computing devices, with the following exceptions: networked whiteboards; video teleconference cameras; and teleconference microphones.
Collection Minimization
Mechanisms exist to utilize sensors that are configured to minimize the collection of information about individuals.
Commercial Off-The-Shelf (COTS) Security Solutions
Mechanisms exist to utilize only Commercial Off-the-Shelf (COTS) security products.
Compensating Countermeasures
Mechanisms exist to identify and implement compensating countermeasures to reduce risk and exposure to threats.
Competency Requirements for Security-Related Positions
Mechanisms exist to ensure that all security-related positions are staffed by qualified individuals who have the necessary skill set.
Compliance Scope
Mechanisms exist to document and validate the scope of cybersecurity & data privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
Compliance-Specific Asset Identification
Mechanisms exist to create and maintain a current inventory of systems, applications and services that are in scope for statutory, regulatory and/or contractual compliance obligations that provides sufficient detail to determine control applicability, based on asset scope categorization.
Component Assignment
Mechanisms exist to bind components to a specific system.
Component Disposal
[deprecated - incorporated into AST-09] Mechanisms exist to dispose of system components using organization-defined techniques and methods to prevent such components from entering the gray market.
Component Duplication Avoidance
Mechanisms exist to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.
Component Marking
Physical security mechanisms exist to mark system hardware components indicating the impact or classification level of the information permitted to be processed, stored or transmitted by the hardware component.
Computer Matching Agreements (CMA)
Mechanisms exist to publish Computer Matching Agreements (CMA) on the public website of the organization.
Conceal / Randomize Communications
Cryptographic mechanisms exist to conceal or randomize communication patterns.
Concealment & Misdirection
Mechanisms exist to utilize concealment and misdirection techniques for systems to confuse and mislead adversaries.
Concurrent Session Control
Mechanisms exist to limit the number of concurrent sessions for each system account.
Confidentiality Agreements
Mechanisms exist to require Non-Disclosure Agreements (NDAs) or similar confidentiality agreements that reflect the needs to protect data and operational details, for both employees and third-parties.
Configuration Change Control
Mechanisms exist to govern the technical configuration change control processes.
Configuration Enforcement
Automated mechanisms exist to monitor, enforce and report on configurations for endpoint devices.
Configuration Management Database (CMDB)
Mechanisms exist to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.
Configuration Management Program
Mechanisms exist to facilitate the implementation of configuration management controls.
Configure Data Access Control Lists
Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
Configure Systems, Components or Services for High-Risk Areas
Mechanisms exist to configure systems utilized in high-risk areas with more restrictive baseline configurations.
Conflict of Interests
Mechanisms exist to ensure that the interests of external service providers are consistent with and reflect organizational interests.
Consistent Attribute Interpretation
Mechanisms exist to provide a consistent, organizationally agreed upon interpretation of cybersecurity & data privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components.
Conspicuous Link To Data Privacy Notice
Mechanisms exist to include a conspicuous link to the organization's data privacy notice on all consumer-facing websites and mobile applications.
Contactless Access Control Systems
Mechanisms exist to securely configure contactless access control systems incorporating contactless RFID or smart cards to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.
Contacts With Authorities
Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.
Contacts With Groups & Associations
Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & data privacy communities to: facilitate ongoing cybersecurity & data privacy education and training for organizational personnel; maintain currency with recommended cybersecurity & data privacy practices, techniques and technologies; and share current cybersecurity and/or data privacy-related information, including threats, vulnerabilities and incidents.
Content Check for Encrypted Data
Mechanisms exist to prevent encrypted data from bypassing content-checking mechanisms.
Content Disarm and Reconstruction (CDR)
Automated Content Disarm and Reconstruction (CDR) mechanisms exist to detect the presence of unapproved active content and facilitate its removal, resulting in content with only known safe elements.
Content of Event Logs
Mechanisms exist to configure systems to produce event logs that contain sufficient information to, at a minimum, establish: what type of event occurred; when (date and time) the event occurred; where the event occurred; the source of the event; the outcome (success or failure) of the event; and the identity of any user/subject associated with the event.
Contingency Plan Root Cause Analysis (RCA) & Lessons Learned
Mechanisms exist to conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated.
Contingency Plan Testing & Exercises
Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan.
Contingency Planning & Updates
Mechanisms exist to keep contingency plans current with business needs, technology changes and feedback from contingency plan testing activities.
Contingency Training
Mechanisms exist to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities.
Continue Essential Mission & Business Functions
Mechanisms exist to continue essential missions and business functions with little or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites.
Continuing Professional Education (CPE) - Cybersecurity & Data Privacy Personnel
Mechanisms exist to ensure cybersecurity & data privacy personnel receive Continuing Professional Education (CPE) training to maintain currency and proficiency with industry-recognized secure practices that are pertinent to their assigned roles and responsibilities.
Continuing Professional Education (CPE) - DevOps Personnel
Mechanisms exist to ensure application development and operations (DevOps) personnel receive Continuing Professional Education (CPE) training on Secure Software Development Practices (SSDP) to appropriately address evolving threats.
Continuous Authentication
Automated mechanisms exist to enable continuous re-authentication through the lifecycle of entity interactions.
Continuous Incident Response Improvements
Mechanisms exist to use qualitative and quantitative data from incident response testing to: determine the effectiveness of incident response processes; continuously improve incident response processes; and provide incident response measures and metrics that are accurate, consistent and in a reproducible format.
Continuous Monitoring
Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.
Continuous Monitoring Plan
Mechanisms exist to require the developers of systems, system components or services to produce a plan for the continuous monitoring of cybersecurity & data privacy control effectiveness.
Continuous Vulnerability Remediation Activities
Mechanisms exist to address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks.
Contract Flow-Down Requirements
Mechanisms exist to ensure cybersecurity & data privacy requirements are included in contracts that flow-down to applicable sub-contractors and suppliers.
Control & Distribution of Cryptographic Keys
Mechanisms exist to facilitate the secure distribution of symmetric and asymmetric cryptographic keys using industry recognized key management technology and processes.
Control Applicability Boundary Graphical Representation
Mechanisms exist to ensure control applicability is appropriately-determined for systems, applications, services and third parties by graphically representing applicable boundaries.
Controlled Ingress & Egress Points
Physical access control mechanisms exist to limit and monitor physical access through controlled ingress and egress points.
Controlled Maintenance
Mechanisms exist to conduct controlled maintenance activities throughout the lifecycle of the system, application or service.
Controlled Release
Automated mechanisms exist to validate cybersecurity & data privacy attributes prior to releasing information to external systems.
Cookie Management
Mechanisms exist to provide individuals with clear and precise information about cookies, in accordance with applicable legal requirements for cookie management.
Coordinate With External Service Providers
Mechanisms exist to coordinate internal contingency plans with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
Coordinate with Related Plans
Mechanisms exist to coordinate contingency plan development with internal and external elements responsible for related plans.
Coordinated Testing with Related Plans
Mechanisms exist to coordinate contingency plan testing with internal and external elements responsible for related plans.
Coordination With External Providers
Mechanisms exist to establish a direct, cooperative relationship between the organization's incident response capability and external service providers.
Coordination with Related Plans
Mechanisms exist to coordinate incident response testing with organizational elements responsible for related plans.
Correcting Inaccurate Personal Data
Mechanisms exist to establish and implement a process for: data subjects to have inaccurate Personal Data (PD) maintained by the organization corrected or amended; and disseminating corrections or amendments of PD to other authorized users of the PD.
Correlate Monitoring Information
Automated mechanisms exist to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.
Correlate Scanning Information
Automated mechanisms exist to correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
Correlation with External Organizations
Mechanisms exist to coordinate with approved third-parties to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Correlation with Physical Monitoring
Automated mechanisms exist to correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual or malevolent activity.
Covert Channel Analysis
Mechanisms exist to conduct covert channel analysis to identify aspects of communications that are potential avenues for covert channels.
Credential Sharing
Mechanisms exist to prevent the sharing of generic IDs, passwords or other generic authentication methods.
Criticality Analysis
Mechanisms exist to require the developer of the system, system component or service to perform a criticality analysis at organization-defined decision points in the Secure Development Life Cycle (SDLC).
Cross Domain Authentication
Automated mechanisms exist to uniquely identify and authenticate source and destination points for information transfer.
Cross Domain Solution (CDS)
Mechanisms exist to implement a Cross Domain Solution (CDS) to mitigate the specific security risks of accessing or transferring information between security domains.
Cross-Organization Management
Mechanisms exist to coordinate username identifiers with external organizations for cross-organization management of identifiers.
Cross-Organizational Monitoring
Mechanisms exist to coordinate sanitized event logs among external organizations to identify anomalous events when event logs are shared across organizational boundaries, without giving away sensitive or critical business data.
Cryptographic Cipher Suites and Protocols Inventory
Mechanisms exist to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols.
Cryptographic Key Loss or Change
Mechanisms exist to ensure the availability of information in the event of the loss of cryptographic keys by individual users.
Cryptographic Key Management
Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.
Cryptographic Management
Mechanisms exist to govern assets involved in providing cryptographic protections according to the organization's configuration management processes.
Cryptographic Module Authentication
Automated mechanisms exist to enable systems to authenticate to a cryptographic module.
Cryptographic Module Authentication
Mechanisms exist to ensure cryptographic modules adhere to applicable statutory, regulatory and contractual requirements for security strength.
Cryptographic Protection
Cryptographic mechanisms exist to prevent the unauthorized disclosure and/or modification of backup information.
Cryptographic Protection of Event Log Information
Cryptographic mechanisms exist to protect the integrity of event logs and audit tools.
Custodians
Mechanisms exist to identify custodians throughout the transport of digital or non-digital media.
Customer Responsibility Matrix (CRM)
Mechanisms exist to formally document a Customer Responsibility Matrix (CRM), delineating assigned responsibilities for controls between the Cloud Service Provider (CSP) and its customers.
Customized Development of Critical Components
Mechanisms exist to custom-develop critical system components, when Commercial Off The Shelf (COTS) solutions are unavailable.
Cyber Incident Reporting for Sensitive Data
Mechanisms exist to report sensitive/regulated data incidents in a timely manner.
Cyber Threat Environment
Mechanisms exist to provide role-based cybersecurity & data privacy awareness training that is specific to the cyber threats that the user might encounter in the user's specific day-to-day business operations.
Cybersecurity & Data Privacy Attributes
Mechanisms exist to bind cybersecurity & data privacy attributes to information as it is stored, transmitted and processed.
Cybersecurity & Data Privacy Awareness Training
Mechanisms exist to provide all employees and contractors appropriate awareness education and training that is relevant for their job function.
Cybersecurity & Data Privacy In Project Management
Mechanisms exist to assess cybersecurity & data privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements.
Cybersecurity & Data Privacy Portfolio Management
Mechanisms exist to facilitate the implementation of cybersecurity & data privacy-related resource planning controls that define a viable plan for achieving cybersecurity & data privacy objectives.
Cybersecurity & Data Privacy Representative for Asset Lifecycle Changes
Mechanisms exist to include a cybersecurity and/or data privacy representative in the configuration change control review process.
Cybersecurity & Data Privacy Representatives For Product Changes
Mechanisms exist to include appropriate cybersecurity & data privacy representatives in the product feature and/or functionality change control review process.
Cybersecurity & Data Privacy Requirements Definition
Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC).
Cybersecurity & Data Privacy Resource Management
Mechanisms exist to address all capital planning and investment requests, including the resources needed to implement the cybersecurity & data privacy programs and document all exceptions to this requirement.
Cybersecurity & Data Privacy Status Reporting
Mechanisms exist to submit status reporting of the organization's cybersecurity and/or data privacy program to applicable statutory and/or regulatory authorities, as required.
Cybersecurity & Data Privacy Testing Throughout Development
Mechanisms exist to require system developers/integrators to consult with cybersecurity & data privacy personnel to: • Create and implement a Security Test and Evaluation (ST&E) plan; • Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and • Document the results of the security testing/evaluation and flaw remediation processes.
Cybersecurity & Data Privacy Training Records
Mechanisms exist to document, retain and monitor individual training activities, including basic cybersecurity & data privacy awareness training, ongoing awareness training and specific-system training.
Cybersecurity & Data Privacy-Minded Workforce
Mechanisms exist to facilitate the implementation of security workforce development and awareness controls.
Cybersecurity & Data Protection Assessments
Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate cybersecurity & data protection policies, standards and other applicable requirements.
Cybersecurity & Data Protection Controls Oversight
Mechanisms exist to provide a cybersecurity & data protection controls oversight function that reports to the organization's executive leadership.
Cybersecurity & Data Protection Governance Program
Mechanisms exist to facilitate the implementation of cybersecurity & data protection governance controls.
Cybersecurity Functionality Verification
Mechanisms exist to verify the functionality of cybersecurity controls when anomalies are discovered.
DMZ Networks
Mechanisms exist to monitor De-Militarized Zone (DMZ) network segments to separate untrusted networks from trusted networks.
DNS & Content Filtering
Mechanisms exist to force Internet-bound network traffic through a proxy device (e.g., Policy Enforcement Point (PEP)) for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.
Data & Asset Classification
Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.
Data Access Mapping
Mechanisms exist to develop a data-specific Access Control List (ACL) or Data Information Sharing Agreement (DISA) to determine the parties with whom sensitive/regulated data is shared.
Data Action Mapping
Mechanisms exist to create and maintain a map of technology assets where sensitive/regulated data is stored, transmitted or processed.
Data Analytics Bias
Mechanisms exist to evaluate the organization's analytical processes for potential bias.
Data Backups
Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Data Breach
Mechanisms exist to address data breaches, or other incidents involving the unauthorized disclosure of sensitive or regulated data, according to applicable laws, regulations and contractual obligations.
Data Controller Communications
Mechanisms exist to receive and process data controller communications pertaining to: • Receiving and responding to data subject requests; • Updating/correcting Personal Data (PD); • Accounting for disclosures of PD; and • Accounting for PD that is stored, processed and/or transmitted on behalf of the data controller.
Data Flow Enforcement - Access Control Lists (ACLs)
Mechanisms exist to design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems.
Data Governance
Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.
Data Handling & Portability
Mechanisms exist to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services.
Data Localization
Mechanisms exist to constrain the impact of "digital sovereignty laws" that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.
Data Loss Prevention (DLP)
Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.
Data Management Board
Mechanisms exist to establish a written charter for a Data Management Board (DMB) and assign organization-defined roles to the DMB.
Data Masking
Mechanisms exist to mask sensitive information through data anonymization, pseudonymization, redaction or de-identification.
Data Mining Protection
Mechanisms exist to protect data storage objects against unauthorized data mining and data harvesting techniques.
Data Portability
Mechanisms exist to export Personal Data (PD) in a structured, commonly used and machine-readable format that allows the data subject to transmit the data to another controller without hindrance.
Data Privacy Notice
Mechanisms exist to: • Make data privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; • Ensure that data privacy notices are clear and easy to understand, expressing information about Personal Data (PD) processing in plain language that meets all legal obligations; • Define the scope of PD processing activities, including the geographic locations and third-party recipients that process the PD within the scope of the data privacy notice; • Periodically review the content of the privacy notice and make updates as necessary; and • Retain prior versions of the privacy notice, in accordance with data retention requirements.
Data Privacy Program
Mechanisms exist to facilitate the implementation and operation of data privacy controls.
Data Privacy Records & Reporting
Mechanisms exist to maintain data privacy-related records and develop, disseminate and update reports to internal senior management, as well as external oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory data privacy program mandates.
Data Privacy Requirements for Contractors & Service Providers
Mechanisms exist to include data privacy requirements in contracts and other acquisition-related documents that establish data privacy roles and responsibilities for contractors and service providers.
Data Protection
Mechanisms exist to facilitate the implementation of data protection controls.
Data Protection Impact Assessment (DPIA)
Mechanisms exist to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services that store, process and/or transmit Personal Data (PD) to identify and remediate reasonably-expected risks.
Data Protection Officer (DPO)
Mechanisms exist to appoint a Data Protection Officer (DPO): • On the basis of professional qualities; and • To be involved in all issues related to the protection of personal data.
Data Quality Management
Mechanisms exist to issue guidelines ensuring and maximizing the quality, utility, objectivity, integrity, impact determination and de-identification of Personal Data (PD) across the information lifecycle.
Data Quality Operations
Mechanisms exist to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.
Data Reclassification
Mechanisms exist to reclassify data, including associated systems, applications and services, commensurate with the security category and/or classification level of the information.
Data Rights Management (DRM)
Mechanisms exist to utilize Data Rights Management (DRM), or similar technologies, to protect Intellectual Property (IP) rights by preventing the unauthorized distribution and/or modification of sensitive IP.
Data Source Identification
Mechanisms exist to identify and document data sources utilized in the training and/or operation of Artificial Intelligence and Autonomous Technologies (AAT).
Data Source Integrity
Mechanisms exist to protect the integrity of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of Artificial Intelligence and Autonomous Technologies (AAT).
Data Stewardship
Mechanisms exist to ensure data stewardship is assigned, documented and communicated.
Data Storage Location Reviews
Mechanisms exist to perform periodic security reviews of storage locations that contain sensitive / regulated data.
Data Subject Access
Mechanisms exist to provide data subjects the ability to access their Personal Data (PD) maintained in organizational systems of records.
Data Subject Attribute Associations
Mechanisms exist to require personnel to associate and maintain the association of cybersecurity & data privacy attributes with individuals and objects in accordance with cybersecurity and data privacy policies.
Data Subject Communications
Mechanisms exist to craft disclosures and communications to data subjects such that the material is readily accessible and written in a manner that is concise, unambiguous and understandable by a reasonable person.
Data Tagging
Mechanisms exist to issue data modeling guidelines to support tagging of sensitive/regulated data.
Data Tags
Mechanisms exist to utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle.
Data Type Identifiers
Automated mechanisms exist to utilize data type identifiers to validate data essential for information flow decisions when transferring information between different security domains.
Database Access
Mechanisms exist to restrict access to databases containing sensitive/regulated data to only necessary services or those individuals whose job requires such access.
Database Administrative Processes
Mechanisms exist to develop, implement and govern database management processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining databases.
Database Encryption
Mechanisms exist to ensure that database servers utilize encryption to protect the confidentiality of the data within the databases.
Database Logging
Mechanisms exist to ensure databases produce audit records that contain sufficient information to monitor database activities.
Database Management System (DBMS)
Mechanisms exist to implement and maintain Database Management Systems (DBMSs), where applicable.
De-Identification (Anonymization)
Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.
De-Identify Dataset Upon Collection
Mechanisms exist to de-identify the dataset upon collection by not collecting Personal Data (PD).
Deactivated Account Activity
Mechanisms exist to monitor deactivated accounts for attempted usage.
Decommissioning
Mechanisms exist to ensure systems, applications and services are properly decommissioned so that data is properly transitioned to new systems or archived in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.
Decomposition Into Policy-Related Subcomponents
Automated mechanisms exist to decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms, when transferring information between different security domains.
Dedicated Administrative Machines
Mechanisms exist to restrict executing administrative tasks or tasks requiring elevated access to a dedicated machine.
Defense-In-Depth (DiD) Architecture
Mechanisms exist to implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
Define Control Objectives
Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization's internal control system.
Defining Access Authorizations for Sensitive/Regulated Data
Mechanisms exist to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.
Defining Business Context & Mission
Mechanisms exist to define the context of its business model and document the mission of the organization.
Delivery & Removal
Physical security mechanisms exist to isolate information processing facilities from delivery and loading areas and other points of entry to avoid unauthorized access.
Denial of Service (DoS) Protection
Automated mechanisms exist to protect against or limit the effects of denial of service attacks.
Deny Traffic by Default & Allow Traffic by Exception
Mechanisms exist to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
Detection of Unsanctioned Information
Automated mechanisms exist to implement security policy filters requiring fully enumerated formats that restrict data structure and content, when transferring information between different security domains.
Detonation Chambers (Sandboxes)
Mechanisms exist to utilize a detonation chamber capability to detect and/or block potentially-malicious files and email attachments.
Developer Architecture & Design
Mechanisms exist to require the developers of systems, system components or services to produce a design specification and security architecture that: • Is consistent with and supportive of the organization's security architecture, which is established within and is an integrated part of the organization's enterprise architecture; • Accurately and completely describes the required security functionality and the allocation of security controls among physical and logical components; and • Expresses how individual security functions, mechanisms and services work together to provide required security capabilities and a unified approach to protection.
Developer Configuration Management
Mechanisms exist to require system developers and integrators to perform configuration management during system design, development, implementation and operation.
Developer Screening
Mechanisms exist to ensure that the developers of systems, applications and/or services have the requisite skillset and appropriate access authorizations.
Developer Threat Analysis & Flaw Remediation
Mechanisms exist to require system developers and integrators to create a Security Test and Evaluation (ST&E) plan and implement the plan under the witness of an independent party.
Developer-Provided Training
Mechanisms exist to require the developers of systems, system components or services to provide training on the correct use and operation of the system, system component or service.
Development & Test Environment Configurations
Mechanisms exist to manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes.
Development Methods, Techniques & Processes
Mechanisms exist to require software vendors / manufacturers to demonstrate that their software development processes employ industry-recognized secure practices for secure programming, engineering methods, quality control processes and validation techniques to minimize flawed or malformed software.
Device Attestation
Mechanisms exist to ensure device identification and authentication is accurate by centrally-managing the joining of systems to the domain as part of the initial asset configuration management process.
Device Authorization Enforcement
Mechanisms exist to enforce the use of device-specific cryptographic communications keys so that one key cannot be used to access multiple devices.
Diagnostic & Test Interface Monitoring
Mechanisms exist to enable endpoint devices to log events and generate alerts for attempts to access diagnostic and test interfaces.
Differential Data Privacy
Mechanisms exist to prevent disclosure of Personal Data (PD) by adding non-deterministic noise to the results of mathematical operations before the results are reported.
Direct Internet Access Restrictions
Mechanisms exist to prohibit, or strictly-control, Internet access from sensitive / regulated data enclaves (secure zones).
Disable Inactive Accounts
Automated mechanisms exist to disable inactive accounts after an organization-defined time period.
Disable Wireless Networking
Mechanisms exist to disable unnecessary wireless networking capabilities that are internally embedded within system components prior to issuance to end users.
Disabling / Removal In Secure Work Areas
Mechanisms exist to disable or remove collaborative computing devices from critical information systems and secure work areas.
Disassociability
Mechanisms exist to disassociate user attributes or credential assertion relationships among individuals, credential service providers and relying parties.
Disclosure of Information
Mechanisms exist to restrict the disclosure of sensitive / regulated data to authorized parties with a need to know.
Dissemination of Data Privacy Program Information
Mechanisms exist to: • Ensure that the public has access to information about organizational data privacy activities and can communicate with its Chief Privacy Officer (CPO) or similar role; • Ensure that organizational data privacy practices are publicly available through organizational websites or document repositories; • Utilize publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to data privacy office(s) regarding data privacy practices; and • Inform data subjects when changes are made to the privacy notice and the nature of such changes.
Distinguish Visitors from On-Site Personnel
Physical access control mechanisms exist to easily distinguish between onsite personnel and visitors, especially in areas where sensitive/regulated data is accessible.
Distributed Processing & Storage
Mechanisms exist to distribute processing and storage across multiple physical locations.
Documentation Requirements
Mechanisms exist to obtain, protect and distribute administrator documentation for systems that describes: • Secure configuration, installation and operation of the system; • Effective use and maintenance of security features/functions; and • Known vulnerabilities regarding configuration and use of administrative (e.g., privileged) functions.
Documented Protection Measures
Mechanisms exist to document antimalware technologies.
Domain Name Service (DNS) Resolution
Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution.
Domain Name Verification
Mechanisms exist to ensure that domain name lookups, whether for internal or external domains, are validated according to Domain Name System Security Extensions (DNSSEC).
Domain Registrar Security
Mechanisms exist to lock the domain name registrar to prevent a denial of service caused by unauthorized deletion, transfer or other unauthorized modification of a domain's registration details.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
Mechanisms exist to implement domain signature verification protections that authenticate incoming email according to the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard.
Dual Authorization For Backup Media Destruction
Mechanisms exist to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data.
Dual Authorization for Change
Mechanisms exist to enforce a two-person rule for implementing changes to critical assets.
Dual Authorization for Event Log Movement
Automated mechanisms exist to enforce dual authorization for the movement or deletion of event logs.
Dual Authorization for Physical Access
Mechanisms exist to enforce a "two-person rule" for physical access by requiring two authorized individuals with separate access cards, keys or PINs, to access highly-sensitive areas (e.g., safe, high-security cage, etc.).
Dual Authorization for Privileged Commands
Automated mechanisms exist to enforce dual authorization for privileged commands.
Dual Authorization for Sensitive Data Destruction
Mechanisms exist to enforce dual authorization for the destruction, disposal or sanitization of digital media that contains sensitive / regulated data.
Dynamic Attribute Association
Mechanisms exist to dynamically associate cybersecurity & data privacy attributes with individuals and objects as information is created, combined, or transformed, in accordance with organization-defined cybersecurity and data privacy policies.
Dynamic Code Analysis
Mechanisms exist to require the developers of systems, system components or services to employ dynamic code analysis tools to identify and remediate common flaws and document the results of the analysis.
Dynamic Host Configuration Protocol (DHCP) Server Logging
Mechanisms exist to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems.
Dynamic Isolation & Segregation (Sandboxing)
Automated mechanisms exist to dynamically isolate (e.g., sandbox) untrusted components during runtime, where the component is isolated in a fault-contained environment but it can still collaborate with the application.
Dynamic Management
Mechanisms exist to dynamically manage usernames and system identifiers.
Dynamic Reconfiguration
Automated mechanisms exist to dynamically reconfigure information system components as part of the incident response capability.
Efficacy of AI & Autonomous Technologies Measurement
Mechanisms exist to gather and assess feedback about the efficacy of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related measurements.
Elastic Expansion
Mechanisms exist to automatically scale the resources available for services, as demand conditions change.
Electromagnetic Pulse (EMP) Protection
Physical security mechanisms exist to employ safeguards against Electromagnetic Pulse (EMP) damage for systems and system components.
Electronic Discovery (eDiscovery)
Mechanisms exist to utilize electronic discovery (eDiscovery) that covers current and archived communication transactions.
Electronic Messaging
Mechanisms exist to protect the confidentiality, integrity and availability of electronic messaging communications.
Email Content Protections
Mechanisms exist to implement an email filtering security service to detect malicious attachments in emails and prevent users from accessing them.
Email Domain Reputation Protections
Mechanisms exist to monitor the organization's email domain's reputation and protect the email domain's reputation.
Email Labeling
Automated mechanisms exist to implement email labeling that applies organization-defined tags to incoming or outgoing email.
Embedded Data Types
Mechanisms exist to enforce limitations on embedding data within other data types.
Embedded Technology Configuration Monitoring
Mechanisms exist to generate log entries on embedded devices when configuration changes or attempts to access interfaces are detected.
Embedded Technology Maintenance
Mechanisms exist to securely update software and upgrade functionality on embedded devices.
Embedded Technology Reviews
Mechanisms exist to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented.
Embedded Technology Security Program
Mechanisms exist to facilitate the implementation of embedded technology controls.
Emergency Accounts
Mechanisms exist to establish and control "emergency access only" accounts.
Emergency Lighting
Facility security mechanisms exist to utilize and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Emergency Power
Facility security mechanisms exist to supply alternate power, capable of maintaining minimally-required operational capability, in the event of an extended loss of the primary power source.
Emergency Shutoff
Facility security mechanisms exist to shut off power in emergency situations by: • Placing emergency shutoff switches or devices in close proximity to systems or system components to facilitate safe and easy access for personnel; and • Protecting emergency power shutoff capability from unauthorized activation.
Encrypt Data on End-User Devices
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Encrypting Data At Rest
Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.
Encrypting Data In Storage Media
Cryptographic mechanisms exist to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Encryption for Outgoing Email
Mechanisms exist to enable the encryption of outgoing emails using organization-approved cryptographic means.
End-User Messaging Technologies
Mechanisms exist to prohibit the transmission of unprotected sensitive/regulated data by end-user messaging technologies.
Endpoint File Integrity Monitoring (FIM)
Mechanisms exist to utilize File Integrity Monitor (FIM) technology to detect and report unauthorized changes to system files and configurations.
Endpoint Protection Measures
Mechanisms exist to protect the confidentiality, integrity, availability and safety of endpoint devices.
Endpoint Security
Mechanisms exist to facilitate the implementation of endpoint security controls.
Endpoint Security Validation
Mechanisms exist to validate software versions/patch levels and control remote devices connecting to corporate networks or storing and accessing organization information.
Enforce Data Retention
Retain data according to the enterprise's data management process. Data retention must include both minimum and maximum timelines.
Ensure Authorized Software is Currently Supported
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. Designate any unsupported software without documented exception as unauthorized. Review the software list to verify software support at least monthly, or more frequently.
Equipment Siting & Protection
Physical security mechanisms exist to locate system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
Equipment Testing
Mechanisms exist to test sanitization equipment and procedures to verify that the intended result is achieved.
Error Handling
Mechanisms exist to handle error conditions by: identifying potentially security-relevant error conditions; generating error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages that could be exploited; and revealing error messages only to authorized personnel.
Establish Redundancy for Vital Cybersecurity & Data Privacy Staff
Mechanisms exist to establish redundancy for vital cybersecurity & data privacy staff.
Establish and Maintain Detailed Enterprise Asset Inventory
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
Establish and Maintain a Data Classification Scheme
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as "Sensitive," "Confidential," and "Public," and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and Maintain a Data Inventory
Establish and maintain a data inventory, based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.
Establish and Maintain a Data Management Process
Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and Maintain a Data Recovery Process
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and Maintain a Software Inventory
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.
Event Log Backup on Separate Physical Systems / Components
Mechanisms exist to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.
Event Log Retention
Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements.
Event Log Storage Capacity
Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.
Event Log Storage Capacity Alerting
Automated mechanisms exist to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity.
Evolving Malware Threats
Mechanisms exist to perform periodic evaluations of evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software.
Exception Management
Mechanisms exist to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded.
Expeditious Disconnect / Disable Capability
Mechanisms exist to provide the capability to expeditiously disconnect or disable a user's remote access session.
Expiration of Cached Authenticators
Automated mechanisms exist to prohibit the use of cached authenticators after an organization-defined time period.
Explicitly Indicate Current Participants
Automated mechanisms exist to provide an explicit indication of current participants in online meetings and teleconferences.
Export-Controlled Technology
Mechanisms exist to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.
Exposure to Unauthorized Personnel
Mechanisms exist to address security safeguards for personnel exposed to sensitive information that is not within their assigned access authorizations.
External Connectivity Requirements - Identification of Ports, Protocols & Services
Mechanisms exist to require External Service Providers (ESPs) to identify and document the business need for the ports, protocols and other services they require to operate their processes and technologies.
External System Connections
Mechanisms exist to prohibit the direct connection of a sensitive system to an external network without the use of an organization-defined boundary protection device.
External System Cryptographic Key Control
Mechanisms exist to maintain control of cryptographic keys for encrypted material stored or transmitted through an external system.
External Telecommunications Services
Mechanisms exist to maintain a managed interface for each external telecommunication service that protects the confidentiality and integrity of the information being transmitted across each interface.
External Vulnerability Assessment Scans
Mechanisms exist to perform quarterly external vulnerability scans (outside the organization's network looking inward) via a reputable vulnerability service provider, which include rescans until passing results are obtained or all 'high' vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS).
Fail Safe
Mechanisms exist to implement fail-safe procedures when failure conditions occur.
Fail Secure
Mechanisms exist to enable systems to fail to an organization-defined known-state for types of failures, preserving system state information in failure.
Failover Capability
Mechanisms exist to implement real-time or near-real-time failover capability to maintain availability of critical systems, applications and/or services.
Federated Credential Management
Mechanisms exist to federate credentials to allow cross-organization authentication of individuals and devices.
Field Maintenance
Mechanisms exist to securely conduct field maintenance on geographically deployed assets.
File Integrity Monitoring (FIM)
Mechanisms exist to utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical assets to generate alerts for unauthorized modifications.
Fire Detection Devices
Facility security mechanisms exist to utilize and maintain fire detection devices/systems that activate automatically and notify organizational personnel and emergency responders in the event of a fire.
Fire Protection
Facility security mechanisms exist to utilize and maintain fire suppression and detection devices/systems for the system that are supported by an independent energy source.
Fire Suppression Devices
Facility security mechanisms exist to utilize fire suppression devices/systems that provide automatic notification of any activation to organizational personnel and emergency responders.
First Time Use Sanitization
Mechanisms exist to apply nondestructive sanitization techniques to portable storage devices prior to first use.
First-Party Declaration (1PD)
Mechanisms exist to obtain a First-Party Declaration (1PD) from applicable External Service Providers (ESPs) that provides assurance of compliance with specified statutory, regulatory and contractual obligations for cybersecurity & data privacy controls, including any flow-down requirements to subcontractors.
Flaw Remediation with Personal Data (PD)
Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD).
Forced Technology Transfer (FTT)
Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.
Formal Indoctrination
Mechanisms exist to verify that individuals accessing a system processing, storing, or transmitting sensitive information are formally indoctrinated for all the relevant types of information to which they have access on the system.
Full Device & Container-Based Encryption
Cryptographic mechanisms exist to protect the confidentiality and integrity of information on mobile devices through full-device or container encryption.
Functional Properties
Mechanisms exist to require vendors/contractors to provide information describing the functional properties of the security controls to be utilized within systems, system components or services in sufficient detail to permit analysis and testing of the controls.
Functional Review Of Cybersecurity & Data Protection Controls
Mechanisms exist to regularly review technology assets for adherence to the organization's cybersecurity & data protection policies and standards.
Geographic Location of Data
Mechanisms exist to inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties.
Geolocation Requirements for Processing, Storage and Service Locations
Mechanisms exist to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations.
Global Privacy Control (GPC)
Automated mechanisms exist to provide data subjects with functionality to exercise pre-selected opt-out preferences (e.g., opt-out signal).
Governing Access Restriction for Change
Mechanisms exist to define, document, approve and enforce access restrictions associated with changes to systems.
Government Surveillance
Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.
Group Authentication
Mechanisms exist to require individuals to be authenticated with an individual authenticator when a group authenticator is utilized.
Guest Networks
Mechanisms exist to implement and manage a secure guest network.
Hardware Integrity Verification
Mechanisms exist to require the developer of systems, system components or services to enable integrity verification of hardware components.
Hardware Security Modules (HSM)
Automated mechanisms exist to utilize Hardware Security Modules (HSM) to protect authenticators on which the component relies.
Hardware Separation
Mechanisms exist to implement underlying hardware separation mechanisms to facilitate process separation.
Hardware Token-Based Authentication
Automated mechanisms exist to ensure organization-defined token quality requirements are satisfied for hardware token-based authentication.
Heterogeneity
Mechanisms exist to utilize a diverse set of technologies for system components to reduce the impact of technical vulnerabilities from the same Original Equipment Manufacturer (OEM).
Heuristic / Nonsignature-Based Detection
Mechanisms exist to utilize heuristic / nonsignature-based antimalware detection capabilities.
High-Risk Terminations
Mechanisms exist to expedite the process of removing "high risk" individuals' access to systems and applications upon termination, as determined by management.
Highest Classification Level
Mechanisms exist to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed.
Honeyclients
Mechanisms exist to utilize honeyclients that proactively seek to identify malicious websites and/or web-based malicious code.
Honeypots
Mechanisms exist to utilize honeypots that are specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting and analyzing such attacks.
Host Containment
Automated mechanisms exist to enforce host containment protections that revoke or quarantine a host's access to the network.
Host Intrusion Detection and Prevention Systems (HIDS / HIPS)
Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) on sensitive systems.
Host-Based Devices
Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness.
Host-Based Security Function Isolation
Mechanisms exist to implement underlying software separation mechanisms to facilitate security function isolation.
Hosted Systems, Applications & Services
Mechanisms exist to specify applicable cybersecurity & data protection controls that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services.
Human Resources Security Management
Mechanisms exist to facilitate the implementation of personnel security controls.
Human Reviews
Mechanisms exist to enforce the use of human reviews for Access Control Lists (ACLs) and similar rulesets on a routine basis.
Hypervisor Access
Mechanisms exist to restrict access to hypervisor management functions or administrative consoles for systems hosting virtualized systems.
IRP Update
Mechanisms exist to regularly review and modify incident response practices to incorporate lessons learned, business process changes and industry developments, as necessary.
Identifiable Image Collection
Mechanisms exist to restrict the collection, processing, storage and sharing of photographic and/or video surveillance image collection that can identify individuals to legitimate business needs.
Identification & Authentication for Devices
Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) devices before establishing a connection using bidirectional authentication that is cryptographically-based and replay resistant.
Identification & Authentication for Non-Organizational Users
Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) third-party users and processes that provide services to the organization.
Identification & Authentication for Organizational Users
Mechanisms exist to uniquely identify and centrally Authenticate, Authorize and Audit (AAA) organizational users and processes acting on behalf of organizational users.
Identification & Authentication for Third Party Systems & Services
Mechanisms exist to identify and authenticate third-party systems and services.
Identification & Justification of Ports, Protocols & Services
Mechanisms exist to require process owners to identify, document and justify the business need for the ports, protocols and other services necessary to operate their technology solutions.
Identification Requirement
Physical access control mechanisms exist to require at least one (1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility.
Identifier Management (User Names)
Mechanisms exist to govern naming standards for usernames and systems.
Identify Critical Assets
Mechanisms exist to identify and document the critical systems, applications and services that support essential missions and business functions.
Identify Critical Skills & Gaps
Mechanisms exist to evaluate the critical cybersecurity & data privacy skills needed to support the organization's mission and identify gaps that exist.
Identify Vital Cybersecurity & Data Privacy Staff
Mechanisms exist to identify vital cybersecurity & data privacy staff.
Identity & Access Management (IAM)
Mechanisms exist to facilitate the implementation of identification and access management controls.
Identity Association Techniques & Technologies
Mechanisms exist to associate cybersecurity & data privacy attributes to information.
Identity Binding
Mechanisms exist to bind the identity of the information producer to the information generated.
Identity Evidence
Mechanisms exist to require evidence of individual identification to be presented to the registration authority.
Identity Evidence Validation & Verification
Mechanisms exist to require that the presented identity evidence be validated and verified through organizational-defined methods of validation and verification.
Identity Proofing (Identity Verification)
Mechanisms exist to verify the identity of a user before modifying any permissions or authentication factor.
Identity User Status
Mechanisms exist to identify contractors and other third-party users through unique username characteristics.
Impact-Level Prioritization
Mechanisms exist to prioritize the impact level for systems, applications and/or services to prevent potential disruptions.
Implement Controls
Mechanisms exist to compel data and/or process owners to implement required cybersecurity & data privacy controls for each system, application and/or service under their control.
In-Person Validation & Verification
Mechanisms exist to require that the validation and verification of identity evidence be conducted in person before a designated registration authority.
In-Person or Trusted Third-Party Registration
Mechanisms exist to conduct in-person or trusted third-party identity verification before user accounts for third-parties are created.
Inability to Return to Primary Site
Mechanisms exist to plan and prepare for both natural and manmade circumstances that preclude returning to the primary processing site.
Inbound & Outbound Communications Traffic
Mechanisms exist to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.
Incident Classification & Prioritization
Mechanisms exist to identify classes of incidents and actions to take to ensure the continuation of organizational missions and business functions.
Incident Handling
Mechanisms exist to cover the preparation, automated detection or intake of incident reporting, analysis, containment, eradication and recovery.
Incident Reporting Assistance
Mechanisms exist to provide incident response advice and assistance to users of systems for the handling and reporting of actual and potential cybersecurity & data privacy incidents.
Incident Response Operations
Mechanisms exist to implement and govern processes and documentation to facilitate an organization-wide response capability for cybersecurity & data privacy-related incidents.
Incident Response Plan (IRP)
Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.
Incident Response Testing
Mechanisms exist to formally test incident response capabilities through realistic exercises to determine the operational effectiveness of those capabilities.
Incident Response Training
Mechanisms exist to train personnel in their incident response roles and responsibilities.
Incident Stakeholder Reporting
Mechanisms exist to report incidents in a timely manner to applicable: internal stakeholders; affected clients & third-parties; and regulatory authorities.
Incompatible Roles
Mechanisms exist to avoid incompatible development-specific roles through limiting and reviewing developer privileges to change hardware, software and firmware components within a production/operational environment.
Independent Assessors
Mechanisms exist to utilize independent assessors to evaluate cybersecurity & data protection controls at planned intervals or when the system, service or project undergoes significant changes.
Independent Penetration Agent or Team
Mechanisms exist to utilize an independent assessor or penetration team to perform penetration testing.
Indicators of Compromise (IOC)
Mechanisms exist to define specific Indicators of Compromise (IOC) to identify the signs of potential cybersecurity events.
Indicators of Exposure (IOE)
Mechanisms exist to develop Indicators of Exposure (IOE) to understand the potential attack vectors that attackers could use to attack the organization.
Individuals Posing Greater Risk
Mechanisms exist to implement enhanced activity monitoring for individuals who have been identified as posing an increased level of risk.
Information Assurance (IA) Operations
Mechanisms exist to facilitate the implementation of cybersecurity & data privacy assessment and authorization controls.
Information Assurance Enabled Products
Mechanisms exist to limit the use of commercially-provided Information Assurance (IA) and IA-enabled IT products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile or whose cryptographic module is FIPS-validated or NSA-approved.
Information Disposal
Mechanisms exist to securely dispose of, destroy or erase information.
Information In Shared Resources
Mechanisms exist to prevent unauthorized and unintended information transfer via shared system resources.
Information Leakage Due To Electromagnetic Signals Emanations
Facility security mechanisms exist to protect the system from information leakage due to electromagnetic signals emanations.
Information Location
Mechanisms exist to identify and document the location of information and the specific system components on which the information resides.
Information Output Filtering
Mechanisms exist to validate information output from software programs and/or applications to ensure that the information is consistent with the expected content.
Information Search & Retrieval
Mechanisms exist to ensure information systems implement data search and retrieval functions that properly enforce data protection / sharing restrictions.
Information Sharing
Mechanisms exist to utilize a process to assist users in making information sharing decisions to ensure data is appropriately protected.
Information Sharing With Third Parties
Mechanisms exist to disclose Personal Data (PD) to third-parties only for the purposes identified in the data privacy notice and with the implicit or explicit consent of the data subject.
Information Spillage Response
Mechanisms exist to respond to sensitive information spills.
Information System Imaging
Mechanisms exist to reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state.
Information System Recovery & Reconstitution
Mechanisms exist to ensure the secure recovery and reconstitution of systems to a known state after a disruption, compromise or failure.
Infrared Communications
Mechanisms exist to prevent line of sight and reflected infrared (IR) communications use in an unsecured space.
Input Data Validation
Mechanisms exist to check the validity of information inputs.
Insecure Ports, Protocols & Services
Mechanisms exist to mitigate the risk associated with the use of insecure ports, protocols and services necessary to operate technology solutions.
Insider Threat Awareness
Mechanisms exist to utilize security awareness training on recognizing and reporting potential indicators of insider threat.
Insider Threat Program
Mechanisms exist to implement an insider threat program that includes a cross-discipline insider threat incident handling team.
Insider Threat Response Capability
Mechanisms exist to implement and govern an insider threat program.
Insider Threats
Mechanisms exist to monitor internal personnel activity for potential security incidents.
Inspect Media
Mechanisms exist to check media containing diagnostic and test programs for malicious code before the media are used.
Inspect Tools
Mechanisms exist to inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Inspection of Systems, Components & Devices
Mechanisms exist to physically and logically inspect critical technology assets to detect evidence of tampering.
Integrated Security Incident Response Team (ISIRT)
Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity & data privacy incident response operations.
Integration of Detection & Response
Mechanisms exist to detect and respond to unauthorized configuration changes as cybersecurity incidents.
Integration of Scanning & Other Monitoring Information
Automated mechanisms exist to integrate the analysis of audit records with analysis of vulnerability scanners, network performance, system monitoring and other sources to further enhance the ability to identify inappropriate or unusual activity.
Integrity Checks
Mechanisms exist to validate configurations through integrity checking of software and firmware.
Integrity Mechanisms for Software / Firmware Updates
Mechanisms exist to utilize integrity validation mechanisms for security updates.
Interface Security
Mechanisms exist to protect embedded devices against unauthorized use of the physical factory diagnostic and test interface(s).
Internal Audit Function
Mechanisms exist to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes.
Internal System Connections
Mechanisms exist to control internal system connections through authorizing internal connections of systems and documenting, for each internal connection, the interface characteristics, security requirements and the nature of the information communicated.
Internal Use of Personal Data For Testing, Training and Research
Mechanisms exist to address the use of Personal Data (PD) for internal testing, training and research that: takes measures to limit or minimize the amount of PD used for internal testing, training and research purposes; and authorizes the use of PD when such information is required for internal testing, training and research.
Internal Vulnerability Assessment Scans
Mechanisms exist to perform quarterly internal vulnerability scans, which include all segments of the organization's internal network, as well as rescans until passing results are obtained or all 'high' vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS).
Internet Address Denylisting
Mechanisms exist to implement Internet address denylisting protections that block traffic received from or destined to a denylisted Internet address.
Internet of Things (IOT)
Mechanisms exist to proactively manage the cybersecurity & data privacy risks associated with Internet of Things (IoT).
Intranets
Mechanisms exist to establish trust relationships with other organizations owning, operating, and/or maintaining intranet systems, allowing authorized individuals to: access the intranet from external systems; and process, store, and/or transmit organization-controlled information using the external systems.
Intrusion Alarms / Surveillance Equipment
Physical access control mechanisms exist to monitor physical intrusion alarms and surveillance equipment.
Intrusion Detection & Prevention Systems (IDS & IPS)
Mechanisms exist to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.
Invalidate Session Identifiers at Logout
Automated mechanisms exist to invalidate session identifiers upon user logout or other session termination.
Inventory of Personal Data
Mechanisms exist to establish, maintain and update an inventory that contains a listing of all programs and systems identified as collecting, using, maintaining, or sharing Personal Data (PD).
Investigation Access Restrictions
Mechanisms exist to support official investigations by provisioning government investigators with "least privileges" and "least functionality" to ensure that government investigators only have access to the data and systems needed to perform the investigation.
Investigation Request Notifications
Mechanisms exist to notify customers about investigation request notifications, unless the applicable legal basis for a government agency's action prohibits notification (e.g., potential criminal prosecution).
Isolated Recovery Environment
Mechanisms exist to utilize an isolated, non-production environment to perform data backup and recovery operations through offline, cloud or off-site capabilities.
Isolation of Information System Components
Mechanisms exist to employ boundary protections to isolate systems, services and processes that support critical missions and/or business functions.
Joint Processing of Personal Data
Mechanisms exist to clearly define and communicate the organization's role in processing Personal Data (PD) in the data processing ecosystem.
Jump Server
Mechanisms exist to conduct remote system administrative functions via a "jump box" or "jump server" that is located in a separate network zone to user workstations.
Just-In-Time Notice & Updated Consent
Mechanisms exist to present authorizations to process Personal Data (PD) in conjunction with the data action, when: the original circumstances under which an individual gave consent have changed; or a significant amount of time has passed since an individual gave consent.
Key Performance Indicators (KPIs)
Mechanisms exist to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program.
Key Risk Indicators (KRIs)
Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program.
Kiosks & Point of Interaction (PoI) Devices
Mechanisms exist to appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution.
Layered Network Defenses
Mechanisms exist to implement security functions as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers.
Least Functionality
Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.
Least Privilege
Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.
Legal Assessment of Investigative Inquiries
Mechanisms exist to determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary.
Library Privileges
Mechanisms exist to restrict software library privileges to those individuals with a pertinent business need for access.
Limit Network Connections
Mechanisms exist to limit the number of concurrent external network connections to its systems.
Limit Personal Data (PD) Dissemination
Mechanisms exist to limit the dissemination of Personal Data (PD) to organization-defined elements identified in the Data Protection Impact Assessment (DPIA) and consistent with authorized purposes.
Limit Personal Data (PD) Elements In Testing, Training & Research
Mechanisms exist to minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).
Limit Personal Data (PD) In Audit Records
Mechanisms exist to limit Personal Data (PD) contained in audit records to the elements identified in the data privacy risk assessment.
Limit Potential Harm
Mechanisms exist to utilize security safeguards to limit harm from potential adversaries who identify and target the organization's supply chain.
Limit Production / Operational Privileges (Incompatible Roles)
Mechanisms exist to limit operational privileges for implementing changes.
Limitations on Use
Mechanisms exist to restrict the use and distribution of sensitive / regulated data.
Limiting Personal Data Disclosures
Mechanisms exist to limit the disclosure of Personal Data (PD) to authorized parties for the sole purpose for which the PD was obtained.
Limits of Authorized Use
Mechanisms exist to prohibit external parties, systems and services from storing, processing and transmitting data unless authorized individuals first: ? Verify the implementation of required security controls; or ? Retain a processing agreement with the entity hosting the external systems or service.
Local Access to Privileged Accounts
Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate local access for privileged accounts.
Lockable Physical Casings
Physical access control mechanisms exist to protect system components from unauthorized physical access (e.g., lockable physical casings).
Maintain Configuration Control During Maintenance
Mechanisms exist to maintain proper physical security and configuration control over technology assets awaiting service or repair.
Maintenance Monitoring
Mechanisms exist to maintain situational awareness of the quality and reliability of systems and components through tracking maintenance activities and component failure rates.
Maintenance Operations
Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.
Maintenance Personnel Without Appropriate Access
Mechanisms exist to ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.
Maintenance Tools
Mechanisms exist to control and monitor the use of system maintenance tools.
Maintenance Validation
Mechanisms exist to validate maintenance activities were appropriately performed according to the work order and that security controls are operational.
Maintenance of Attribute Associations By System
Mechanisms exist to maintain the association and integrity of cybersecurity & data privacy attributes to individuals and objects.
Making Sensitive Data Unreadable In Storage
Mechanisms exist to ensure sensitive/regulated data is rendered human unreadable anywhere sensitive/regulated data is stored.
Malformed Input Testing
Mechanisms exist to utilize testing methods to ensure systems, services and products continue to operate as intended when subject to invalid or unexpected inputs on its interfaces.
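Added example (not from the control catalog): a seeded mutation fuzzer run against two parsers of a hypothetical TLV record format (1-byte type, 2-byte big-endian length, value). The naive parser shows the failure mode the control targets; the hardened one rejects malformed input with a controlled ValueError, which the harness counts as expected, while any other exception is recorded as a finding with the input that triggered it. Format, names and iteration counts are assumptions.

```python
import random
import struct

# Added example (not from the control catalog): seeded mutation fuzzing of a
# hypothetical TLV parser.  ValueError is the parser's controlled rejection;
# anything else escaping the parser is an unhandled-input bug.


def parse_tlv_naive(data):
    """Naive: struct.unpack raises struct.error on a truncated header, and an
    oversized length silently yields a short value instead of an error."""
    records, pos = [], 0
    while pos < len(data):
        rtype, length = struct.unpack(">BH", data[pos:pos + 3])
        records.append((rtype, data[pos + 3:pos + 3 + length]))
        pos += 3 + length
    return records


def parse_tlv(data):
    """Hardened: every malformed input becomes a ValueError carrying the offset."""
    records, pos, n = [], 0, len(data)
    while pos < n:
        if n - pos < 3:
            raise ValueError(f"truncated header at offset {pos}")
        rtype = data[pos]
        length = int.from_bytes(data[pos + 1:pos + 3], "big")
        pos += 3
        if length > n - pos:
            raise ValueError(f"length {length} exceeds {n - pos} remaining bytes at offset {pos}")
        records.append((rtype, bytes(data[pos:pos + length])))
        pos += length
    return records


def mutate(rng, data):
    """One random mutation: bit flip, truncation, insertion or boundary value."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf = buf[:rng.randrange(len(buf) + 1)]
    elif op == 2:
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    elif buf:
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    return bytes(buf)


def fuzz(parser, seed_input, iterations=2000, seed=1):
    """Run the parser over the seed and its mutants and classify each outcome.
    Deterministic for a given seed, so any finding can be reproduced."""
    rng = random.Random(seed)
    counts = {"ok": 0, "rejected": 0, "crash": 0}
    crashes = []
    for i in range(iterations):
        sample = seed_input if i == 0 else mutate(rng, seed_input)
        try:
            parser(sample)
            counts["ok"] += 1
        except ValueError:
            counts["rejected"] += 1          # controlled rejection: intended behaviour
        except Exception as exc:             # anything else is an unhandled-input bug
            counts["crash"] += 1
            if len(crashes) < 5:
                crashes.append((type(exc).__name__, sample.hex()))
    return counts, crashes


# Constructed seed input: three well-formed records.
SEED_INPUT = bytes([1, 0, 5]) + b"hello" + bytes([2, 0, 2]) + b"\x01\x02" + bytes([3, 0, 0])

if __name__ == "__main__":
    for name, parser in (("naive", parse_tlv_naive), ("hardened", parse_tlv)):
        counts, crashes = fuzz(parser, SEED_INPUT)
        print(name, counts, crashes[:2])
```

The harness reports the first few crashing inputs as hex so they can be replayed as regression tests; the pass criterion for the control is zero uncontrolled exceptions, not zero rejections.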
Malicious Code Protection (Anti-Malware)
Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.
Malicious Link & File Protections
Automated mechanisms exist to detect malicious links and/or files in communications and prevent users from accessing those malicious links and/or files.
Malware Protection Mechanism Testing
Mechanisms exist to test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs.
Malware Testing Prior to Release
Mechanisms exist to utilize at least one (1) malware detection tool to identify if any known malware exists in the final binaries of the product or security update.
Manage Organizational Knowledge
Mechanisms exist to manage the organizational knowledge of the cybersecurity & data privacy staff.
Managed Access Control Points
Mechanisms exist to route all remote access through managed network access control points (e.g., VPN concentrator).
Management Approval For External Media Transfer
Mechanisms exist to obtain management approval for any sensitive / regulated media that is transferred outside of the organization's facilities.
Management Approval For New or Changed Accounts
Mechanisms exist to ensure management approvals are required for new accounts or changes in permissions to existing accounts.
Managing Changes To Third-Party Services
Mechanisms exist to control changes to services by suppliers, taking into account the criticality of business information, systems and processes that are in scope by the third-party.
Manual Code Review
Mechanisms exist to require the developers of systems, system components or services to employ a manual code review process to identify and remediate unique flaws that require knowledge of the application's requirements and design.
Masking Displayed Data
Mechanisms exist to apply data masking to sensitive/regulated information that is displayed or printed.
Material Risks
Mechanisms exist to define criteria necessary to designate a risk as a material risk.
Material Threats
Mechanisms exist to define criteria necessary to designate a threat as a material threat.
Materiality Determination
Mechanisms exist to define materiality threshold criteria capable of designating an incident as material to the organization.
Measures of Performance
Mechanisms exist to develop, report and monitor cybersecurity & data privacy program measures of performance.
Measuring AI & Autonomous Technologies Effectiveness
Mechanisms exist to regularly assess the effectiveness of existing controls, including reports of errors and potential impacts on affected communities.
Media & Data Retention
Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.
Media Access
Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals.
Media Marking
Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.
Media Storage
Mechanisms exist to: ? Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and ? Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.
Media Transportation
Mechanisms exist to protect and control digital and non-digital media during transport outside of controlled areas using appropriate security measures.
Media Use
Mechanisms exist to restrict the use of types of digital media on systems or system components.
Memory Protection
Mechanisms exist to implement security safeguards to protect system memory from unauthorized code execution.
Message Queuing Telemetry Transport (MQTT) Security
Mechanisms exist to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.
Metadata
Mechanisms exist to enforce information flow controls based on metadata.
Metadata Validation
Automated mechanisms exist to apply cybersecurity and/or data privacy filters on metadata.
Microphones & Web Cameras
Mechanisms exist to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive/regulated information is discussed.
Microsegmentation
Automated mechanisms exist to enable microsegmentation, either physically or virtually, to divide the network according to the communication needs of application and data workflows.
Minimize Personal Data (PD)
Mechanisms exist to limit Personal Data (PD) being processed in the information lifecycle to elements identified in the Data Protection Impact Assessment (DPIA).
Minimize Visitor Personal Data (PD)
Mechanisms exist to minimize the collection of Personal Data (PD) contained in visitor access records.
Minimum Viable Product (MVP) Security Requirements
Mechanisms exist to ensure risk-based technical and functional specifications are established to define a Minimum Viable Product (MVP).
Mobile Code
Mechanisms exist to address mobile code / operating system-independent applications.
Mobile Device Data Retention Limitations
Mechanisms exist to limit data retention on mobile devices to the smallest usable dataset and timeframe.
Mobile Device Geofencing
Mechanisms exist to restrict the functionality of mobile devices based on geographic location.
Mobile Device Tampering
Mechanisms exist to protect mobile devices from tampering through inspecting devices returning from locations that the organization deems to be of significant risk, prior to the device being connected to the organization's network.
Monitor Controls
Mechanisms exist to compel data and/or process owners to monitor systems, applications and/or services under their control on an ongoing basis for applicable threats and risks, as well as to ensure cybersecurity & data privacy controls are operating as intended.
Monitoring For Information Disclosure
Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information.
Monitoring Physical Access
Physical access control mechanisms exist to monitor for, detect and respond to physical security incidents.
Monitoring Physical Access To Information Systems
Facility security mechanisms exist to monitor physical access to critical information systems or sensitive/regulated data, in addition to the physical access monitoring of the facility.
Monitoring Reporting
Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities.
Monitoring for Indicators of Compromise (IOC)
Automated mechanisms exist to identify and alert on Indicators of Compromise (IoC).
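Added example (not from the control catalog): a small matcher that scans key=value log lines against an indicator set of domains, networks and file hashes and emits one alert per hit. The indicator set and the log lines are constructed for the example (reserved .example names, TEST-NET-1 addresses, a hash of a constructed string); the field names are assumptions about the log format.

```python
import hashlib
import ipaddress
import re

# Added example (not from the control catalog).  Indicators and log lines are
# constructed: .example domains, TEST-NET-1 addresses, a hash of a test string.

IOCS = {
    "domains": {"bad.example"},                          # matches the domain and any subdomain
    "networks": {ipaddress.ip_network("192.0.2.0/24")},  # CIDR so one entry covers a range
    "sha256": {hashlib.sha256(b"constructed sample").hexdigest()},
}

LOG_LINES = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=93.184.216.34 host=www.example.com status=200",
    "2024-05-01T10:00:02Z proxy src=10.0.0.7 dst=192.0.2.44 host=cdn.bad.example status=200",
    "2024-05-01T10:00:03Z edr host=ws-12 proc=C:\\Temp\\update.exe sha256="
    + hashlib.sha256(b"constructed sample").hexdigest(),
    "2024-05-01T10:00:04Z dns src=10.0.0.9 query=update.bad.example rtype=A",
    "2024-05-01T10:00:05Z dns src=10.0.0.9 query=notbad.example rtype=A",
]

KV = re.compile(r"(\w+)=(\S+)")


def domain_matches(name, indicators):
    """Exact or subdomain match; the leading dot stops notbad.example matching bad.example."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in indicators)


def ip_matches(value, networks):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False                 # hostnames or garbage in an address field: no match
    return any(addr in net for net in networks)


def scan(lines, iocs):
    """Return one alert per (line, indicator type) hit, preserving log order."""
    alerts = []
    for line in lines:
        ts = line.split(" ", 1)[0]
        fields = dict(KV.findall(line))
        for key in ("host", "query"):
            if key in fields and domain_matches(fields[key], iocs["domains"]):
                alerts.append({"ts": ts, "type": "domain", "value": fields[key], "line": line})
        for key in ("src", "dst"):
            if key in fields and ip_matches(fields[key], iocs["networks"]):
                alerts.append({"ts": ts, "type": "ip", "value": fields[key], "line": line})
        if "sha256" in fields and fields["sha256"].lower() in iocs["sha256"]:
            alerts.append({"ts": ts, "type": "hash", "value": fields["sha256"], "line": line})
    return alerts


if __name__ == "__main__":
    for a in scan(LOG_LINES, IOCS):
        print(f"ALERT {a['ts']} {a['type']}={a['value']}")
```

Two details matter in practice: domain indicators are matched on a dot boundary so that look-alike names do not alert, and address indicators are held as networks so that a single entry covers an attacker's whole range.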
Monitoring for Third-Party Information Disclosure
Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of organizational information.
Monitoring with Alarms / Notifications
Facility security mechanisms exist to trigger an alarm or notification of temperature and humidity changes that may be harmful to personnel or equipment.
Motivated Intruder
Mechanisms exist to perform a motivated intruder test on the de-identified dataset to determine if identifying data remains or if the de-identified data can be re-identified.
Multi-Factor Authentication (MFA)
Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for: ? Remote network access; ? Third-party systems, applications and/or services; and/or ? Non-console access to critical systems or systems that store, transmit and/or process sensitive/regulated data.
Multi-Function Devices (MFD)
Mechanisms exist to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device.
Multi-Tenant Environments
Mechanisms exist to ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.
Multi-Tenant Event Logging Capabilities
Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate security event logging capabilities for its customers that are consistent with applicable statutory, regulatory and/or contractual obligations.
Multi-Tenant Forensics Capabilities
Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident.
Multi-Tenant Incident Response Capabilities
Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.
Multiple Information System Accounts
Mechanisms exist to implement security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems.
Network Access Control (NAC)
Automated mechanisms exist to employ Network Access Control (NAC), or a similar technology, which is capable of detecting unauthorized devices and disabling network access to those unauthorized devices.
Network Access to Non-Privileged Accounts
Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for non-privileged accounts.
Network Access to Privileged Accounts
Mechanisms exist to utilize Multi-Factor Authentication (MFA) to authenticate network access for privileged accounts.
Network Access to Privileged Commands
Mechanisms exist to authorize remote access to perform privileged commands on critical systems or where sensitive/regulated data is stored, transmitted and/or processed only for compelling operational needs.
Network Device Configuration File Synchronization
Mechanisms exist to configure network devices to synchronize startup and running configuration files.
Network Diagrams & Data Flow Diagrams (DFDs)
Mechanisms exist to maintain network architecture diagrams that: ? Contain sufficient detail to assess the security of the network's architecture; ? Reflect the current architecture of the network environment; and ? Document all sensitive/regulated data flows.
Network Intrusion Detection / Prevention Systems (NIDS / NIPS)
Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network.
Network Security Controls (NSC)
Mechanisms exist to develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC).
Network Segmentation
Mechanisms exist to ensure network architecture utilizes network segmentation to isolate systems, applications and services that require protection from other network resources.
No Embedded Unencrypted Static Authenticators
Mechanisms exist to ensure that unencrypted, static authenticators are not embedded in applications, scripts or stored on function keys.
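Added example (not from the control catalog): a scanner that flags static authenticators embedded in scripts or configuration, using a keyword rule for obvious assignments and a Shannon-entropy rule for opaque tokens, while skipping references to environment variables or vault lookups. The sample script is constructed and the regular expressions, placeholder prefixes and entropy threshold are assumptions to tune for a given code base.

```python
import math
import re

# Added example (not from the control catalog): embedded-secret scanner.
# The sample script below is constructed; the threshold is an assumption.

KEYWORD = re.compile(r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})")
OPAQUE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
PLACEHOLDER_PREFIXES = ("$", "<", "{{", "%(")   # env lookups / templating, not literal secrets
ENTROPY_THRESHOLD = 3.5                          # bits per char; random base64 is 4+, prose 2.5-3


def shannon_entropy(s):
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value):
    return value.startswith(PLACEHOLDER_PREFIXES)


def scan_text(text):
    """Return findings as dicts: line number, rule that fired, matched value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEYWORD.search(line)
        if m and not is_placeholder(m.group(2)):
            findings.append({"line": lineno, "rule": "keyword", "value": m.group(2)})
            continue                                 # one finding per line is enough
        for token in OPAQUE.findall(line):
            if not is_placeholder(token) and shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "rule": "high-entropy", "value": token})
                break
    return findings


# Constructed sample: line 2 is a literal password, line 5 carries an opaque
# bearer token; lines 3 and 4 fetch the secret at runtime and must not alert.
SAMPLE_SCRIPT = """#!/bin/sh
DB_PASSWORD="hunter2-but-longer"
API_KEY="$(vault kv get -field=value secret/app)"
TOKEN="${APP_TOKEN_FROM_ENV}"
curl -H "Authorization: Bearer Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==" https://api.example.com/v1/status
echo "deploy complete"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['rule']} -> {f['value']}")
```

Run as a pre-commit or CI gate, a scanner like this catches the literal credential before it reaches a repository; the entropy rule is what finds tokens that no keyword precedes, at the cost of occasional false positives on long identifiers, which the placeholder list and the threshold are there to limit.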
Non-Compliance Oversight
Mechanisms exist to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions.
Non-Console Administrative Access
Cryptographic mechanisms exist to protect the confidentiality and integrity of non-console administrative access.
Non-Modifiable Executable Programs
Mechanisms exist to utilize non-modifiable executable programs that load and execute the operating environment and applications from hardware-enforced, read-only media.
Non-Organizationally Owned Systems / Components / Devices
Mechanisms exist to restrict the use of non-organizationally owned information systems, system components or devices to process, store or transmit organizational information.
Non-Persistence
Mechanisms exist to implement non-persistent system components and services that are initiated in a known state and terminated upon the end of the session of use or periodically at an organization-defined frequency.
Non-Privileged Access for Non-Security Functions
Mechanisms exist to prohibit privileged users from using privileged accounts, while performing non-security functions.
Non-Repudiation
Mechanisms exist to utilize a non-repudiation capability to protect against an individual falsely denying having performed a particular action.
Non-System Related Maintenance
Mechanisms exist to ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of IT systems have required access authorizations.
Notice of Collection
Mechanisms exist to notify individuals that Personal Data (PD) is collected by sensors.
Notice of Correction or Processing Change
Mechanisms exist to notify affected data subjects if their Personal Data (PD) has been corrected or amended.
Notice of Financial Incentive
Mechanisms exist to provide data subjects with a Notice of Financial Incentive that explains the material terms of a financial incentive, price or service difference so the data subject can make an informed decision about whether to participate.
Notification of Disclosure Request To Data Subject
Mechanisms exist to notify data subjects of applicable legal requests to disclose Personal Data (PD).
Object Security Attributes
Mechanisms exist to associate security attributes with information, source and destination objects to enforce defined information flow control configurations as a basis for flow control decisions.
Obligation To Inform Third-Parties
Mechanisms exist to inform applicable third-parties of any modification, deletion or other change that affects shared Personal Data (PD).
Off-Site Maintenance
Mechanisms exist to ensure off-site maintenance activities are conducted securely and the asset(s) undergoing maintenance actions are secured during physical transfer and storage while off-site.
Offline Storage
Mechanisms exist to remove unused data from online storage and archive it off-line in a secure location until it can be disposed of according to data retention requirements.
On-Site Client Segregation
Mechanisms exist to ensure client-specific Intellectual Property (IP) is isolated from other data when client-specific IP is processed or stored within multi-client workspaces.
Open Source Software
Mechanisms exist to establish parameters for the secure use of open source software.
Operating Environment Certification
Mechanisms exist to determine if embedded technologies are certified for secure use in the proposed operating environment.
Operational Technology (OT)
Mechanisms exist to proactively manage the cybersecurity & data privacy risks associated with Operational Technology (OT).
Operationalizing Cybersecurity & Data Protection Practices
Mechanisms exist to compel data and/or process owners to operationalize cybersecurity & data privacy practices for each system, application and/or service under their control.
Operations Security
Mechanisms exist to facilitate the implementation of operational security controls.
Organization-Owned Mobile Devices
Mechanisms exist to prohibit the installation of non-approved applications or approved applications not obtained through the organization-approved application store.
Out-of-Band Authentication (OOBA)
Mechanisms exist to implement Out-of-Band Authentication (OOBA) under specific conditions.
Out-of-Band Channels
Mechanisms exist to utilize out-of-band channels for the electronic transmission of information and/or the physical shipment of system components or devices to authorized individuals.
Out-of-Band Multi-Factor Authentication
Mechanisms exist to implement Multi-Factor Authentication (MFA) for remote access to privileged and non-privileged accounts such that one of the factors is securely provided by a device separate from the system gaining access.
Output Encoding
Mechanisms exist to ensure output encoding is performed on all content produced by a web application to reduce the likelihood of cross-site scripting and other injection attacks.
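Added example (not from the control catalog): context-specific output encoders and a page renderer shown in a vulnerable and an encoded form. The point the control makes is that the encoding must match the context the value lands in (HTML body, URL parameter, JavaScript string literal); a single generic escape does not cover all of them. Function names and the page fragment are hypothetical; only the Python standard library is used.

```python
import html
import json
from urllib.parse import quote

# Added example (not from the control catalog): one encoder per output
# context, plus the same renderer before and after encoding.


def enc_html(value):
    """HTML body text and quoted attribute values: & < > " ' become entities."""
    return html.escape(str(value), quote=True)


def enc_js(value):
    """A string literal inside <script>: JSON-encode, then escape the characters
    that could close the script block or break the line (json.dumps leaves them)."""
    out = json.dumps(str(value))
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        out = out.replace(ch, esc)
    return out


def enc_url(value):
    """A query-string parameter: percent-encode everything except unreserved characters."""
    return quote(str(value), safe="")


def render_vulnerable(name):
    """Untrusted input dropped straight into three contexts (the 'before' form)."""
    return (f"<p>Hello {name}</p>"
            f'<a href="/profile?user={name}">profile</a>'
            f'<script>var user = "{name}";</script>')


def render_encoded(name):
    """Same page with the encoder chosen per context."""
    return (f"<p>Hello {enc_html(name)}</p>"
            f'<a href="/profile?user={enc_url(name)}">profile</a>'
            f"<script>var user = {enc_js(name)};</script>")


if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'
    print(render_vulnerable(payload))
    print(render_encoded(payload))
```

The JavaScript encoder is the one most often done wrong: `json.dumps` alone leaves `</script>` intact, so the closing tag in a value still terminates the script block even though the string literal itself is well-formed.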
Outsourcing Non-Essential Functions or Services
Mechanisms exist to identify non-essential functions or services that are capable of being outsourced to external service providers and align with the organization's enterprise architecture and security standards.
PKI-Based Authentication
Automated mechanisms exist to validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information for PKI-based authentication.
Pairwise Pseudonymous Identifiers (PPID)
Mechanisms exist to generate pairwise pseudonymous identifiers with no identifying information about a data subject to discourage activity tracking and profiling of the data subject.
Participant Connection Management
Mechanisms exist to ensure the meeting host can positively control an individual's participation in virtual meetings.
Participant Identity Verification
Mechanisms exist to verify individual identities to ensure that access to virtual meetings is limited to appropriate individuals.
Password Managers
Mechanisms exist to protect and store passwords via a password manager tool.
Password-Based Authentication
Mechanisms exist to enforce complexity, length and lifespan considerations to ensure strong criteria for password-based authentication.
Pattern-Hiding Displays
Mechanisms exist to implement pattern-hiding displays to conceal information previously visible on the display during the session lock.
Penetration Testing
Mechanisms exist to conduct penetration testing on systems and web applications.
Perform Succession Planning
Mechanisms exist to perform succession planning for vital cybersecurity & data privacy roles.
Performance Monitoring
Automated mechanisms exist to centrally monitor and alert on the operating state and health status of critical systems, applications and services.
Periodic Review
Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.
Periodic Review & Update of Cybersecurity & Data Protection Program
Mechanisms exist to review the cybersecurity & data privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
Periodic Review of Account Privileges
Mechanisms exist to periodically review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.
Periodic Scans for Sensitive Data
Mechanisms exist to periodically scan unstructured data sources for sensitive/regulated data or data requiring special protection measures by statutory, regulatory or contractual obligations.
Permitted Actions
Mechanisms exist to specify the permitted actions for both users and systems associated with the review, analysis and reporting of audit information.
Permitted Actions Without Identification or Authorization
Mechanisms exist to identify and document the supporting rationale for specific user actions that can be performed on a system without identification or authentication.
Personal Data (PD)
Mechanisms exist to apply network-based processing rules to data elements of Personal Data (PD).
Personal Data Accuracy & Integrity
Mechanisms exist to confirm the accuracy and relevance of Personal Data (PD) throughout the information lifecycle.
Personal Data Categories
Mechanisms exist to define and implement data handling and protection requirements for specific categories of sensitive Personal Data (PD).
Personal Data Exportability
Mechanisms exist to digitally export Personal Data (PD) in a secure manner upon request by the data subject.
Personal Data Inventory Automation Support
Automated mechanisms exist to determine if Personal Data (PD) is maintained in electronic form.
Personal Data Lineage
Mechanisms exist to utilize a record of processing activities to maintain a record of Personal Data (PD) that is stored, transmitted and/or processed under the organization's responsibility.
Personal Data Retention & Disposal
Mechanisms exist to: ? Retain Personal Data (PD), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law; ? Dispose of, destroy, erase and/or anonymize the PD, regardless of the method of storage; and ? Use organization-defined techniques or methods to ensure secure deletion or destruction of PD (including originals, copies and archived records).
Personally-Owned Mobile Devices
Mechanisms exist to restrict the connection of personally-owned, mobile devices to organizational systems and networks.
Personnel Sanctions
Mechanisms exist to sanction personnel failing to comply with established security policies, standards and procedures.
Personnel Screening
Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.
Personnel Termination
Mechanisms exist to govern the termination of individual employment.
Personnel Transfer
Mechanisms exist to adjust logical and physical access authorizations to systems and facilities upon personnel reassignment or transfer, in a timely manner.
Phishing & Spam Protection
Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.
Physical & Environmental Protections
Mechanisms exist to facilitate the operation of physical and environmental protection controls.
Physical Access Authorizations
Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).
Physical Access Control
Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).
Physical Access Logs
Physical access control mechanisms exist to generate a log entry for each access through controlled ingress and egress points.
Physical Diagnostic & Test Interfaces
Mechanisms exist to secure physical diagnostic and test interfaces to prevent misuse.
Physical Media Disposal
Mechanisms exist to securely dispose of media when it is no longer required, using formal procedures.
Physical Security of Offices, Rooms & Facilities
Mechanisms exist to identify systems, equipment and respective operating environments that require limited physical access so that appropriate physical access controls are designed and implemented for offices, rooms and facilities.
Physically Secure All Media
Mechanisms exist to physically secure all media that contains sensitive information.
Plan / Coordinate with Other Organizational Entities
Mechanisms exist to plan and coordinate Information Assurance Program (IAP) activities with affected stakeholders before conducting such activities in order to reduce the potential impact on operations.
Plan of Action & Milestones (POA&M)
Mechanisms exist to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.
Plan of Action & Milestones (POA&M) Automation
Automated mechanisms exist to help ensure the Plan of Action and Milestones (POA&M), or similar risk register, is accurate, up-to-date and readily-available.
Policy Familiarization & Acknowledgement
Mechanisms exist to ensure personnel receive recurring familiarization with the organization's cybersecurity & data privacy policies and provide acknowledgement.
Port & Input / Output (I/O) Device Access
Mechanisms exist to physically disable or remove unnecessary connection ports or input/output devices from sensitive systems.
Portable Storage Devices
Mechanisms exist to restrict or prohibit the use of portable storage devices by users on external systems.
Ports, Protocols & Services In Use
Mechanisms exist to require the developers of systems, system components or services to identify early in the Secure Development Life Cycle (SDLC), the functions, ports, protocols and services intended for use.
Position Categorization
Mechanisms exist to manage personnel security risk by assigning a risk designation to all positions and establishing screening criteria for individuals filling those positions.
Post-Employment Obligations
Mechanisms exist to notify terminated individuals of applicable, legally-binding post-employment requirements for the protection of sensitive organizational information.
Post-Employment Requirements
Mechanisms exist to govern former employee behavior by notifying terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information.
Post-Spill Operations
Mechanisms exist to ensure that organizational personnel impacted by sensitive information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
Potential Human Rights Abuses
Mechanisms exist to constrain the supply of physical and/or digital activity logs to the host government that can directly lead to contravention of the Universal Declaration of Human Rights (UDHR), as well as other applicable statutory, regulatory and/or contractual obligations.
Power Level Monitoring
Automated mechanisms exist to monitor the power levels of embedded technologies for decreased or excessive power usage, including battery drainage, to investigate for device tampering.
Practical Exercises
Mechanisms exist to include practical exercises in cybersecurity & data privacy training that reinforce training objectives.
Pre-Established Secure Configurations
Mechanisms exist to ensure vendors / manufacturers: ? Deliver the system, component, or service with a pre-established, secure configuration implemented; and ? Use the pre-established, secure configuration as the default for any subsequent system, component, or service reinstallation or upgrade.
Pre-Trained AI & Autonomous Technologies Models
Mechanisms exist to validate the information sources and quality of pre-trained models used in Artificial Intelligence (AI) and Autonomous Technologies (AAT) training, maintenance and improvement-related activities.
Pre/Post Transmission Handling
Cryptographic mechanisms exist to ensure the confidentiality and integrity of information during preparation for transmission and during reception.
Predictable Failure Analysis
Mechanisms exist to determine the Mean Time to Failure (MTTF) for system components in specific environments of operation.
Predictive Maintenance
Mechanisms exist to perform predictive maintenance on critical systems, applications and services.
Preparation for Use
Mechanisms exist to prepare the alternate processing site to support essential missions and business functions so that the alternate site is capable of being used as the primary site.
Prevent Alterations
Mechanisms exist to protect embedded devices by preventing the unauthorized installation and execution of software.
Prevent Discovery of Internal Information
Mechanisms exist to prevent the public disclosure of internal network information.
Prevent Program Execution
Automated mechanisms exist to prevent the execution of unauthorized software programs.
Prevent Unauthorized Exfiltration
Automated mechanisms exist to prevent the unauthorized exfiltration of sensitive/regulated data across managed interfaces.
Prevent Unauthorized Removal
Mechanisms exist to prevent or control the removal of equipment undergoing maintenance that contains organizational information.
Prevent Unauthorized Software Execution
Mechanisms exist to configure systems to prevent the execution of unauthorized software programs.
Preventative Maintenance
Mechanisms exist to perform preventive maintenance on critical systems, applications and services.
Previous Logon Notification
Mechanisms exist to configure systems that process, store or transmit sensitive/regulated data to notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
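The control above is usually satisfied by the operating system's logon banner, but the same count can be derived from authentication logs when a system lacks native support or when the SOC wants to verify what the user was told. The following is an added example, not part of the SCF control text: it parses a few constructed sshd-style log lines and, for a given user, counts the failed attempts that fall between the user's previous successful logon and the current one. The log lines, host name, user names and addresses are all invented for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample auth log lines (syslog-style sshd messages); not from any real system.
SAMPLE_LOG = """\
Mar 03 08:01:12 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar 03 09:14:03 host sshd[1340]: Failed password for alice from 203.0.113.9 port 41022 ssh2
Mar 03 09:14:09 host sshd[1340]: Failed password for alice from 203.0.113.9 port 41022 ssh2
Mar 03 09:20:44 host sshd[1355]: Failed password for invalid user admin from 203.0.113.9 port 41100 ssh2
Mar 03 09:31:00 host sshd[1402]: Failed password for bob from 198.51.100.4 port 53010 ssh2
Mar 03 10:02:51 host sshd[1500]: Accepted password for alice from 10.0.0.5 port 50200 ssh2
"""

# Matches both successful and failed sshd logon lines, including "invalid user" failures.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass
class LogonEvent:
    ts: str
    success: bool
    user: str
    src: str


def parse_events(text):
    """Turn raw log text into LogonEvent records, skipping lines that are not logon results."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(LogonEvent(m["ts"], m["result"] == "Accepted", m["user"], m["src"]))
    return events


def failures_since_last_success(events, user):
    """Failed attempts for `user` after the previous successful logon and before the
    current (most recent) successful logon. Returns [] if the user has never logged on."""
    user_events = [e for e in events if e.user == user]
    successes = [i for i, e in enumerate(user_events) if e.success]
    if not successes:
        return []
    current = successes[-1]
    previous = successes[-2] if len(successes) >= 2 else -1
    return [e for e in user_events[previous + 1:current] if not e.success]


def logon_notice(events, user):
    """The text a system would show the user at the current successful logon."""
    fails = failures_since_last_success(events, user)
    if not fails:
        return f"{user}: no unsuccessful logon attempts since last successful logon"
    sources = sorted({e.src for e in fails})
    return (f"{user}: {len(fails)} unsuccessful logon attempt(s) since last successful "
            f"logon ({fails[0].ts} .. {fails[-1].ts}) from {', '.join(sources)}")


if __name__ == "__main__":
    print(logon_notice(parse_events(SAMPLE_LOG), "alice"))
```

Note that failures for non-existent accounts ("invalid user admin") are attributed to the attempted name, so they never pollute a real user's count, and that a user with no prior success gets all earlier failures counted against the first logon.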
Previously Unknown AI & Autonomous Technologies Threats & Risks
Mechanisms exist to respond to and recover from a previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified.
Primary Source Personal Data (PD) Collection
Mechanisms exist to collect Personal Data (PD) directly from the individual.
Primary Sources
Mechanisms exist to ensure information is directly collected from the data subject, whenever possible.
Privacy Act Exemptions
Mechanisms exist to review all Privacy Act exemptions claimed for the System of Records Notices (SORN) to ensure they remain appropriate and accurate.
Privacy Act Statements
Mechanisms exist to provide additional formal notice to individuals from whom the information is being collected that includes: • Notice of the authority of organizations to collect Personal Data (PD); • Whether providing Personal Data (PD) is mandatory or optional; • The principal purpose or purposes for which the Personal Data (PD) is to be used; • The intended disclosures or routine uses of the information; and • The consequences of not providing all or some portion of the information requested.
Privilege Levels for Code Execution
Automated mechanisms exist to prevent applications from executing at higher privilege levels than the user's privileges.
Privileged Access
Mechanisms exist to implement privileged access authorization for selected vulnerability scanning activities.
Privileged Access by Non-Organizational Users
Mechanisms exist to prohibit privileged access by non-organizational users.
Privileged Account Identifiers
Mechanisms exist to uniquely manage privileged accounts to identify the account as a privileged user or service.
Privileged Account Inventories
Mechanisms exist to inventory all privileged accounts and validate that each person with elevated privileges is authorized by the appropriate level of organizational management.
Privileged Account Management (PAM)
Mechanisms exist to restrict and control privileged access rights for users and services.
Privileged Account Separation
Mechanisms exist to separate privileged accounts between infrastructure environments to reduce the risk of a compromise in one infrastructure environment from laterally affecting other infrastructure environments.
Privileged Accounts
Mechanisms exist to restrict the assignment of privileged accounts to organization-defined personnel or roles without management approval.
Privileged Functions Logging
Mechanisms exist to log and review the actions of users and/or services with elevated privileges.
Privileged User Oversight
Mechanisms exist to implement enhanced activity monitoring for privileged users.
Privileged Users
Mechanisms exist to provide specific training for privileged users to ensure privileged users understand their unique roles and responsibilities.
Probationary Periods
Mechanisms exist to identify newly onboarded personnel for enhanced monitoring during their probationary period.
Process Isolation
Mechanisms exist to implement a separate execution domain for each executing process.
Processes To Address Weaknesses or Deficiencies
Mechanisms exist to address identified weaknesses or deficiencies in the security of the supply chain.
Product Management
Mechanisms exist to design and implement product management processes to update products, including systems, software and services, to improve functionality and correct security deficiencies.
Product Tampering and Counterfeiting (PTC)
Mechanisms exist to maintain awareness of component authenticity by developing and implementing Product Tampering and Counterfeiting (PTC) practices that include the means to detect and prevent counterfeit components.
Product or Service Delivery Restrictions
Mechanisms exist to prohibit the refusal of products and/or services on the grounds that a data subject does not agree to the processing of Personal Data (PD) or withdraws consent.
Prohibit Installation Without Privileged Status
Automated mechanisms exist to prohibit software installations without explicitly assigned privileged status.
Prohibit Non-Privileged Users from Executing Privileged Functions
Mechanisms exist to prevent non-privileged users from executing privileged functions to include disabling, circumventing or altering implemented security safeguards / countermeasures.
Prohibit Use Without Owner
Mechanisms exist to prohibit the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
Prohibited Equipment & Services
Mechanisms exist to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body.
Prohibition Of Changes
Mechanisms exist to prohibit unauthorized changes, unless organization-approved change requests are received.
Prohibition Of Selling or Sharing Personal Data
Mechanisms exist to prevent the sale or sharing of Personal Data (PD) when instructed by the data subject.
Prohibition On Unverified Hosted Systems, Applications & Services
Mechanisms exist to prohibit access to, or usage of, hosted systems, applications and/or services until applicable cybersecurity & data protection control implementation is verified.
Protecting Sensitive Data on External Systems
Mechanisms exist to ensure that the requirements for the protection of sensitive information processed, stored or transmitted on external systems, are implemented in accordance with applicable statutory, regulatory and contractual obligations.
Protection of Authenticators
Mechanisms exist to protect authenticators commensurate with the sensitivity of the information to which use of the authenticator permits access.
Protection of Boot Firmware
Automated mechanisms exist to protect the integrity of boot firmware in information systems.
Protection of Confidentiality / Integrity Using Encryption
Cryptographic mechanisms exist to protect the confidentiality and integrity of remote access sessions (e.g., VPN).
Protection of Event Logs
Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.
Protocol Compliance Enforcement
Automated mechanisms exist to ensure network traffic complies with Internet Engineering Task Force (IETF) protocol specifications.
Provenance
Mechanisms exist to track the origin, development, ownership, location and changes to systems, system components and associated data.
Provider Contingency Plan
Mechanisms exist to contractually-require external service providers to have contingency plans that meet organizational contingency requirements.
Proximity Sensor
Automated mechanisms exist to monitor physical proximity to robotic or autonomous platforms to reduce applied force or stop the operation when sensors indicate a potentially dangerous scenario.
Proxy Logging
Mechanisms exist to log all Internet-bound requests, in order to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
Public Key Infrastructure (PKI)
Mechanisms exist to securely implement an internal Public Key Infrastructure (PKI) infrastructure or obtain PKI services from a reputable PKI service provider.
Public Relations & Reputation Repair
Mechanisms exist to proactively manage public relations associated with incidents and employ appropriate measures to prevent further reputational damage and develop plans to repair any damage to the organization's reputation.
Publicly Accessible Content
Mechanisms exist to control publicly-accessible content.
Publicly Accessible Content Reviews
Mechanisms exist to routinely review the content on publicly accessible systems for sensitive/regulated data and remove such information, if discovered.
Publishing Cybersecurity & Data Protection Documentation
Mechanisms exist to establish, maintain and disseminate cybersecurity & data protection policies, standards and procedures.
Purpose Specification
Mechanisms exist to identify and document the purpose(s) for which Personal Data (PD) is collected, used, maintained and shared in its data privacy notices.
Purpose Validation
Mechanisms exist to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose.
Query Parameter Audits of Personal Data (PD)
Mechanisms exist to provide and implement the capability for auditing the parameters of user query events for data sets containing Personal Data (PD).
Radio Frequency Identification (RFID) Security
Mechanisms exist to securely govern Radio Frequency Identification (RFID) deployments to ensure RFID is used safely and securely to protect the confidentiality and integrity of data and prevent the compromise of secure spaces.
Randomness
Automated mechanisms exist to introduce randomness into organizational operations and assets.
Re-Authentication
Mechanisms exist to force users and devices to re-authenticate according to organization-defined circumstances that necessitate re-authentication.
Re-Imaging Devices After Travel
Mechanisms exist to re-image end user technology (e.g., laptops and mobile devices) when returning from overseas travel to an authoritarian country with a higher-than-average risk of Intellectual Property (IP) theft or espionage against individuals and private companies.
Re-Validate Collected Personal Data
Mechanisms exist to ensure that the data subject, or authorized representative, re-validate that Personal Data (PD) acquired during the collection process is still accurate.
Real-Time Alerts of Event Logging Failure
Mechanisms exist to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs.
Real-Time Operating System (RTOS) Security
Mechanisms exist to ensure embedded technologies utilize a securely configured Real-Time Operating System (RTOS).
Real-Time Session Monitoring
Mechanisms exist to enable authorized personnel the ability to remotely view and hear content related to an established user session in real time, in accordance with organizational standards, as well as statutory, regulatory and contractual obligations.
Real-Time or Layered Notice
Mechanisms exist to provide real-time and/or layered notice when Personal Data (PD) is collected that provides data subjects with a summary of key points or more detailed information that is specific to the organization's data privacy notice.
Recovery Operations Communications
Mechanisms exist to communicate the status of recovery activities and progress in restoring operational capabilities to designated internal and external stakeholders.
Recovery Operations Criteria
Mechanisms exist to define specific criteria that must be met to initiate Business Continuity / Disaster Recovery (BC/DR) plans that facilitate business continuity operations capable of meeting applicable Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Recovery Time / Point Objectives (RTO / RPO)
Mechanisms exist to facilitate recovery operations in accordance with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Red Team Exercises
Mechanisms exist to utilize "red team" exercises to simulate attempts by adversaries to compromise systems and applications in accordance with organization-defined rules of engagement.
Redundant Cabling
Mechanisms exist to employ redundant power cabling paths that are physically separated to ensure that power continues to flow in the event one of the cables is cut or otherwise damaged.
Redundant Secondary System
Mechanisms exist to maintain a failover system, which is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations.
Reference Monitor
Mechanisms exist to implement a reference monitor that is tamperproof, always-invoked, small enough to be subject to analysis / testing and the completeness of which can be assured.
Refresh from Trusted Sources
Mechanisms exist to ensure that software and data needed for information system component and service refreshes are obtained from trusted sources.
Regional Delivery
Mechanisms exist to support operations that are geographically dispersed via regional delivery of technological services.
Register As A Data Controller and/or Data Processor
Mechanisms exist to register as a data controller and/or data processor, including registering databases containing Personal Data (PD) with the appropriate Data Authority, when necessary.
Regulatory & Law Enforcement Contacts
Mechanisms exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Reject Unauthorized Disclosure Requests
Mechanisms exist to reject unauthorized disclosure requests.
Release
Mechanisms exist to remove Personal Data (PD) elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.
Remediate Identified Skills Deficiencies
Mechanisms exist to remediate critical skills deficiencies necessary to support the organization's mission and business functions.
Remote Access
Mechanisms exist to define, control and review organization-approved, secure remote access methods.
Remote Maintenance
Mechanisms exist to authorize, monitor and control remote, non-local maintenance and diagnostic activities.
Remote Maintenance Comparable Security & Sanitization
Mechanisms exist to require systems performing remote, non-local maintenance and / or diagnostic services implement a security capability comparable to the capability implemented on the system being serviced.
Remote Maintenance Cryptographic Protection
Cryptographic mechanisms exist to protect the integrity and confidentiality of remote, non-local maintenance and diagnostic communications.
Remote Maintenance Disconnect Verification
Mechanisms exist to provide remote disconnect verification to ensure remote, non-local maintenance and diagnostic sessions are properly terminated.
Remote Maintenance Notifications
Mechanisms exist to require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time).
Remote Maintenance Pre-Approval
Mechanisms exist to require maintenance personnel to obtain pre-approval and scheduling for remote, non-local maintenance sessions.
Remote Privileged Commands & Sensitive Data Access
Mechanisms exist to restrict the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs.
Remote Purging
Mechanisms exist to remotely purge selected information from mobile devices.
Remote Session Termination
Mechanisms exist to terminate remote sessions at the end of the session or after an organization-defined time period of inactivity.
Removable Media Security
Mechanisms exist to restrict removable media in accordance with data handling and acceptable usage parameters.
Removal of Assets
Mechanisms exist to authorize, control and track technology assets entering and exiting organizational facilities.
Removal of Previous Versions
Mechanisms exist to remove old versions of software and firmware components after updated versions have been installed.
Removal of Temporary / Emergency Accounts
Automated mechanisms exist to disable or remove temporary and emergency accounts after an organization-defined time period for each type of account.
Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers
Mechanisms exist to remove, mask, encrypt, hash or replace direct identifiers in a dataset.
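Each of the five actions in the control above has a different security property, and "hash" in particular is the one most often done wrong: an unkeyed SHA-256 of a Social Security Number or phone number can be reversed by enumerating the small input space. The following is an added example, not part of the SCF control text, showing a per-field policy that removes, masks, keyed-hashes (HMAC pseudonyms, so linkage across records is preserved but reversal requires the secret key), or replaces (random tokens held in a separate vault) direct identifiers before a dataset is released. The records are fictitious and the field names, policy mapping and key are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records with fictitious people; not real data.
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org", "ssn": "123-45-6789",
     "phone": "555-0101", "zip": "02139", "diagnosis": "J45"},
    {"name": "Bo Sample", "email": "bo@example.net", "ssn": "987-65-4321",
     "phone": "555-0199", "zip": "94016", "diagnosis": "E11"},
    {"name": "Ada Example", "email": "ada@example.org", "ssn": "123-45-6789",
     "phone": "555-0101", "zip": "02139", "diagnosis": "I10"},
]

# Assumed per-field policy. Fields absent from the policy are removed by default,
# which is the safe failure mode for a newly added column nobody classified.
POLICY = {
    "name": "remove",      # drop outright
    "email": "replace",    # random token; mapping kept in a separate vault
    "ssn": "hash",         # keyed pseudonym; same person -> same value, not reversible without key
    "phone": "mask",       # keep last 4 digits only
    "zip": "keep",         # retained (a quasi-identifier; k-anonymity is a separate control)
    "diagnosis": "keep",
}


class Deidentifier:
    def __init__(self, policy, key):
        if len(key) < 32:
            raise ValueError("pseudonymization key must be at least 32 bytes")
        self.policy = policy
        self.key = key          # must be stored apart from the released dataset
        self.vault = {}         # original value -> token; never shipped with the release

    def pseudonym(self, value):
        # HMAC, not a bare hash: without the key an attacker cannot enumerate the input space.
        return hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]

    def token(self, value):
        # Random replacement; consistent within one release so records of one person still link.
        if value not in self.vault:
            self.vault[value] = "T-" + secrets.token_hex(6)
        return self.vault[value]

    @staticmethod
    def mask(value, keep=4):
        return "*" * max(len(value) - keep, 0) + value[-keep:]

    def apply(self, record):
        out = {}
        for field, value in record.items():
            action = self.policy.get(field, "remove")
            if action == "remove":
                continue
            if action == "keep":
                out[field] = value
            elif action == "mask":
                out[field] = self.mask(value)
            elif action == "hash":
                out[field] = self.pseudonym(value)
            elif action == "replace":
                out[field] = self.token(value)
            else:
                raise ValueError(f"unknown action {action!r} for field {field!r}")
        return out

    def release(self, records):
        return [self.apply(r) for r in records]


if __name__ == "__main__":
    d = Deidentifier(POLICY, secrets.token_bytes(32))
    for row in d.release(RECORDS):
        print(row)
```

Two checks worth running before any release: the same person must map to the same pseudonym within the release (linkage preserved), and a different key must produce a different pseudonym (so a release keyed for one recipient cannot be joined against another's).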
Replay-Resistant Authentication
Automated mechanisms exist to employ replay-resistant authentication.
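Replay resistance comes from binding each authentication exchange to a value the verifier has never accepted before. The following is an added example, not part of the SCF control text: a minimal challenge-response in which the verifier issues a random, single-use, time-limited nonce and the claimant answers with an HMAC over the nonce and its identity using a pre-shared key. Replaying a captured response, presenting it under another identity, or answering after the challenge expired are all rejected. The client identifiers, key handling and TTL are assumptions for illustration; a production deployment would use an established protocol rather than hand-rolled messages.

```python
import hashlib
import hmac
import secrets
import time


class Verifier:
    """Server side: issues single-use, time-limited challenges and checks responses."""

    def __init__(self, shared_keys, ttl_seconds=30, clock=time.time):
        self.shared_keys = shared_keys   # client_id -> key bytes (assumed pre-provisioned)
        self.ttl = ttl_seconds
        self.clock = clock               # injectable for testing expiry
        self.pending = {}                # nonce -> (client_id, issued_at)

    def challenge(self, client_id):
        # 128-bit random nonce: unpredictable, so an attacker cannot precompute a response.
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (client_id, self.clock())
        return nonce

    def verify(self, client_id, nonce, response):
        # pop() makes the nonce single-use: a second presentation finds nothing.
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False                 # never issued, or already consumed (replay)
        expected_id, issued = entry
        if expected_id != client_id:
            return False                 # response bound to a different identity
        if self.clock() - issued > self.ttl:
            return False                 # challenge expired
        key = self.shared_keys.get(client_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce + client_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def client_respond(key, client_id, nonce):
    """Claimant side: prove possession of the key for this nonce and identity."""
    return hmac.new(key, nonce + client_id.encode(), hashlib.sha256).digest()


def demo():
    """Fresh response accepted; replay and cross-identity reuse rejected."""
    key17, key18 = secrets.token_bytes(32), secrets.token_bytes(32)
    v = Verifier({"device-17": key17, "device-18": key18})

    n1 = v.challenge("device-17")
    r1 = client_respond(key17, "device-17", n1)
    fresh = v.verify("device-17", n1, r1)
    replay = v.verify("device-17", n1, r1)          # same nonce again

    n2 = v.challenge("device-17")
    r2 = client_respond(key17, "device-17", n2)
    wrong_client = v.verify("device-18", n2, r2)    # captured response, other identity
    return {"fresh": fresh, "replay": replay, "wrong_client": wrong_client}


def demo_expiry():
    """A correct response presented after the TTL is rejected."""
    clock = [1_000.0]
    key = b"\x01" * 32                                # assumed pre-shared key, illustration only
    v = Verifier({"device-17": key}, ttl_seconds=30, clock=lambda: clock[0])
    n = v.challenge("device-17")
    clock[0] += 31                                    # advance injected clock past the TTL
    return v.verify("device-17", n, client_respond(key, "device-17", n))


if __name__ == "__main__":
    print(demo(), "expired accepted:", demo_expiry())
```

The verifier must also evict stale entries from `pending` (e.g., on each `challenge()` call) so an attacker cannot fill memory by requesting challenges it never answers; that housekeeping is omitted here for brevity.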
Report Verification Results
Mechanisms exist to report the results of cybersecurity & data privacy function verification to appropriate organizational management.
Reserve Hardware
Mechanisms exist to purchase and maintain a sufficient reserve of spare hardware to ensure essential missions and business functions can be maintained in the event of a supply chain disruption.
Resilience To Outages
Mechanisms exist to configure embedded technology to be resilient to data network and power outages.
Resource Containment
Automated mechanisms exist to enforce resource containment protections that remove or quarantine a resource's access to other resources.
Resource Priority
Mechanisms exist to control resource utilization of systems that are susceptible to Denial of Service (DoS) attacks to limit and prioritize the use of resources.
Respond To Unauthorized Changes
Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents.
Response To Event Log Processing Failures
Mechanisms exist to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption.
Responsibility To Supersede, Deactivate and/or Disengage AI & Autonomous Technologies
Mechanisms exist to define the criteria and responsible party(ies) for superseding, disengaging or deactivating Artificial Intelligence (AI) and Autonomous Technologies (AAT) that demonstrate performance or outcomes inconsistent with intended use.
Responsible Personnel
Mechanisms exist to formally assign personnel or roles with responsibility for responding to sensitive information spills.
Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix
Mechanisms exist to document and maintain a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to delineate assignment for cybersecurity & data privacy controls between internal stakeholders and External Service Providers (ESPs).
Restoration Integrity Verification
Mechanisms exist to verify the integrity of backups and other restoration assets prior to using them for restoration.
Restore Within Time Period
Mechanisms exist to restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset.
Restrict Access To Security Functions
Mechanisms exist to ensure security functions are restricted to authorized individuals and enforce least privilege control requirements for necessary job functions.
Restrict Collection To Identified Purpose
Mechanisms exist to collect Personal Data (PD) only for the purposes identified in the data privacy notice and include protections against collecting PD from minors without appropriate parental, or legal guardian, consent.
Restrict Communications
Mechanisms exist to require embedded technologies to initiate all communications and drop new, incoming communications.
Restrict Configuration By Users
Mechanisms exist to identify and explicitly authorize users who are allowed to independently configure wireless networking capabilities.
Restrict Roles Permitted To Install Software
Mechanisms exist to configure systems to prevent the installation of software, unless the action is performed by a privileged user or service.
Restrict Tool Usage
Automated mechanisms exist to restrict the use of maintenance tools to authorized maintenance personnel and/or roles.
Restrict Unescorted Access
Physical access control mechanisms exist to restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and a validated need for access.
Restricting Access To Authorized Devices
Mechanisms exist to restrict the connectivity of unauthorized mobile devices from communicating with systems, applications and services.
Restrictions on Shared Groups / Accounts
Mechanisms exist to authorize the use of shared/group accounts only under certain organization-defined conditions.
Resume All Missions & Business Functions
Mechanisms exist to resume all missions and business functions within Recovery Time Objectives (RTOs) of the contingency plan's activation.
Resume Essential Missions & Business Functions
Mechanisms exist to resume essential missions and business functions within an organization-defined time period of contingency plan activation.
Retain Access Records
Mechanisms exist to retain a record of personnel accountability to ensure there is a record of all access granted to an individual (at both the system and application level), who provided the authorization, when the authorization was granted and when the access was last reviewed.
Retention Of Previous Configurations
Mechanisms exist to retain previous versions of baseline configuration to support roll back.
Return of Assets
Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement.
Review Historical Event Logs
Mechanisms exist to review historical event logs to determine if identified vulnerabilities have been previously exploited.
Review of Third-Party Services
Mechanisms exist to monitor, regularly review and audit External Service Providers (ESPs) for compliance with established contractual requirements for cybersecurity & data privacy controls.
Reviewing Vulnerability Scanner Usage
Mechanisms exist to monitor logs associated with scanning activities and associated administrator accounts to ensure that those activities are limited to the timeframes of legitimate scans.
Reviews & Updates
Mechanisms exist to review and update baseline configurations: • At least annually; • When required due to organization-defined circumstances; or • As part of system component installations and upgrades.
Reviews & Updates
Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.
Revocation of Access Authorizations
Mechanisms exist to revoke logical and physical access authorizations.
Revoke Consent
Mechanisms exist to allow data subjects to revoke consent to the processing of their Personal Data (PD).
Right to Erasure
Mechanisms exist to erase Personal Data (PD) of a data subject without delay.
Risk Appetite
Mechanisms exist to define organizational risk appetite, the degree of uncertainty the organization is willing to accept in anticipation of a reward.
Risk Assessment
Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data.
Risk Assessment Update
Mechanisms exist to routinely update risk assessments and react accordingly upon identifying new security vulnerabilities, including using outside sources for security vulnerability information.
Risk Catalog
Mechanisms exist to develop and keep current a catalog of applicable risks associated with the organization's business operations and technologies in use.
Risk Culture
Mechanisms exist to ensure teams are committed to a culture that considers and communicates technology-related risk.
Risk Framing
Mechanisms exist to identify: • Assumptions affecting risk assessments, risk response and risk monitoring; • Constraints affecting risk assessments, risk response and risk monitoring; • The organizational risk tolerance; and • Priorities, benefits and trade-offs considered by the organization for managing risk.
Risk Identification
Mechanisms exist to identify and document risks, both internal and external.
Risk Management Program
Mechanisms exist to facilitate the implementation of strategic, operational and tactical risk management controls.
Risk Management Resourcing
Mechanisms exist to reduce the magnitude or likelihood of potential impacts by resourcing the capability required to manage technology-related risks.
Risk Monitoring
Mechanisms exist to ensure risk monitoring as an integral part of the continuous monitoring strategy that includes monitoring the effectiveness of cybersecurity & data privacy controls, compliance and change management.
Risk Ranking
Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices.
Risk Register
Mechanisms exist to maintain a risk register that facilitates monitoring and reporting of risks.
Risk Remediation
Mechanisms exist to remediate risks to an acceptable level.
Risk Response
Mechanisms exist to respond to findings from cybersecurity & data privacy assessments, incidents and audits to ensure proper remediation has been performed.
Risk Threshold
Mechanisms exist to define organizational risk threshold, the level of risk exposure above which risks are addressed and below which risks may be accepted.
Risk Tolerance
Mechanisms exist to define organizational risk tolerance, the specified range of acceptable results.
Risk-Based Security Categorization
Mechanisms exist to categorize systems and data in accordance with applicable local, state and Federal laws that: • Document the security categorization results (including supporting rationale) in the security plan for systems; and • Ensure the security categorization decision is reviewed and approved by the asset owner.
Robust Stakeholder Engagement for AI & Autonomous Technologies
Mechanisms exist to compel ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts.
Rogue Wireless Detection
Mechanisms exist to test for the presence of Wireless Access Points (WAPs) and identify all authorized and unauthorized WAPs within the facility(ies).
Role-Based Access Control (RBAC)
Mechanisms exist to enforce a Role-Based Access Control (RBAC) policy over users and resources that applies need-to-know and fine-grained access control for sensitive/regulated data access.
Role-Based Cybersecurity & Data Privacy Training
Mechanisms exist to provide role-based cybersecurity & data privacy-related training: • Before authorizing access to the system or performing assigned duties; • When required by system changes; and • Annually thereafter.
Role-Based Physical Access
Physical access control mechanisms exist to authorize physical access to facilities based on the position or role of the individual.
Roles & Responsibilities
Mechanisms exist to define cybersecurity responsibilities for all personnel.
Roles With Special Protection Measures
Mechanisms exist to ensure that individuals accessing a system that stores, transmits or processes information requiring special protection satisfy organization-defined personnel screening criteria.
Root Cause Analysis (RCA) & Lessons Learned
Mechanisms exist to incorporate lessons learned from analyzing and resolving cybersecurity & data privacy incidents to reduce the likelihood or impact of future incidents.
Roots of Trust Protection
Mechanisms exist to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a 'roots of trust' basis for integrity verification.
Route Privileged Network Access
Automated mechanisms exist to route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
Route Traffic to Proxy Servers
Mechanisms exist to route internal communications traffic to external networks through organization-approved proxy servers at managed interfaces.
Rules of Behavior
Mechanisms exist to define acceptable and unacceptable rules of behavior for the use of technologies, including consequences for unacceptable behavior.
Safe Operations
Mechanisms exist to continuously validate autonomous systems that trigger an automatic state change when safe operation is no longer assured.
Safeguarding Data Over Open Networks
Cryptographic mechanisms exist to implement strong cryptography and security protocols to safeguard sensitive/regulated data during transmission over open, public networks.
Safety Assessment
Mechanisms exist to evaluate the safety aspects of embedded technologies via a fault tree analysis, or similar method, to determine possible consequences of misuse, misconfiguration and/or failure.
Sanitization of Personal Data (PD)
Mechanisms exist to facilitate the sanitization of Personal Data (PD).
Searches
Physical access control mechanisms exist to inspect personnel and their personal effects (e.g., personal property ordinarily worn or carried by the individual, including vehicles) to prevent the unauthorized exfiltration of data and technology assets.
Secure Coding
Mechanisms exist to develop applications based on secure coding principles.
Secure Development Environments
Mechanisms exist to maintain a segmented development network to ensure a secure development environment.
Secure Development Life Cycle (SDLC) Management
Mechanisms exist to ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures.
Secure Disposal, Destruction or Re-Use of Equipment
Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.
Secure Engineering Principles
Mechanisms exist to facilitate the implementation of industry-recognized cybersecurity & data privacy practices in the specification, design, development, implementation and modification of systems and services.
Secure Log-On Procedures
Mechanisms exist to utilize a trusted communications path between the user and the security functions of the system.
Secure Migration Practices
Mechanisms exist to ensure secure migration practices purge systems, applications and services of test/development/staging data and accounts before they are migrated into a production environment.
Secure Name / Address Resolution Service (Recursive or Caching Resolver)
Mechanisms exist to perform data origin authentication and data integrity verification on the Domain Name Service (DNS) resolution responses received from authoritative sources when requested by client systems.
Secure Practices Guidelines
Mechanisms exist to provide guidelines and recommendations for the secure use of products and/or services to assist in the configuration, installation and use of the product and/or service.
Secure Settings By Default
Mechanisms exist to implement secure configuration settings by default to reduce the likelihood of software being deployed with weak security settings that would put the asset at a greater risk of compromise.
Secure Web Traffic
Mechanisms exist to ensure all web application content is delivered using cryptographic mechanisms (e.g., TLS).
Securely Dispose of Data
Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity.
Security Assessment Report (SAR)
Mechanisms exist to produce a Security Assessment Report (SAR) at the conclusion of a security assessment to certify the results of the assessment and assist with any remediation actions.
Security Authorization
Mechanisms exist to ensure systems, projects and services are officially authorized prior to "go live" in a production environment.
Security Compromise Notification Agreements
Mechanisms exist to compel External Service Providers (ESPs) to provide notification of actual or potential compromises in the supply chain that can potentially affect or have adversely affected systems, applications and/or services that the organization utilizes.
Security Concept Of Operations (CONOPS)
Mechanisms exist to develop a security Concept of Operations (CONOPS), or a similarly-defined plan for achieving cybersecurity objectives, that documents the management, operational and technical measures implemented to apply defense-in-depth techniques and that is communicated to all appropriate stakeholders.
Security Function Isolation
Mechanisms exist to isolate security functions from non-security functions.
Security Impact Analysis for Changes
Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.
Security Management Subnets
Mechanisms exist to implement security management subnets to isolate security tools and support components from other internal system components by implementing separate subnetworks with managed interfaces to other components of the system.
Security Operations Center (SOC)
Mechanisms exist to establish and maintain a Security Operations Center (SOC) that facilitates a 24x7 response capability.
Security Orchestration, Automation, and Response (SOAR)
Mechanisms exist to utilize Security Orchestration, Automation and Response (SOAR) tools to define, prioritize and automate the response to security incidents.
Security Policy Filters
Automated mechanisms exist to enforce information flow control using security policy filters as a basis for flow control decisions.
Security of Assets & Media
Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive/regulated media.
Security of Personal Data
Mechanisms exist to ensure Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.
Security-Minded Dress Code
Mechanisms exist to prohibit the use of oversized clothing (e.g., baggy pants, oversized hooded sweatshirts, etc.) to prevent the unauthorized exfiltration of data and technology assets.
Segregation From Enterprise Services
Mechanisms exist to isolate sensitive / regulated data enclaves (secure zones) from corporate-provided IT resources by providing enclave-specific IT services (e.g., directory services, DNS, NTP, ITAM, antimalware, patch management, etc.) to those isolated network segments.
Select Controls
Mechanisms exist to compel data and/or process owners to select required cybersecurity & data privacy controls for each system, application and/or service under their control.
Sender Denylisting
Mechanisms exist to implement sender denylisting protections that prevent the reception of email from denylisted senders, domains and/or email servers.
Sender Policy Framework (SPF)
Mechanisms exist to validate the legitimacy of email communications through configuring a Domain Naming Service (DNS) Sender Policy Framework (SPF) record to specify the IP addresses and/or hostnames that are authorized to send email from the specified domain.
Sensitive / Regulated Data Access Enforcement
Mechanisms exist to configure systems, applications and processes to restrict access to sensitive/regulated data.
Sensitive / Regulated Data Actions
Automated mechanisms exist to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived.
Sensitive / Regulated Data Enclave (Secure Zone)
Mechanisms exist to implement segmentation controls to restrict inbound and outbound connectivity for sensitive / regulated data enclaves (secure zones).
Sensitive / Regulated Data Protection
Mechanisms exist to protect sensitive/regulated data wherever it is stored.
Sensitive / Regulated Media Records
Mechanisms exist to ensure media records for sensitive/regulated data contain sufficient information to determine the potential impact in the event of a data loss incident.
Sensitive Audit Information
Mechanisms exist to protect sensitive/regulated data contained in log files.
Sensitive Data In Public Cloud Providers
Mechanisms exist to limit and manage the storage of sensitive/regulated data in public cloud providers.
Sensitive Data Inventories
Mechanisms exist to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually.
Sensitive Information Storage, Handling & Processing
Mechanisms exist to ensure that every user accessing a system processing, storing or transmitting sensitive information is formally trained in data handling requirements.
Sensitive/Regulated Data On Hosted Systems, Applications & Services
Mechanisms exist to define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations.
Sensor Capability
Mechanisms exist to configure embedded sensors on systems to: (1) prohibit the remote activation of sensing capabilities; and (2) provide an explicit indication of sensor use to users.
Sensor Delivery Verification
Mechanisms exist to verify embedded technology sensors are configured so that data collected by the sensor(s) is only reported to authorized individuals or roles.
Separate Mobile Device Profiles
Mechanisms exist to enforce a separate device workspace on applicable mobile devices to separate work-related and personal-related applications and data.
Separate Storage for Critical Information
Mechanisms exist to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.
Separate Subnet for Connecting to Different Security Domains
Mechanisms exist to implement separate network addresses (e.g., different subnets) to connect to systems in different security domains.
Separation from Primary Site
Mechanisms exist to separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats.
Separation from Primary Site
Mechanisms exist to separate the alternate processing site from the primary processing site to reduce susceptibility to similar threats.
Separation of Development, Testing and Operational Environments
Mechanisms exist to manage separate development, testing and operational environments to reduce the risks of unauthorized access or changes to the operational environment and to ensure no impact to production systems.
Separation of Duties (SoD)
Mechanisms exist to implement and maintain Separation of Duties (SoD) to prevent potential inappropriate activity without collusion.
Separation of Maintenance Sessions
Mechanisms exist to protect maintenance sessions through replay-resistant sessions over communications paths that are physically or logically separated from other network sessions.
Separation of Primary / Alternate Providers
Mechanisms exist to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
Service Delivery (Business Process Support)
Mechanisms exist to define supporting business processes and implement appropriate governance and service management to ensure appropriate planning, delivery and support of the organization's technology capabilities supporting business functions, workforce, and/or customers based on industry-recognized standards to achieve the specific goals of the process area.
Session Audit
Mechanisms exist to provide session audit capabilities that can: (1) capture and log all content related to a user session; and (2) remotely view all content related to an established user session in real time.
Session Integrity
Mechanisms exist to protect the authenticity and integrity of communications sessions.
Session Lock
Mechanisms exist to initiate a session lock after an organization-defined time period of inactivity, or upon receiving a request from a user and retain the session lock until the user reestablishes access using established identification and authentication methods.
Session Termination
Automated mechanisms exist to log out users, both locally on the network and for remote sessions, at the end of the session or after an organization-defined period of inactivity.
Shadow Information Technology Detection
Mechanisms exist to detect the presence of unauthorized software, systems and services in use by the organization.
Sharing Identification & Authentication Information
Mechanisms exist to ensure external service providers provide current and accurate information for any third-party user with access to the organization's data or assets.
Sharing of Event Logs
Mechanisms exist to share event logs with third-party organizations based on specific cross-organizational sharing agreements.
Side Channel Attack Prevention
Mechanisms exist to prevent "side channel attacks" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.
Signed Components
Mechanisms exist to prevent the installation of software and firmware components without verification that the component has been digitally signed using an organization-approved certificate authority.
Simulated Cyber Attack Scenario Training
Mechanisms exist to include simulated actual cyber-attacks through practical exercises that are aligned with current threat scenarios.
Simulated Events
Mechanisms exist to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
Simulated Incidents
Mechanisms exist to incorporate simulated events into incident response training to facilitate effective response by personnel in crisis situations.
Single Sign-On (SSO)
Mechanisms exist to provide a Single Sign-On (SSO) capability to the organization's systems and services.
Site Security Plan (SitePlan)
Mechanisms exist to document a Site Security Plan (SitePlan) for each server and communications room to summarize the implemented security controls to protect physical access to technology assets, as well as applicable risks and threats.
Situational Awareness For Incidents
Mechanisms exist to document, monitor and report the status of cybersecurity & data privacy incidents to internal stakeholders all the way through the resolution of the incident.
Situational Awareness of AI & Autonomous Technologies
Mechanisms exist to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party).
Social Engineering & Mining
Mechanisms exist to include awareness training on recognizing and reporting potential and actual instances of social engineering and social mining.
Social Media & Social Networking Restrictions
Mechanisms exist to define rules of behavior that contain explicit restrictions on the use of social media and networking sites, posting information on commercial websites and sharing account information.
Software & Firmware Patching
Mechanisms exist to conduct software patching for all deployed operating systems, applications and firmware.
Software / Firmware Integrity Verification
Mechanisms exist to require the developers of systems, system components or services to enable integrity verification of software and firmware components.
Software Assurance Maturity Model (SAMM)
Mechanisms exist to utilize a Software Assurance Maturity Model (SAMM) to govern a secure development lifecycle for the development of systems, applications and services.
Software Bill of Materials (SBOM)
Mechanisms exist to require a Software Bill of Materials (SBOM) for systems, applications and services that lists software packages in use, including versions and applicable licenses.
Software Design Review
Mechanisms exist to have an independent review of the software design to confirm that all cybersecurity & data privacy requirements are met and that any identified risks are satisfactorily addressed.
Software Escrow
Mechanisms exist to escrow source code and supporting documentation to ensure software availability in the event the software provider goes out of business or is unable to provide support.
Software Firewall
Mechanisms exist to utilize host-based firewall software, or a similar technology, on all information systems, where technically feasible.
Software Installation Alerts
Mechanisms exist to generate an alert when new software is detected.
Software Licensing Restrictions
Mechanisms exist to protect Intellectual Property (IP) rights with software licensing restrictions.
Software Release Integrity Verification
Mechanisms exist to publish integrity verification information for software releases.
Software Usage Restrictions
Mechanisms exist to enforce software usage restrictions to comply with applicable contract agreements and copyright laws.
Specialized Assessments
Mechanisms exist to conduct specialized assessments for: (1) statutory, regulatory and contractual compliance obligations; (2) monitoring capabilities; (3) mobile devices; (4) databases; (5) application security; (6) embedded technologies (e.g., IoT, OT, etc.); (7) vulnerability management; (8) malicious code; (9) insider threats; and (10) performance/load testing.
Split Tunneling
Mechanisms exist to prevent split tunneling for remote devices unless the split tunnel is securely provisioned using organization-defined safeguards.
Stable Versions
Mechanisms exist to install the latest stable version of any software and/or security-related updates on all applicable systems.
Stakeholder Accountability Structure
Mechanisms exist to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing data and technology-related risks.
Stakeholder Identification & Involvement
Mechanisms exist to identify and involve pertinent stakeholders of critical systems, applications and services to support the ongoing secure management of those assets.
Stakeholder Notification of Changes
Mechanisms exist to ensure stakeholders are made aware of and understand the impact of proposed changes.
Standardized Microsoft Windows Banner
Mechanisms exist to configure Microsoft Windows-based systems to display an approved logon banner before granting access to the system that provides cybersecurity & data privacy notices.
Standardized Naming Convention
Mechanisms exist to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts.
Standardized Operating Procedures (SOP)
Mechanisms exist to identify and document Standardized Operating Procedures (SOP), or similar documentation, to enable the proper execution of day-to-day / assigned tasks.
Standardized Terminology
Mechanisms exist to standardize technology and process terminology to reduce confusion amongst groups and departments.
Standardized Virtualization Formats
Mechanisms exist to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review.
State-Sponsored Espionage
Mechanisms exist to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.
Static Code Analysis
Mechanisms exist to require the developers of systems, system components or services to employ static code analysis tools to identify and remediate common flaws and document the results of the analysis.
Statistical Disclosure Control
Mechanisms exist to manipulate numerical data, contingency tables and statistical findings so that no person or organization is identifiable in the results of the analysis.
Status Reporting To Governing Body
Mechanisms exist to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization's cybersecurity & data protection program.
Statutory, Regulatory & Contractual Compliance
Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.
Steering Committee & Program Oversight
Mechanisms exist to coordinate cybersecurity, data protection and business alignment through a steering committee or advisory board, comprised of key cybersecurity, data privacy and business executives, which meets formally and on a regular basis.
Storage Media
Cryptographic mechanisms exist to protect the confidentiality and integrity of sensitive/regulated data residing on storage media.
Storing Authentication Data
Mechanisms exist to prohibit the storage of sensitive transaction authentication data after authorization.
Strategic Plan & Objectives
Mechanisms exist to establish a strategic cybersecurity & data privacy-specific business plan and set of objectives to achieve that plan.
Strong Customer Authentication (SCA)
Mechanisms exist to implement Strong Customer Authentication (SCA) for consumers to reasonably prove their identity.
Supplier Diversity
Mechanisms exist to obtain cybersecurity & data privacy technologies from different suppliers to minimize supply chain risk.
Supply Chain Coordination
Mechanisms exist to provide cybersecurity & data privacy incident information to the provider of the product or service and other organizations involved in the supply chain for systems or system components related to the incident.
Supply Chain Protection
Mechanisms exist to evaluate security risks associated with the services and product supply chain.
Supply Chain Risk Assessment
Mechanisms exist to periodically assess supply chain risks associated with systems, system components and services.
Supply Chain Risk Management (SCRM) Plan
Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of systems, system components and services, including documenting selected mitigating actions and monitoring performance against those plans.
Supporting Toolchain
Automated mechanisms exist to improve the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle.
Supporting Utilities
Facility security mechanisms exist to protect power equipment and power cabling for the system from damage and destruction.
Suspicious Communications & Anomalous System Behavior
Mechanisms exist to provide training to personnel on organization-defined indicators of malware to recognize suspicious communications and anomalous behavior.
Symmetric Keys
Mechanisms exist to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes.
Synchronization With Authoritative Time Source
Mechanisms exist to synchronize internal system clocks with an authoritative time source.
System Account Reviews
Mechanisms exist to review all system accounts and disable any account that cannot be associated with a business process and owner.
System Administrative Processes
Mechanisms exist to develop, implement and govern system administration processes, with corresponding Standardized Operating Procedures (SOP), for operating and maintaining systems, applications and services.
System Generated Alerts
Mechanisms exist to monitor, correlate and respond to alerts from physical, cybersecurity, data privacy and supply chain activities to achieve integrated situational awareness.
System Hardening Through Baseline Configurations
Mechanisms exist to develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards.
System Interconnections
Mechanisms exist to authorize connections from systems to other systems using Interconnection Security Agreements (ISAs) that document, for each interconnection, the interface characteristics, cybersecurity & data privacy requirements and the nature of the information communicated.
System Media Sanitization
Mechanisms exist to sanitize system media with the strength and integrity commensurate with the classification or sensitivity of the information prior to disposal, release out of organizational control or release for reuse.
System Media Sanitization Documentation
Mechanisms exist to supervise, track, document and verify system media sanitization and disposal actions.
System Partitioning
Mechanisms exist to partition systems so that partitions reside in separate physical domains or environments.
System Privileges Isolation
Mechanisms exist to isolate, or logically separate, any application, service and/or process running with system privileges.
System Security & Privacy Plan (SSPP)
Mechanisms exist to generate System Security & Privacy Plans (SSPPs), or similar document repositories, to identify and maintain key architectural information on each critical system, application or service, as well as influence inputs, entities, systems, applications and processes, providing a historical record of the data and its origins.
System Use Notification (Logon Banner)
Mechanisms exist to utilize system use notification / logon banners that display an approved system use notification message or banner before granting access to the system that provides cybersecurity & data privacy notices.
System of Records Notice (SORN)
Mechanisms exist to draft, publish and keep System of Records Notices (SORN) updated in accordance with regulatory guidance.
System of Records Notice (SORN) Review Process
Mechanisms exist to review all routine uses of data published in the System of Records Notices (SORN) to ensure continued accuracy and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.
System-Wide / Time-Correlated Audit Trail
Automated mechanisms exist to compile audit records into an organization-wide audit trail that is time-correlated.
Tailored Consent
Mechanisms exist to allow data subjects to modify the use permissions to selected attributes of their Personal Data (PD).
Tainting
Mechanisms exist to embed false data or steganographic data in files to enable the organization to determine if data has been exfiltrated and provide a means to identify the individual(s) involved.
Tamper Detection
Mechanisms exist to periodically inspect systems and system components for Indicators of Compromise (IoC).
Tamper Protection
Mechanisms exist to verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle.
Targeted Capability Maturity Levels
Mechanisms exist to define and identify targeted capability maturity levels.
Technical Debt Reviews
Mechanisms exist to conduct ongoing "technical debt" reviews of hardware and software technologies to remediate outdated and/or unsupported technologies.
Technical Surveillance Countermeasures Security
Mechanisms exist to utilize a technical surveillance countermeasures survey.
Technical Verification
Mechanisms exist to perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical cybersecurity & data privacy controls.
Technology Development & Acquisition
Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs.
Technology Lifecycle Management
Mechanisms exist to manage the usable lifecycles of technology assets.
Telecommunications Equipment
Mechanisms exist to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping.
Telecommunications Priority of Service Provisions
Mechanisms exist to ensure that primary and alternate telecommunications service agreements contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs).
Telecommunications Services Availability
Mechanisms exist to reduce the likelihood of a single point of failure with primary telecommunications services.
Temperature & Humidity Controls
Facility security mechanisms exist to maintain and monitor temperature and humidity levels within the facility.
Temporary Files Containing Personal Data (PD)
Mechanisms exist to perform periodic checks of temporary files for the existence of Personal Data (PD).
Temporary Storage
Physical access control mechanisms exist to temporarily store undelivered packages or deliveries in a dedicated, secure area (e.g., security cage, secure room) that is locked, access-controlled and monitored with surveillance cameras and/or security guards.
Termination of Employment
Mechanisms exist to revoke user access rights in a timely manner, upon termination of employment or contract.
Terms of Employment
Mechanisms exist to require all employees and contractors to apply cybersecurity & data privacy principles in their daily work.
Test Data Integrity
Mechanisms exist to ensure the integrity of test data through existing cybersecurity & data privacy controls.
Test Restoration Using Sampling
Mechanisms exist to utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing.
Test, Validate & Document Changes
Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.
Testing for Reliability & Integrity
Mechanisms exist to routinely test backups that verify the reliability of the backup process, as well as the integrity and availability of the data.
Testing, Training & Monitoring
Mechanisms exist to conduct cybersecurity & data privacy testing, training and monitoring activities.
Thin Nodes
Mechanisms exist to configure thin nodes to have minimal functionality and information storage.
Third-Party Assessments
Mechanisms exist to accept and respond to the results of external assessments that are performed by impartial, external organizations.
Third-Party Attestation
Mechanisms exist to obtain an attestation from an independent Third-Party Assessment Organization (3PAO) that provides assurance of conformity with specified statutory, regulatory and contractual obligations for cybersecurity & data privacy controls, including any flow-down requirements to contractors and subcontractors.
Third-Party Authentication Practices
Mechanisms exist to ensure External Service Providers (ESPs) use unique authentication factors for each of its customers.
Third-Party Contract Requirements
Mechanisms exist to require contractual cybersecurity & data privacy requirements with third parties, reflecting the organization's needs to protect its systems, processes and data.
Third-Party Criticality Assessments
Mechanisms exist to identify, prioritize and assess suppliers and partners of critical systems, components and services using a supply chain risk assessment process relative to their importance in supporting the delivery of high-value services.
Third-Party Cryptographic Keys
Mechanisms exist to ensure customers are provided with appropriate key management guidance whenever cryptographic keys are shared.
Third-Party Deficiency Remediation
Mechanisms exist to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.
Third-Party Incident Response & Recovery Capabilities
Mechanisms exist to ensure response/recovery planning and testing are conducted with critical suppliers/providers.
Third-Party Inventories
Mechanisms exist to maintain a current, accurate and complete list of External Service Providers (ESPs) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's systems, applications, services and data.
Third-Party Management
Mechanisms exist to facilitate the implementation of third-party management controls.
Third-Party Personnel Security
Mechanisms exist to govern third-party personnel by reviewing and monitoring third-party cybersecurity & data privacy roles and responsibilities.
Third-Party Personnel Security
Mechanisms exist to control personnel security requirements including security roles and responsibilities for third-party providers.
Third-Party Processing, Storage and Service Locations
Mechanisms exist to restrict the location of information processing/storage based on business requirements.
Third-Party Remote Access Governance
Mechanisms exist to proactively control and monitor third-party accounts used to access, support, or maintain system components via remote access.
Third-Party Risk Assessments & Approvals
Mechanisms exist to conduct a risk assessment prior to the acquisition or outsourcing of technology-related services.
Third-Party Scope Review
Mechanisms exist to perform recurring validation of the Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to ensure cybersecurity & data privacy control assignments accurately reflect current business practices, compliance obligations, technologies and stakeholders.
Third-Party Services
Mechanisms exist to mitigate the risks associated with third-party access to the organization's systems and data.
Third-Party Threats
Mechanisms exist to monitor third-party personnel activity for potential security incidents.
Thread Separation
Mechanisms exist to maintain a separate execution domain for each thread in multi-threaded processing.
Threat Analysis
Mechanisms exist to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats.
Threat Analysis & Flaw Remediation During Development
Mechanisms exist to require system developers and integrators to create and execute a Security Test and Evaluation (ST&E) plan to identify and remediate flaws during development.
Threat Catalog
Mechanisms exist to develop and keep current a catalog of applicable internal and external threats to the organization, both natural and manmade.
Threat Hunting
Mechanisms exist to perform cyber threat hunting that uses Indicators of Compromise (IoC) to detect, track and disrupt threats that evade existing security controls.
Threat Intelligence Feeds
Mechanisms exist to maintain situational awareness of evolving threats by leveraging the knowledge of attacker tactics, techniques and procedures to facilitate the implementation of preventative and compensating controls.
Threat Intelligence Program
Mechanisms exist to implement a threat intelligence program that includes a cross-organization information-sharing capability that can influence the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, response and recovery activities.
Threat Modeling
Mechanisms exist to perform threat modeling and other secure design techniques to ensure that threats to software and solutions are identified and accounted for.
Time Stamps
Mechanisms exist to configure systems to use an authoritative time source to generate time stamps for event logs.
Time To Remediate / Benchmarks For Corrective Action
Mechanisms exist to track the effectiveness of remediation operations through metrics reporting.
Timely Maintenance
Mechanisms exist to obtain maintenance support and/or spare parts for systems within a defined Recovery Time Objective (RTO).
Training
Mechanisms exist to ensure incident response training material provides coverage for sensitive information spillage response.
Transaction Recovery
Mechanisms exist to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs).
Transfer Activity Limits
Mechanisms exist to establish organization-defined "normal business activities" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions.
Transfer Authorizations
Mechanisms exist to verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (e.g., write permissions or privileges) prior to transferring said data.
Transfer of Sensitive and/or Regulated Data
Mechanisms exist to restrict and govern the transfer of sensitive and/or regulated data to third-countries or international organizations.
Transfer to Alternate Processing / Storage Site
Mechanisms exist to redeploy personnel to other roles during a disruptive event or in the execution of a continuity plan.
Transfer to Alternate Storage Site
Mechanisms exist to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Transmission Confidentiality
Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.
Transmission Integrity
Cryptographic mechanisms exist to protect the integrity of data being transmitted.
Transmission Medium Security
Physical security mechanisms exist to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage.
Transmission of Cybersecurity & Data Privacy Attributes
Mechanisms exist to ensure systems associate security attributes with information exchanged between systems.
Travel-Only Devices
Mechanisms exist to issue personnel travelling overseas with temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than-average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.
Trend Analysis
Automated mechanisms exist to compare the results of vulnerability scans over time to determine trends in system vulnerabilities.
Trend Analysis Reporting
Mechanisms exist to employ trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.
Truncated Banner
Mechanisms exist to utilize a truncated system use notification / logon banner on systems not capable of displaying a logon banner from a centralized source, such as Active Directory.
Trusted Path
Mechanisms exist to establish a trusted communications path between the user and the security functions of the operating system.
Trustworthy AI & Autonomous Technologies
Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences.
Two-Person Rule
Mechanisms exist to enforce a two-person rule for implementing changes to sensitive systems.
Unattended End-User Equipment
Mechanisms exist to implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access.
Unauthorized Activities
Mechanisms exist to monitor for unauthorized activities, accounts, connections, devices and software.
Unauthorized Code
Mechanisms exist to prevent unauthorized code from being present in a secure page as it is rendered in a client's browser.
Unauthorized Installation Alerts
Mechanisms exist to configure systems to generate an alert when the unauthorized installation of software is detected.
Unauthorized Network Services
Automated mechanisms exist to detect unauthorized network services and alert incident response personnel.
Unauthorized or Authorized Software (Blacklisting or Whitelisting)
Mechanisms exist to whitelist or blacklist applications in order to limit what is authorized to execute on systems.
Unique System-Generated Session Identifiers
Automated mechanisms exist to generate and recognize unique session identifiers for each session.
Unmeasurable AI & Autonomous Technologies Risks
Mechanisms exist to identify and document unmeasurable risks or trustworthiness characteristics.
Unsupported Internet Browsers & Email Clients
Mechanisms exist to allow only approved Internet browsers and email clients to run on systems.
Unsupported Systems
Mechanisms exist to prevent unsupported systems by: (1) replacing systems when support for the components is no longer available from the developer, vendor or manufacturer; and (2) requiring justification and documented approval for the continued use of unsupported system components required to satisfy mission/business needs.
Update Tool Capability
Mechanisms exist to update vulnerability scanning tools.
Updates During Installations / Removals
Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades.
Updating & Correcting Personal Data (PD)
Mechanisms exist to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.
Updating AI & Autonomous Technologies
Mechanisms exist to integrate continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Updating Personal Data (PD)
Mechanisms exist to develop processes to identify and record the method by which Personal Data (PD) is updated and the frequency with which such updates occur.
Usage Conditions
Automated mechanisms exist to enforce usage conditions for users and/or roles.
Usage Parameters
Mechanisms exist to monitor and enforce usage parameters that limit the potential damage caused from the unauthorized or unintentional alteration of system parameters.
Usage Restrictions of Sensitive Personal Data
Mechanisms exist to restrict the use of Personal Data (PD) to only the authorized purpose(s) consistent with applicable laws, regulations and in data privacy notices.
Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently.
Use a Passive Asset Discovery Tool
Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently.
Use of Communications Technology
Mechanisms exist to establish usage restrictions and implementation guidance for communications technologies based on the potential to cause damage to systems, if used maliciously.
Use of Critical Technologies
Mechanisms exist to govern usage policies for critical technologies.
Use of Cryptographic Controls
Mechanisms exist to facilitate the implementation of cryptographic protection controls using known public standards and trusted cryptographic technologies.
Use of Demilitarized Zones (DMZ)
Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports.
Use of External Information Systems
Mechanisms exist to govern how external parties, systems and services are used to securely store, process and transmit data.
Use of FICAM-Issued Profiles
Mechanisms exist to conform systems to Federal Identity, Credential and Access Management (FICAM)-issued profiles.
Use of Live Data
Mechanisms exist to approve, document and control the use of live data in development and test environments.
Use of Mobile Devices
Mechanisms exist to manage business risks associated with permitting mobile device access to organizational resources.
Use of Personal Devices
Mechanisms exist to restrict the possession and usage of personally-owned technology devices within organization-controlled facilities.
Use of Privileged Utility Programs
Mechanisms exist to restrict and tightly control utility programs that are capable of overriding system and application controls.
Use of Third-Party Devices
Mechanisms exist to reduce the risk associated with third-party assets that are attached to the network from harming organizational assets or exfiltrating organizational data.
User Awareness
Mechanisms exist to communicate with users about their roles and responsibilities to maintain a safe and secure working environment.
User Digital Signatures for Outgoing Email
Mechanisms exist to enable users to digitally sign their emails, allowing external parties to authenticate the email's sender and its contents according to the Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication protocol.
User Feedback Management
Mechanisms exist to implement a process for receiving and responding to complaints, concerns or questions from data subjects about the organizational data privacy practices.
User Identity (ID) Management
Mechanisms exist to ensure proper user identification management for non-consumer users and administrators.
User Provisioning & De-Provisioning
Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.
User Responsibilities for Account Management
Mechanisms exist to compel users to follow accepted practices in the use of authentication mechanisms (e.g., passwords, passphrases, physical or logical security tokens, smart cards, certificates, etc.).
User Threat Reporting
Mechanisms exist to incorporate submissions from users of phishing attempts, spam or otherwise malicious actions to better protect the organization.
User-Initiated Logouts / Message Displays
Mechanisms exist to provide a logout capability and display an explicit logout message to users indicating the reliable termination of the session.
User-Installed Software
Mechanisms exist to restrict the ability of non-privileged users to install unauthorized software.
Users With Elevated Privileges
Mechanisms exist to ensure that every user accessing a system that processes, stores, or transmits sensitive information is cleared and regularly trained to handle the information in question.
Utilize Automated Software Inventory Tools
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.
Utilize an Active Discovery Tool
Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently.
Validate Collected Personal Data
Mechanisms exist to ensure that the data subject, or authorized representative, validate Personal Data (PD) during the collection process.
Validation & Sanitization
Mechanisms exist to ensure all input handled by a web application is validated and/or sanitized.
Vendor Cybersecurity & Data Privacy Training
Mechanisms exist to incorporate vendor-specific security training in support of new technology initiatives.
Vendor-Supplied Defaults
Mechanisms exist to ensure vendor-supplied defaults are changed as part of the installation process.
Verbosity Logging for Boundary Devices
Mechanisms exist to verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies.
Video Teleconference (VTC) Security
Mechanisms exist to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping.
Virtual Local Area Network (VLAN) Separation
Mechanisms exist to enable Virtual Local Area Networks (VLANs) to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to laterally move to compromise neighboring systems.
Virtual Machine Images
Mechanisms exist to ensure the integrity of virtual machine images at all times.
Virtualization Techniques
Mechanisms exist to utilize virtualization techniques to support the employment of a diversity of operating systems and applications.
Visibility of Encrypted Communications
Mechanisms exist to configure the proxy to make encrypted communications traffic visible to monitoring tools and mechanisms.
Visitor Access Revocation
Mechanisms exist to ensure visitor badges, or other issued identification, are surrendered before visitors leave the facility or are deactivated at a pre-determined time/date of expiration.
Visitor Control
Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible).
Voice Over Internet Protocol (VoIP) Security
Mechanisms exist to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.
Vulnerabilities Related To Incidents
Mechanisms exist to report system vulnerabilities associated with reported cybersecurity & data privacy incidents to organization-defined personnel or roles.
Vulnerability & Patch Management Program (VPMP)
Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.
Vulnerability Disclosure Program (VDP)
Mechanisms exist to establish a Vulnerability Disclosure Program (VDP) that receives unsolicited input from the public about vulnerabilities in organizational systems, services and processes, to assist with the secure development and maintenance of products and services.
Vulnerability Exploitation Analysis
Mechanisms exist to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats exploiting known vulnerabilities.
Vulnerability Ranking
Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities using reputable outside sources for security vulnerability information.
Vulnerability Remediation Process
Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.
Vulnerability Scanning
Mechanisms exist to detect vulnerabilities and configuration errors by recurring vulnerability scanning of systems and web applications.
Water Damage Protection
Facility security mechanisms exist to protect systems from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly and known to key personnel.
Web Application Firewall (WAF)
Mechanisms exist to deploy Web Application Firewalls (WAFs) to provide defense-in-depth protection for application-specific threats.
Web Application Framework
Mechanisms exist to ensure a robust Web Application Framework is used to aid in the development of secure web applications, including web services, web resources and web APIs.
Web Browser Security
Mechanisms exist to ensure web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers to protect both the web application and its users.
Web Security
Mechanisms exist to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures.
Web Security Standard
Mechanisms exist to ensure the Open Web Application Security Project (OWASP) Application Security Verification Standard is incorporated into the organization's Secure Systems Development Lifecycle (SSDLC) process.
Website Change Detection
Mechanisms exist to detect and respond to Indicators of Compromise (IoC) for unauthorized alterations, additions, deletions or changes on websites that store, process and/or transmit sensitive / regulated data.
Wireless Access Authentication & Encryption
Mechanisms exist to protect wireless access via secure authentication and encryption.
Wireless Boundaries
Mechanisms exist to confine wireless communications to organization-controlled boundaries.
Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS)
Mechanisms exist to monitor wireless network segments to implement Wireless Intrusion Detection / Prevention Systems (WIDS/WIPS) technologies.
Wireless Intrusion Detection System (WIDS)
Mechanisms exist to utilize Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks.
Wireless Link Protection
Mechanisms exist to protect external and internal wireless links from signal parameter attacks through monitoring for unauthorized wireless connections, including scanning for unauthorized wireless access points and taking appropriate action, if an unauthorized connection is discovered.
Wireless Networking
Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.
Work From Anywhere (WFA) - Telecommuting Security
Mechanisms exist to define secure telecommuting practices and govern remote access to systems and data for remote workers.
Working in Secure Areas
Physical security mechanisms exist to allow only authorized personnel access to secure areas.
Workplace Investigations
Mechanisms exist to conduct employee misconduct investigations when there is reasonable assurance that a policy has been violated.
Zero Trust Architecture (ZTA)
Mechanisms exist to treat all users and devices as potential threats and prevent access to data and resources until the users can be properly authenticated and their access authorized.
Zero-Touch Provisioning (ZTP)
Mechanisms exist to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.
Copyright © 2025